MYHACK58:62201994853
Published: Jul 03, 2019
Author: Anonymous (佚名), www.myhack58.com (黑吧安全网)

CVE-2019-1040 combined with two domain privilege-escalation techniques: in-depth analysis (vulnerability warning)

CVSS3: 5.9 Medium
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: NONE

CVSS2: 4.3 Medium
AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE

EPSS: 0.055 Low (percentile 92.4%)

In June 2019 Microsoft released a security update that fixes CVE-2019-1040. The flaw lets a man-in-the-middle attacker bypass the NTLM MIC (Message Integrity Check) protection and relay authentication traffic to a target server.
Combined with the SpoolService "printer bug" and either the Exchange server's rights over the domain ACL or Kerberos delegation, an attacker holding nothing more than an ordinary domain account can take remote control of any machine in a Windows domain, including the domain controller.
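The MIC the text refers to is an HMAC-MD5, keyed with the NTLM session key, over all three NTLM messages; a relay that cannot forge it can only drop it and hope the target does not insist on it. The following Python script is an added example, not code from the article or from impacket: it builds an NTLMv2 AUTHENTICATE message with a valid MIC according to MS-NLMP, strips the MIC the way a relay would, and checks the result against two server policies. The lax policy only expects a MIC when the relay-editable NTLMSSP_NEGOTIATE_VERSION flag is set; this is a simplified model used for illustration, not a claim about Windows' exact pre-patch logic. The hardened policy decides from the MsvAvFlags AV pair inside the NTLMv2 response, which the NTProofStr HMAC covers, so the relay cannot clear it without failing password verification. The NT hash (that of an empty password), challenges, timestamp, flag set, workstation name and account names are constructed.

```python
"""Model of the NTLM MIC and how a MIC-stripping relay defeats a lax server check.
Added example; not code from the page or from impacket. Layouts follow MS-NLMP."""
import hashlib
import hmac
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5) that a MIC-stripping relay clears.
NEGOTIATE_SIGN, NEGOTIATE_ALWAYS_SIGN = 0x00000010, 0x00008000
NEGOTIATE_VERSION, NEGOTIATE_KEY_EXCH = 0x02000000, 0x40000000
CLIENT_FLAGS = 0xE2088215  # constructed: typical client flag set, VERSION and SIGN bits on
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0000, 0x0002, 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002  # MsvAvFlags bit: "this AUTHENTICATE carries a MIC"
FLAGS_OFFSET, MIC_OFFSET, PAYLOAD_OFFSET = 60, 72, 88  # fixed AUTHENTICATE_MESSAGE layout

# Constructed inputs: well-known NT hash of an empty password, fixed nonces, fixed FILETIME.
NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = 132_000_000_000_000_000


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def utf16(s):
    return s.encode("utf-16-le")


def ntowf_v2(nt_hash, user, domain):
    return hmac_md5(nt_hash, utf16(user.upper() + domain))


def av_pairs(pairs):
    """Serialise (AvId, value) pairs and terminate the list with MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len


def ntlmv2_response(ntowf, target_info):
    """NTLMv2_RESPONSE = NTProofStr || temp (MS-NLMP 3.3.2); also returns SessionBaseKey."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", TIMESTAMP) + CLIENT_CHALLENGE
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac_md5(ntowf, SERVER_CHALLENGE + temp)
    return nt_proof + temp, hmac_md5(ntowf, nt_proof)


def build_authenticate(nt_response, domain, user, flags, negotiate, challenge, session_key):
    """AUTHENTICATE_MESSAGE; MIC = HMAC_MD5(key, NEGOTIATE || CHALLENGE || AUTHENTICATE with MIC zeroed)."""
    payload, fields = b"", []
    for data in (b"\x00" * 24, nt_response, utf16(domain), utf16(user), utf16("UBUNTU"), b""):
        fields.append(struct.pack("<HHI", len(data), len(data), PAYLOAD_OFFSET + len(payload)))
        payload += data
    version = struct.pack("<BBH3xB", 10, 0, 19041, 0x0F)
    head = b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags) + version
    mic = hmac_md5(session_key, negotiate + challenge + head + b"\x00" * 16 + payload)
    return head + mic + payload


def relay_strip_mic(auth):
    """What a MIC-stripping relay does (assumption: modelled on the public description of the
    technique, not copied from any tool): zero Version and MIC, clear sign/version/keyexch flags."""
    flags = struct.unpack_from("<I", auth, FLAGS_OFFSET)[0]
    flags &= ~(NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_VERSION | NEGOTIATE_KEY_EXCH)
    return auth[:FLAGS_OFFSET] + struct.pack("<I", flags) + b"\x00" * 24 + auth[PAYLOAD_OFFSET:]


def server_verify(negotiate, challenge, auth, ntowf, honour_av_flags):
    """honour_av_flags=False: simplified lax model (assumption, not Windows code) that expects a MIC
    only when the relay-editable VERSION flag is set. True: decide from MsvAvFlags inside the
    NTLMv2 response, which NTProofStr protects, so a stripped MIC is detected."""
    nt_len, _, nt_off = struct.unpack_from("<HHI", auth, 20)
    nt_response = auth[nt_off:nt_off + nt_len]
    nt_proof, temp = nt_response[:16], nt_response[16:]
    if not hmac.compare_digest(nt_proof, hmac_md5(ntowf, SERVER_CHALLENGE + temp)):
        return False  # wrong password or tampered NTLMv2 response
    if honour_av_flags:
        av_flags = parse_av_pairs(temp[28:]).get(MSV_AV_FLAGS, b"\x00" * 4)  # AV pairs start at temp+28
        mic_expected = bool(struct.unpack("<I", av_flags)[0] & AV_FLAG_MIC_PRESENT)
    else:
        mic_expected = bool(struct.unpack_from("<I", auth, FLAGS_OFFSET)[0] & NEGOTIATE_VERSION)
    if not mic_expected:
        return True
    session_key = hmac_md5(ntowf, nt_proof)  # no key exchange: ExportedSessionKey == SessionBaseKey
    zeroed = auth[:MIC_OFFSET] + b"\x00" * 16 + auth[PAYLOAD_OFFSET:]
    return hmac.compare_digest(auth[MIC_OFFSET:PAYLOAD_OFFSET],
                               hmac_md5(session_key, negotiate + challenge + zeroed))


def demo():
    ntowf = ntowf_v2(NT_HASH, "TOPSEC$", "TEST")
    # Constructed NEGOTIATE and CHALLENGE messages; here they matter only as MIC input.
    negotiate = b"NTLMSSP\x00" + struct.pack("<II", 1, CLIENT_FLAGS) + b"\x00" * 24
    server_info = av_pairs([(MSV_AV_NB_DOMAIN_NAME, utf16("TEST"))])
    challenge = b"NTLMSSP\x00" + struct.pack("<I", 2) + b"\x00" * 12 + SERVER_CHALLENGE + server_info
    client_info = av_pairs([(MSV_AV_NB_DOMAIN_NAME, utf16("TEST")),
                            (MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT))])
    nt_response, session_key = ntlmv2_response(ntowf, client_info)
    genuine = build_authenticate(nt_response, "TEST", "TOPSEC$", CLIENT_FLAGS, negotiate, challenge, session_key)
    stripped = relay_strip_mic(genuine)
    return {"genuine_lax": server_verify(negotiate, challenge, genuine, ntowf, False),
            "genuine_hardened": server_verify(negotiate, challenge, genuine, ntowf, True),
            "stripped_lax": server_verify(negotiate, challenge, stripped, ntowf, False),
            "stripped_hardened": server_verify(negotiate, challenge, stripped, ntowf, True)}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

The stripped message still carries a valid NTProofStr, so password verification passes under both policies; only the MsvAvFlags-driven check notices that the MIC the client promised is missing. Independently of the patch, requiring SMB and LDAP signing (and LDAP channel binding) on the relay targets removes the payoff of a successful relay.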

0x01 Exploitation
Attack mode one: Exchange
Verification environment:

Role      System version           Computer name   IP address        Domain
Attacker  Ubuntu Server 18.04      ubuntu          192.168.123.69
DC        Windows Server 2012 R2   topsec-dc       192.168.123.150   test.local
Exchange  Windows Server 2012 R2   topsec          192.168.123.143   test.local

Verification process:
① Build the environment
Install and configure a domain controller.
Install and configure Exchange Server, see [1].
Create a new test account, test, in the domain.
② Run the ntlmrelayx.py script to perform the NTLM relay attack: it starts an SMB server and relays the authentication it captures to the LDAP service on the domain controller. The --remove-mic option strips the MIC, and --escalate-user names the user to be granted the privileges (here the test account).
[screenshot]
③ Run the printerbug.py script to trigger the SpoolService bug.
[screenshot]
The SpoolService bug makes the Exchange server connect back to ntlmrelayx.py, so its authentication is delivered to ntlmrelayx.py. In the screenshot below the authenticating user is TEST\TOPSEC$, the Exchange server's computer account.
[screenshot]
④ ntlmrelayx.py then starts the LDAP attack; with the -debug option it prints more detail.
It first enumerates the groups and privileges of the relayed account and finds that it can create users and can modify the ACL of the test.local domain, because members of the Exchange Windows Permissions group are allowed to modify the domain ACL, as shown below:
[screenshot]
The member of that group is the relayed computer account, TOPSEC$:
[screenshot]
The script therefore escalates by modifying the ACL, which is stealthier than creating a user. Concretely, it modifies the domain's security descriptor over LDAP; in the packet capture below each ACE (access control entry) of the ACL can be seen:
[screenshot]
⑤ Once the ACL has been modified, the test account can use the DCSync function of secretsdump.py to dump all password hashes in the domain:
[screenshot]
Attack mode two: Kerberos delegation
Verification environment:

Role      System version           Computer name   IP address        Domain
Attacker  Ubuntu Server 18.04      ubuntu          192.168.123.69
DC        Windows Server 2012 R2   topsec-dc       192.168.123.212   test.local
SDC       Windows Server 2012 R2   topsec          192.168.123.62    test.local

Verification process:
① Build the environment
Install and configure a domain controller and enable LDAPS, because the attack has to add a new computer account and that must be done over LDAPS; see [2] for how to enable it.
Install and configure a secondary domain controller, see [3].
Create a new test account, topsec, and a domain administrator, admin, in the domain.
② As in attack mode one, run ntlmrelayx.py, this time with the --delegate-access option. With it, the relayed computer account (here the secondary domain controller) has access to itself delegated to an account the attacker controls.
[screenshot]
③ The attacker runs the printerbug.py script against the secondary domain controller (SDC).
[screenshot]
When printerbug.py succeeds, the secondary domain controller (SDC) connects back to the attacker's host, and the user it authenticates with is the SDC's own computer account, TEST\TOPSEC$.
ntlmrelayx.py relays this account over LDAPS to the domain controller (DC). In this attack the impersonated identity TEST\TOPSEC$ is not in the Exchange Windows Permissions group and so has no right to modify the ACL; instead, the script uses this identity to add a new computer account on the DC (EJETBTTB$ in the screenshot below) and to modify the constrained delegation settings of the victim, the secondary domain controller, so that the new account is allowed to delegate to it.
[screenshot]
[screenshot]
④ Use the getST.py script with the -impersonate parameter to request a ticket as the user admin and save it as a ccache; since admin is a member of Domain Admins, the ticket gives management access to the secondary domain controller (SDC).
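The delegation that --delegate-access configures in step ③ is resource-based constrained delegation: a security descriptor stored on the victim computer whose DACL lists the accounts allowed to act on its behalf. The page does not name the attribute; that it is msDS-AllowedToActOnBehalfOfOtherIdentity is stated here as the editor's understanding of impacket's behaviour, not something the article says. The following Python script is an added example, not code from the article or from impacket: it builds such a self-relative descriptor, parses it back, and audits which principals it grants, which is the check a defender runs against domain controllers to spot a rogue account like EJETBTTB$. The SIDs, the directory dict standing in for an LDAP lookup, and the full-control access mask are constructed.

```python
"""Audit who may act on behalf of a computer via its resource-based constrained
delegation security descriptor. Added example; not code from the page or impacket."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF  # constructed mask; a delegation write grants broad rights
SD_HEADER = "<BBHIIII"  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"    # AceType, AceFlags, AceSize, Mask


def build_sid(sid_text):
    """'S-1-5-21-a-b-c-rid' -> binary SID (revision, count, 6-byte authority, subauthorities)."""
    parts = sid_text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf, pos):
    revision, count = struct.unpack_from("<BB", buf, pos)
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, pos + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def build_rbcd_descriptor(allowed_sids, owner_sid="S-1-5-32-544"):
    """Self-relative SD: owner/group BUILTIN\\Administrators, DACL with one full-control
    ACCESS_ALLOWED ACE per SID; this is the shape a delegation write leaves behind."""
    owner = build_sid(owner_sid)
    aces = b""
    for sid_text in allowed_sids:
        sid = build_sid(sid_text)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), FULL_CONTROL) + sid
    dacl = struct.pack(ACL_HEADER, 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def parse_allowed_to_act(sd):
    """Return [(sid, mask)] for every ACCESS_ALLOWED ACE in the descriptor's DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, sd, off_dacl)
    pos, grants = off_dacl + struct.calcsize(ACL_HEADER), []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            grants.append((parse_sid(sd, pos + struct.calcsize(ACE_HEADER)), mask))
        pos += ace_size  # AceSize also skips ACE types this audit does not interpret
    return grants


def audit_delegation(computer, sd, directory, expected=frozenset()):
    """Flag every principal allowed to act on behalf of `computer` that is not expected."""
    findings = []
    for sid, mask in parse_allowed_to_act(sd):
        name = directory.get(sid, "<unresolved SID>")
        if name not in expected:
            findings.append("%s: %s (%s) may act on behalf of other identities, mask 0x%08X"
                            % (computer, name, sid, mask))
    return findings


# Constructed directory (SID -> sAMAccountName) standing in for an LDAP lookup.
DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-1000": "TOPSEC-DC$",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "TOPSEC$",
    "S-1-5-21-1111111111-2222222222-3333333333-1108": "EJETBTTB$",
}


def demo():
    # Descriptor as found on the secondary DC after the relay added EJETBTTB$, and a clean one.
    rogue = build_rbcd_descriptor(["S-1-5-21-1111111111-2222222222-3333333333-1108"])
    clean = build_rbcd_descriptor([])
    return audit_delegation("TOPSEC$", rogue, DIRECTORY), audit_delegation("TOPSEC$", clean, DIRECTORY)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

In a live domain, read the attribute with ldapsearch or Get-ADComputer -Properties msDS-AllowedToActOnBehalfOfOtherIdentity; it comes back as the raw descriptor bytes, which can be handed to parse_allowed_to_act as-is. Any ACE on a domain controller that names something other than an expected account, and any freshly created computer account appearing in such an ACE, deserves an immediate look.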
