Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

Dec 15 2014

Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and …

ActiveDirectory, CVE-2014-6324POC, DomainController, KaliLinux, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, KerberosPacketCapture, mimikatz, MS14068, MS14068Exploit, MS14068ExploitCode, MS14068ExploitPacketCapture, PAC, PoC, PowerShellCode, PyKEK, PyKEKPackets, PythonKerberosExploitationKit, WireShark

Dec 07 2014

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Detecting PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to …

Dec 06 2014

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

As noted in previous posts on MS14-068, including a detailed description, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies KDC Kerberos signature validation processing on the Domain Controller. This issue is FAR worse than …

ActiveDirectory, CVE-2014-6324POC, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, MetaSploit, MS14068, MS14068ExploitCode, PAC, PoC, PyKEK, PythonKerberosExploitationKit

Dec 05 2014

Windows Computer Primary Group IDs

By Sean Metcalf in PowerShell, Technical Reference

Primary Group IDs are the RIDs for the Domain groups. The full list is here: Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs). 515 – Domain Computers 516 – Domain Controllers (writable) 521 – Domain Controllers (Read-Only) This information helps filter computer objects to return only the desired computer type. Domain Computers (Workstation …

ActiveDirectory, DomainControllers, FindingDCs, FindingDomainComputer, FindingRODCs, PowerShellCode, PrimaryGroupID, ReadOnlyDomainController, WindowsComputer

Nov 25 2014

BlueHat Security Briefings: Fall 2014 Sesions

By Sean Metcalf in Continuing Education, Microsoft Security, Security Conference Presentation/Video

Microsoft has posted videos and slides from the Microsoft internal “BlueHat” security conference from October 2014. BlueHat Security Briefings educate Microsoft engineers and executives on current and emerging security threats as part of continuing efforts to help protect our customers and secure our products, devices, and services. BlueHat serves as a great opportunity for invited …

BlueHat2014Videos, BlueHatSecurityConference, MicrosoftBlueHat14

Nov 24 2014

Microsoft Consolidated Technology Conference: Microsoft Ignite

By Sean Metcalf in Continuing Education

Microsoft announced over the Summer they are merging the individual technology conferences such as the SharePoint Conference, Exchange Conference, and TechEd into a single unified technology conference. Details are finally available for the Microsoft Ignite Conference which promises to be the conference to attend if you are interested in Microsoft technology solutions. Who is Ignite …

MicrosoftIgniteConference2015, TechEd2015

Nov 22 2014

Mimikatz and Active Directory Kerberos Attacks

By Sean Metcalf in Microsoft Security, Technical Reference

NOTE: While this page will remain, the majority of the Mimikatz information in this page is now in the “Unofficial Mimikatz Guide & Command Reference” which will be updated on a regular basis. Mimikatz is the latest, and one of the best, tool to gather credential data from Windows systems. In fact I consider Mimikatz …

Nov 21 2014

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works The folks at BeyondTrust have …

ActiveDirectory, KB3011780, Kerberos, KerberosHacking, KerberosInvalidChecksum, KerberosVulnerability, MS14-068, MS14068, MS14068Patch, PACValidation

Nov 21 2014

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

By Sean Metcalf in Microsoft Security, Technical Reference

In June 2014, Microsoft released KB2871997 which takes many of the enhanced security protection mechanisms built into Windows 8.1 & Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012. The enhanced security features reduce the credential data stored in memory and supports modern authentication (Kerberos …

Clear-TextCredentials, DigestAuthentication, InteractiveLogon, KB2871997, Kerberos, Local_Account, LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP, LSASS, mstsc /RestrictedAdmin, NetworkLogon, PassTheHash, ProtectedUsers, RestrictedAdminRDP, UseLogonCredential, Windows7, Windows8, Windows8.1, WindowsServer2008R2, WindowsServer2012R2

Nov 19 2014

Kerberos Vulnerability in MS14-068 (KB3011780) Explained

By Sean Metcalf in Microsoft Security, Technical Reference

Thanks to Gavin Millard (@gmillard on Twitter), we have a graphic that covers the issue quite nicely (wish I had of thought of it!) Exploit Code is now on the net! As of December 4th, 2014, there is Proof of Concept (POC) code posted that exploits MS14-068 by Sylvain Monné by using Python to interact with …

KB3011780, KerberosGoldenTicket, KerberosHacking, KerberosInvalidChecksum, KerberosVulnerability, MS14-068, MS14068

Sean Metcalf

Author's posts

Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

Windows Computer Primary Group IDs

BlueHat Security Briefings: Fall 2014 Sesions

Microsoft Consolidated Technology Conference: Microsoft Ignite

Mimikatz and Active Directory Kerberos Attacks

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

Kerberos Vulnerability in MS14-068 (KB3011780) Explained

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright