Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

MS14-068 References:

This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and stage 2 of the attack.
Microsoft KB3011780 patches this issue.

Here are the full packet captures:

Stage 1 – Using PyKEK to inject a forged PAC into a valid TGT: ADSecurityOrg-MS14068-Exploit-KRBPackets

Stage 2 – Using Mimikatz to leverage the forged TGT into the user session & connect to the unpatched Domain Controller’s admin$ share: ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access

Note: Using the information posted here, it may be possible to create a Snort signature that can identify active MS14-068 exploitation on a network by looking at the TGS-REQ Kerberos packet that states “include-pac: False” (additionally, the AS-REQ packet earlier in the conversation also states “include-pac: False”)

Stage 1 Attack Packets: PyKEK requests and modifies a TGT

.The Python script performs a TGT request (Kerberos Authentication Service Request aka AS-REQ) and instead of requesting a TGT with a PAC (default AS-REQ), PyKEK requests a TGT with no PAC from the Domain Controller.

Once the script receives the valid TGT without a PAC from the DC, the script generates a PAC (with the group membership listed above) packages it in encrypted authorization data as part of a TGS request to the DC (Kerberos Ticket Granting Service Request aka TGS-REQ) to obtain another TGT (a new one with the PyKEK generated PAC).
“The vulnerable KDC will verify it with MD5 and give you another TGT with a PAC in it”.
This is the TGT that PyKEK saves to the ccache file used for stage 2.

Since PyKEK communicates with the Domain Controller for valid TGTs, the TGT is a valid ticket (other than the forged PAC it includes). To summarize, there are two TGTs involved in the process: the original one without a PAC as a result of the first AS-REQ and a second one the DC delivers in the TGS-REP with the PyKEK generated PAC.

NOTE: The TGT is technically not modified by PyKEK since it is encrypted by the KDC account (KRBTGT). The process the script uses results in a valid TGT with the PAC PyKEK created that is accepted by an unpatched DC. The genius part of this is that PyKEK uses the Kerberos AS & TGS exchanges to forge a PAC and have the DC place it into a new user TGT. Then when the TGT is presented later on in Stage 2 for a valid TGS, the PAC is accepted and its values carried on into the new TGS for a Kerberos service in AD.

From the post entitled “Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

c:\Temp\pykek> ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org

[+] Building AS-REQ for adsdc02.lab.adsecurity.org… Done!
[+] Sending AS-REQ to adsdc02.lab.adsecurity.org… Done!

Stage 1 Packet #1: TGT request (AS-REQ) with no PAC.

Continue reading

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

MS14-068 References:

After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to GitHub a few days ago. I configured a Windows 7 workstation with Python 2.7.8 and downloaded the PyKEK zip as well as the Mimikatz zip file.

The MS14-068.py Python script (part of PyKEK) can be run on any computer that has connectivity to the target Domain Controller.

I ran PyKEK against a Windows Server 2008 R2 Domain Controller not patched for MS14-068 using Kali Linux as well as a domain-joined Windows 7 workstation.

Note: All exploit stages can be executed without an admin account and can be performed on any computer on the network (including computers not domain-joined).
Microsoft KB3011780 patches this issue.

Updates:

12/13 Update: Added a section on How Does PyKEK Get a Forged PAC  into a TGT? with information on how PyKEK generates the forged TGT (valid TGT with a forged PAC).
12/8 Update: I added a Mitigation section at the end of the post as well as events from a patched Domain Controller when attempting to exploit (in the events section).
12/14 Update: I successfully ran the exploit using a non-domain joined Windows computer on the network without admin credentials.

MS14-068 Exploit Issues with Windows Server 2012 & 2012/R2:

I also stood up one Windows Server 2012 and one Windows Server 2012 R2 Domain Controller in the same site as the two unpatched Windows Server 2008 R2 DCs. None of the Domain Controllers in my lab.adsecurity.org AD Forest are patched for MS14-068.
After successfully running the PyKEK script to generate the TGT, I was unable to get a TGS successfully to exploit the 2008 R2 DC. After shutting down the 2012 & 2012R2 DCs, I could use the forged TGT to get a TGS and access the targeted 2008 R2 DC (ADSDC02).
PyKEK is only sometimes successful when there is an unpatched DC and a patched DC in the same Active Directory site. The same behavior is noted when there is an unpatched Windows Server 2008 R2 DC and a Windows Server 2012 DC in the same site. Successful exploit depends on what DC PyKEK connects to.

Staging the Attack:

The targeted user account in this post is “Darth Sidious” (darthsidious@lab.adsecurity.org). Note that this user is a member of Domain Users and a Workstation group. This group membership stays the same throughout the activity in this post (I took the screenshot after exploiting the DC). Assume that this user is an authorized user on the network and wants to get Domain Admin rights to perform nefarious actions. The user already has a valid domain account and knows the password for the domain. This is no different from an attacker spearphishing this user and stealing their credentials as they get local admin rights on the computer.

ADS-DC-DarthSidious-Account-MemberOf-TabOnce the attacker has valid domain credentials (and local admin rights if Python install is required) on a computer on the network, they can leverage PyKEK to generate a forged TGT by performing standard communication with the target (unpatched) DC.

The PyKEK ms14-068.py Python script needs some information to successfully generate a forged TGT:

  • User Principal Name (UPN) [-u]: darthsidious@lab.adsecurity.org
  • User Password [-p]: TheEmperor99!
  • User Security IDentifier (SID) [-s]: S-1-5-21-1473643419-774954089-222232912
    7-1110
  • Targeted Domain Controller [-d]: adsdc02.lab.adsecurity.org

The SID can be found by running the “whoami” command while logged in as the target user.

DarthSidiousWhoAmI

You can also get this information from PowerShell by running :

 [Security.Principal.WindowsIdentity]::GetCurrent( )

ADS-PowerShell-WhoAMI-DS

As I noted in my previous post on PyKEK, the following group membership is included in the forged TGT:

  • Domain Users (513)
  • Domain Admins (512)
  • Schema Admins (518)
  • Enterprise Admins (519)
  • Group Policy Creator Owners (520)


Phase 1: Forging a TGT:

Here’s a screenshot of the exploit working in Kali Linux (1.09a)

Continue reading

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

As noted in previous posts on MS14-068, including a detailed description, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies KDC Kerberos signature validation processing on the Domain Controller.

This issue is FAR worse than the Kerberos “Golden Ticket” issue since an attacker doesn’t need the domain Kerberos service account (KRBTGT) NTLM password hash (only accessible from a Domain Controller with domain-level admin privileges) for exploit. The attacker simply modifies the existing TGT by changing the group membership to have access to everything in Active Directory and creates a specific invalid checksum for the PAC signature causing the DC to validate it.

If you haven’t installed the MS14-068 patch (released on November 18th, 2014), the exploit code is now available for all to use. Microsoft KB3011780 patches this issue.
Patch your Domain Controllers Now!

MS14-068 References:

UPDATE: I have successfully tested this MS14-068 exploit in my lab and posted detailed information on how to exploit Kerberos on vulnerable Domain Controllers including WireShark pcaps and DC event logs.

Sylvain Monné tweeted about his Python code (Python Kerberos Exploitation Kit aka PyKEK) late Thursday, December 4th, stating it can be used to exploit the Kerberos vulnerability patched in MS14-068.

MS14068-POC-TweetNote that the POC is effective against Domain Controllers running Windows Server 2008 R2 and earlier. Microsoft noted in the patch release that “Windows Server 2012 impact is less vulnerable than previous Windows versions (i.e., it’s much harder to exploit on Windows Server 2012/2012R2)

The POC is now in MetaSploit.

POC usage example:

ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!

According to the PyKEK documentation, the modified TGT now has the following groups included:

  • Domain Users (513)
  • Domain Admins (512)
  • Schema Admins (518)
  • Enterprise Admins (519)
  • Group Policy Creator Owners (520)

Since the TGT is signed by the KDC Service (KRBTGT domain account), it is valid and can be used to access Active Directory resources based on the group membership (which was forged and now validated by the DC).

At this point, one can use Mimikatz to use the new TGT to connect to resources.

Two commands are all that’s necessary to exploit:

python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

 

Requirements:

The bar is fairly low in order to exploit MS14-068. Effectively admin rights on a single domain-joined computer is all that’s needed. The other items aren’t that difficult once this access is attained.

  • Admin access to a computer joined to the target domain
  • Access to domain credentials – a domain user account is fine.
  • Python exe’s on the computer.
  • Mimikatz on the computer

 

References:

 

 

 

 

Windows Computer Primary Group IDs

Primary Group IDs are the RIDs for the Domain groups. The full list is here: Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs).

  • 515 – Domain Computers
  • 516 – Domain Controllers (writable)
  • 521 – Domain Controllers (Read-Only)

This information helps filter computer objects to return only the desired computer type.

Domain Computers (Workstation & Servers – No Domain Controllers)

Import-Module ActiveDirectory
Get-ADComputer -Filter {PrimaryGroupID -eq 515}

Domain Controllers (All)

Import-Module ActiveDirectory
Get-ADComputer -Filter {PrimaryGroupID -ne 516}

Domain Controllers (RODCs only)

Import-Module ActiveDirectory
Get-ADComputer -Filter {PrimaryGroupID -eq 521}

 

BlueHat Security Briefings: Fall 2014 Sesions

Microsoft has posted videos and slides from the Microsoft internal “BlueHat” security conference from October 2014.

BlueHat Security Briefings educate Microsoft engineers and executives on current and emerging security threats as part of continuing efforts to help protect our customers and secure our products, devices, and services. BlueHat serves as a great opportunity for invited security researchers to informally connect with Microsoft engineers who are passionate about security, furthering a bidirectional exchange of ideas at the event.

The Following Session videos and slides are posted:

BlueHat 2014 Keynote – Chris Betz

Defining and Enforcing Intent Semantics at ABI level
(Sergey Bratus, Julian Bangert)
Dominant OS security policy designs treat a process as an opaque entity that has a “bag” of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

UEFI – Summary of Attacks against BIOS and Secure Boot
(Yuriy Bulygin)
A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

Botintime – Phoenix: DGA-based Botnet Tracking and Intelligence
(Stefano Zanero)
Its common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use phoenix which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

View the BlueHat 2014 Videos and Slides

Microsoft Consolidated Technology Conference: Microsoft Ignite

Microsoft announced over the Summer they are merging the individual technology conferences such as the SharePoint Conference, Exchange Conference, and TechEd into a single unified technology conference.

Details are finally available for the Microsoft Ignite Conference which promises to be the conference to attend if you are interested in Microsoft technology solutions.

Who is Ignite for?

It’s for big thinkers looking for an edge. It’s for senior decision makers seeking what’s next, and who want insights on key technology trends in the industry. It’s for IT professionals who need hands-on experience to enhance their tech skills. It’s for enterprise developers and architects looking for innovative ways to maximize application development. It’s for those who want to feel inspired and enlightened. It’s for you.

Registration is now open!

Microsoft Ignite Conference
Chicago, IL
May 4 – 8, 2015

 

 

Mimikatz and Active Directory Kerberos Attacks

NOTE:
While this page will remain, the majority of the Mimikatz information in this page is now in the “Unofficial Mimikatz Guide & Command Reference” which will be updated on a regular basis.

Mimikatz is the latest, and one of the best, tool to gather credential data from Windows systems. In fact I consider Mimikatz to be the “swiss army knife” of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested).

After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. The credential data may include NTLM password hashes, LM password hashes (if the password is <15 characters), and even clear-text passwords (to support WDigest and SSP authentication among others. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), though this doesn’t prevent the system from generating the LM hash in memory.

The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the mimikatz binary to disk.”  Mimikatz functionality supported by Invoke-Mimikatz is noted below.
Continue reading

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

MS14-068 References:

 

The folks at BeyondTrust have a great write-up on what the MS14-068 patch adds to mitigate the Kerberos ticket PAC validation vulnerability.
Continue reading

Kerberos Vulnerability in MS14-068 (KB3011780) Explained

Thanks to Gavin Millard (@gmillard on Twitter), we have a graphic that covers the issue quite nicely (wish I had of thought of it!)
Kerb-MS14-068-twitterpic-BoardingPass-Pilot

Exploit Code is now on the net!
As of December 4th, 2014, there is Proof of Concept (POC) code posted that exploits MS14-068 by Sylvain Monné by using Python to interact with an unpatched DC generating the invalid Kerberos ticket and then Mimikatz to use the ticket.
UPDATE: I have successfully tested the MS14-068 exploit in my lab and posted detailed information including WireShark pcaps and DC event logs.

MS14-068 References:

I wrote up a description of the issue that should help explain MS14-068 (KB3011780) without too much Kerberos technical overhead.

For more detail, please read my earlier blog post on MS14-068 (KB3011780).
Get Domain Controller patch status with this sample PowerShell script: Get-DCPatchStatus (rename file extension to .ps1).

Note that Windows Server 2012 impact is less vulnerable than previous Windows versions (i.e., it’s much harder to exploit on Windows Server 2012/2012R2), but all Domain Controllers should be patched ASAP, starting with DCs running Windows Server 2008R2 and below. Patch servers next and workstations last to support “defense-in-depth.” Additionally, Azure Active Directory doesn’t expose Kerberos over any external interface and is not affected by this vulnerability.

Introduction:

Active Directory leverages the Kerberos protocol for authentication. The vulnerability patches an issue with how the Domain Controller validates group membership in Kerberos tickets (hint: this issues is that the ticket is always validated by the DC if the checksum is set to certain values which are invalid).

According to Microsoft: “When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”

This is FAR worse than the Kerberos “Golden Ticket” issue since an attacker doesn’t need the domain Kerberos service account (KRBTGT) NTLM password hash (only accessible from a Domain Controller with domain-level admin privileges) for exploit. The attacker simply modifies the existing TGT by changing the group membership to have access to everything in Active Directory and creates a specific invalid checksum for the PAC signature causing the DC to validate it.

 

MS14-068 Issue Overview:

Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token (Kerberos Ticket Granting Ticket, TGT, ticket) by adding the false statement that the user is a member of Domain Admins (or other sensitive group) and the Domain Controller (DC) will validate that (false) claim enabling attacker improper access to any domain (in the AD forest) resource on the network. This is all done without changing the members of existing AD groups.
Continue reading