Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…

Category: Microsoft Security

Dec 26 2014

Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)

By Sean Metcalf in Microsoft Security, Technical Reference

The Microsoft Knowledge Base article KB243330 lists the well-known security identifiers in Windows operating systems Listed here are the more interesting ones from the article as well as some additional ones. Local Computer SIDs SID: S-1-5-2 Name: Network Description: A group that includes all users that have logged on through a network connection. Membership is …

ActiveDirectorySIDs, Administrators, DomainAdmins, EnterpriseAdmins, GroupSID, WindowsSIDs

Dec 15 2014

Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and …

ActiveDirectory, CVE-2014-6324POC, DomainController, KaliLinux, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, KerberosPacketCapture, mimikatz, MS14068, MS14068Exploit, MS14068ExploitCode, MS14068ExploitPacketCapture, PAC, PoC, PowerShellCode, PyKEK, PyKEKPackets, PythonKerberosExploitationKit, WireShark

Dec 07 2014

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Detecting PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to …

Dec 06 2014

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

By Sean Metcalf in Microsoft Security, Technical Reference

As noted in previous posts on MS14-068, including a detailed description, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies KDC Kerberos signature validation processing on the Domain Controller. This issue is FAR worse than …

ActiveDirectory, CVE-2014-6324POC, KB3011780, KDC, Kerberos, KerberosChecksumVulnerability, KerberosHacking, MetaSploit, MS14068, MS14068ExploitCode, PAC, PoC, PyKEK, PythonKerberosExploitationKit

Nov 25 2014

BlueHat Security Briefings: Fall 2014 Sesions

By Sean Metcalf in Continuing Education, Microsoft Security, Security Conference Presentation/Video

Microsoft has posted videos and slides from the Microsoft internal “BlueHat” security conference from October 2014. BlueHat Security Briefings educate Microsoft engineers and executives on current and emerging security threats as part of continuing efforts to help protect our customers and secure our products, devices, and services. BlueHat serves as a great opportunity for invited …

BlueHat2014Videos, BlueHatSecurityConference, MicrosoftBlueHat14

Nov 22 2014

Mimikatz and Active Directory Kerberos Attacks

By Sean Metcalf in Microsoft Security, Technical Reference

NOTE: While this page will remain, the majority of the Mimikatz information in this page is now in the “Unofficial Mimikatz Guide & Command Reference” which will be updated on a regular basis. Mimikatz is the latest, and one of the best, tool to gather credential data from Windows systems. In fact I consider Mimikatz …

Nov 21 2014

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

By Sean Metcalf in Microsoft Security, Technical Reference

MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works The folks at BeyondTrust have …

ActiveDirectory, KB3011780, Kerberos, KerberosHacking, KerberosInvalidChecksum, KerberosVulnerability, MS14-068, MS14068, MS14068Patch, PACValidation

Nov 21 2014

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

By Sean Metcalf in Microsoft Security, Technical Reference

In June 2014, Microsoft released KB2871997 which takes many of the enhanced security protection mechanisms built into Windows 8.1 & Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012. The enhanced security features reduce the credential data stored in memory and supports modern authentication (Kerberos …

Clear-TextCredentials, DigestAuthentication, InteractiveLogon, KB2871997, Kerberos, Local_Account, LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP, LSASS, mstsc /RestrictedAdmin, NetworkLogon, PassTheHash, ProtectedUsers, RestrictedAdminRDP, UseLogonCredential, Windows7, Windows8, Windows8.1, WindowsServer2008R2, WindowsServer2012R2

Nov 19 2014

Kerberos Vulnerability in MS14-068 (KB3011780) Explained

By Sean Metcalf in Microsoft Security, Technical Reference

Thanks to Gavin Millard (@gmillard on Twitter), we have a graphic that covers the issue quite nicely (wish I had of thought of it!) Exploit Code is now on the net! As of December 4th, 2014, there is Proof of Concept (POC) code posted that exploits MS14-068 by Sylvain Monné by using Python to interact with …

KB3011780, KerberosGoldenTicket, KerberosHacking, KerberosInvalidChecksum, KerberosVulnerability, MS14-068, MS14068

Nov 18 2014

MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege

By Sean Metcalf in Microsoft Security, Technical Reference

Active Directory leverages the Kerberos protocol for authentication. The vulnerability patches an issue with how the Domain Controller validates group membership in Kerberos tickets (hint: the ticket is always validated by the DC if the checksum is set to certain values). Microsoft KB3011780 patches this issue. According to Microsoft: “When this security bulletin was issued, …

ActiveDirectory, CVE-2014-6324POC, DomainController, HackingKerberos, KB3011780, KDC, KDCVulnerability, Kerberos, KerberosAttack, KerberosGoldentTicket, KerberosSilverTicket, KerberosVulnerability, MicrosoftPatch, mimikatz, MS14-068, MS14068, MS14068Exploit, MS14068POC, PAC, SPN

Copyright

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.

Made with by Graphene Themes.

Category: Microsoft Security

Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)

Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)

BlueHat Security Briefings: Fall 2014 Sesions

Mimikatz and Active Directory Kerberos Attacks

MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

Kerberos Vulnerability in MS14-068 (KB3011780) Explained

MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Category: Microsoft Security

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright