-
Notifications
You must be signed in to change notification settings - Fork 211
ms14068
MS14-068
is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represent all user rights) in its Kerberos ticket (the TGT).
https://technet.microsoft.com/library/security/ms14-068.aspx
In Windows domains, it permits privilege escalation (usually standard user
to domain/enterprise admin
)
The vulnerability is in the Key Distribution Center (KDC) of domain controllers. An user can obtain tickets by presenting a Kerberos TGT with an altered PAC.
Normally the KDC service detects a PAC alteration by verifying its signature (each KDC knows the secret symmetric key to check it)
The vulnerability: KDC service allows algorithms without keys (like MD4
, MD5
, SHA1
or CRC32
to be used. It means that any user can forge a PAC without knowing any secret key, and ask the KDC to include it in a ticket.
- (AS-REQ) User authenticates to a KDC, asking a TGT without a PAC.
- (PAC TIME) User creates a PAC with arbitrary data and seal it with an algorithm without keys (here,
MD5
). - (TGS-REQ) From its TGT, user asks a TGS for service
krbtgt
(TGT-like) with its fake PAC included. - (TGS-REQ) From its TGS, user asks another TGS for service
krbtgt
(TGT-like) - if vulnerable, fake PAC will be really signed by KDC here! - (KRB-CRED) From the final TGS, ticket is converted as KRB-CRED structure (to be saved on disk or injected in
LSA
)
Step 4. seems to be optional, but is necessary to use a TGT with a PAC well signed with a domain controller not vulnerable (load balancing).
-
/domain
- the fully qualified domain name of the target (ex:lab.local
) -
/user
- the username you want to use as authenticated user (any account allowed to logon is OK, ex:utilisateur
)
Then you can choose between:
-
/password
- the password of the user's account -
/key
- the derived key of the user's account, it can beRC4_HMAC_NT
(NTLM
),AES128_CTS_HMAC_SHA1_96
orAES256_CTS_HMAC_SHA1_96
By default, /key
and /password
will be used with RC4_HMAC_NT
algorithm, but you can specify /aes128
(AES128_CTS_HMAC_SHA1_96
) or /aes256
(AES256_CTS_HMAC_SHA1_96
)
Final usage is between:
-
/ticket
- optional - file name used to write ticket(s) on the disk - default is:tgt.kirbi
-
/ptt
- optional -Pass The Ticket
: no ticket will be written, first good ticket is injected inLSA
If not provided, these arguments can be recovered remotely by RPC/CLDAP, in this case: /password
is mandatory and /key
is not permitted.
-
/sid
- optional - the domain's SID (ex:S-1-5-21-1644491937-412668190-839522115
) -
/rid
- optional - the user's relative ID (ex:1105
) -
/kdc
- optional - the DC you want to use for all queries (ex:dc.lab.local
), if not provided, the program will select one automatically, then:- test all KDC in the domain
- when saving ticket in file: save each successful tickets in separate files, named like
%dcshortname%.%filename%.kirbi
- when
Pass The Ticket
: inject the first successful ticket inLSA
then break the loop - print a little repport at the end with the number of vulnerable servers vs the total.
-
/groups
- optional - relatives id of groups which the user will belong (first is primary group, comma separator) - default is:513,512,520,518,519
for the well-known Administrator's groups. -
/sids
- optional - externals SID (externals to the domain) to add.- an interesting SID is
S-1-5-21-root forest-519
(Enterprise Admins)
- an interesting SID is
-
KDC_ERR_WRONG_REALM (68)
: bad domain name -
KDC_ERR_PREAUTH_FAILED (24)
: bad password or key -
KDC_ERR_ETYPE_NOSUPP (14)
: you try to make AES on 2003 domain functional level (or algorithm is not allowed) -
KDC_ERR_SUMTYPE_NOSUPP (15)
:- NT6 target:
KB3011780
patch or > is installed
- NT6 target:
-
KRB_ERR_GENERIC (60)
:- NT5 target:
KB3011780
patch or > is installed - NT6 target: 2012 server or > is not vulnerable to this program
- NT5 target:
Others errors:
-
ERROR stringToKey ; LocacteCSystem: 80080341
: you try to use AES on a NT5 client (RC4 support only), please use a NT6 machine. -
ERROR [...] ; LsaCallAuthenticationPackage KerbSubmitTicketMessage : c000000d
: you try to makePass The Ticket
on a NT5 client. Like withmimikatz
, it’s a NT6 only feature.
- All DC without
KB3011780
patch or >, are vulnerable (like all Windows 2000)