MS14-068
is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represent all user rights) in its Kerberos ticket (the TGT).
> https://technet.microsoft.com/library/security/ms14-068.aspx
In Windows domains, it permits privilege escalation (usually standard user
to domain/enterprise admin
)
The vulnerability is in the Key Distribution Center (KDC - kdcsvc.dll
) of domain controllers. An user can obtain tickets by presenting a Kerberos TGT with an altered PAC.
Normally the KDC service detects a PAC alteration by verifying its signature (each KDC knows the secret symmetric key to check it)
The vulnerability: KDC service allows algorithms without keys (like MD4
, MD5
, SHA1
or CRC32
) to be used. It means that any user can forge a PAC without knowing any secret key, and ask the KDC to include it in a ticket.
MD5
).krbtgt
(TGT-like) with its fake PAC included.krbtgt
(TGT-like) - if vulnerable, fake PAC will be really signed by KDC here!LSA
)Step 4. seems to be optional, but is necessary to use a TGT with a PAC well signed with a domain controller not vulnerable (load balancing).
/domain
- the fully qualified domain name of the target (ex: lab.local
)/user
- the username you want to use as authenticated user (any account allowed to logon is OK, ex: utilisateur
)Then you can choose between:
/password
- the password of the userβs account/key
- the derived key of the userβs account, it can be RC4_HMAC_NT
(NTLM
), AES128_CTS_HMAC_SHA1_96
or AES256_CTS_HMAC_SHA1_96
By default, /key
and /password
will be used with RC4_HMAC_NT
algorithm, but you can specify /aes128
(AES128_CTS_HMAC_SHA1_96
) or /aes256
(AES256_CTS_HMAC_SHA1_96
)
Final usage is between:
/ticket
- optional - file name used to write ticket(s) on the disk - default is: tgt.kirbi
/ptt
- optional - Pass The Ticket
: no ticket will be written, first good ticket is injected in LSA
(NT6 is needed)If not provided, these arguments can be recovered remotely by RPC/CLDAP, in this case: /password
is mandatory and /key
is not permitted.
/sid
- optional - the domainβs SID (ex: S-1-5-21-1644491937-412668190-839522115
)/rid
- optional - the userβs relative ID (ex: 1105
)/kdc
- optional - the DC you want to use for all queries (ex: dc.lab.local
), if not provided, the program will select one automatically, then:
%dcshortname%.%filename%.kirbi
Pass The Ticket
: inject the first successful ticket in LSA
then break the loop/groups
- optional - relatives id of groups which the user will belong (first is primary group, comma separator) - default is: 513,512,520,518,519
for the well-known Administratorβs groups./sids
- optional - externals SID (externals to the domain) to add.
S-1-5-21-root forest-519
(Enterprise Admins)KDC_ERR_WRONG_REALM (68)
: bad domain nameKDC_ERR_PREAUTH_FAILED (24)
: bad password or keyKDC_ERR_ETYPE_NOSUPP (14)
: you try to make AES on 2003 domain functional level (or algorithm is not allowed)KDC_ERR_SUMTYPE_NOSUPP (15)
:
KB3011780
patch or > is installedKRB_ERR_GENERIC (60)
:
KB3011780
patch or > is installedOthers errors:
ERROR stringToKey ; LocacteCSystem: 80080341
: you try to use AES on a NT5 client (RC4 support only), please use a NT6 machine.ERROR [...] ; LsaCallAuthenticationPackage KerbSubmitTicketMessage : c000000d
: you try to make Pass The Ticket
on a NT5 client. Like with mimikatz
, itβs a NT6 only feature.KB3011780
patch or >, are vulnerable (like all Windows 2000)
exploit from ShadowBrokers οΌ
https://github.com/misterch0c/shadowbroker/blob/master/windows/exploits/Eskimoroll-1.1.1.exe