MS14-068

CVE-2014-6324

Theory

This vulnerability allows attackers to forge a TGT with high privileges (i.e. with a modified PAC stating the user is a member of privileged groups). This attack is similar to the , however, it doesn't require the attacker to know the krbtgt. This attack is a really powerful privilege escalation technique, however, it relies on a 2014 bug and will not work on patched domain controllers.

This vulnerability is possible due to a misvalidation of the PAC signature, allowing to craft a PAC granting powerful rights to a user while still being legitimate in the eyes of the KDC(Key Distribution Center). Contrary to what Microsoft doc states , there are more than three SignatureTypes accepted by the KDC : before MS14-068 patch, a signature was considered valid by KdcVerifyPacSignature if its size was <= 20 bytes. Therefore, it was possible to sign a PAC with a non-keyed hashing algorithm such as MD5 and have this PAC be considered valid.

A non-keyed algorithm is a type of encryption that does not use a key to encrypt or decrypt the data. It uses instead a fixed algorithm, which makes it much less secure than a keyed algorithm. Non-keyed algorithms are usually easier to crack or break because they do not have the added security of a key to protect the data.

The exploitation goes as follow:

A PAC-less TGT is obtained via an AS-REQ with the PA-PAC-REQUEST attribute set to false. This will be used in a later step.
A PAC indicating an account membership to powerful groups in the domain is forged and "signed" with MD5 (or any other non-keyed algorithm listed ).
A TGS-REQ message, requesting a service ticket targeting the KRBTGT service (i.e. a TGT-like) is sent to the vulnerable KDC, using the forged PAC from step (2) encrypted with a sub-session key (usually the session key) and included in the TGT from step (1).
In response to step (3), a new TGT containing the forged PAC will be received from the vulnerable KDC after its validation of the forged PAC (the vulnerability happens here).

The newly obtained TGT can be use like a , with pass-the-ticket, to perform privileged various actions.

Practice

Referring to 's wiki might help untangle some situations but errors like KDC_ERR_SUMTYPE_NOSUPP (15) or KRB_ERR_GENERIC (60) when trying to use the generated .ccache ticket should mean the target is patched.

PyKEK

This attack can be operated with 's Python script. The script can carry out the attack with a cleartext password or with pass-the-hash.

In order to operate the attack, knowing a domain account’s name, its password (or hash) and its SID are needed.

A TGT can then be obtained with one of the following commands.

# with a plaintext password
ms14-068.py -u 'BASICUSER'@'DOMAIN_FQDN' -p 'PASSWORD' -s 'BASICUSER_SID' -d 'DOMAIN_CONTROLLER'

# with pass-the-hash
ms14-068.py -u 'BASICUSER'@'DOMAIN_FQDN' --rc4 'NThash' -s 'BASICUSER_SID' -d 'DOMAIN_CONTROLLER'

Once the .ccache TGT is obtained, if the attack is successful, the ticket will be usable with [pass-the-ticket](. An easy way to check if the TGT works is to use it and ask for a service ticket. This can be done with Impacket's (Python).

getST.py -k -no-pass -spn 'any_valid_spn' $DOMAIN_FQDN/$USER

This step will only make sure the TGT works though. It will not indicate for sure that the attack worked. This is because a patched DC could ignore the forged PAC and include a legitimate PAC instead. But the TGT would still be valid. It would simply be "unprivileged". Trying to use the service ticket for a privileged taks, for instance, is advised.

Another way of knowing, for sure, if the target DC is patched or not is to decrypt the ticket obtained with and make sure the PAC features the privileged groups (512, 518, 519, 520). If the privileged groups are missing, it means the DC is patched and the forged PAC was ignored and replaced with a legitimate one. Knowing the krbtgt key is needed, so this would best fit a whitebox audit scenario (or successful pentest).

In some scenarios, I personally have had trouble using the .ccache ticket on UNIX-like systems. What I did was convert it to .kirbi, switch to a Windows system, inject the ticket with mimikatz's using command, and then create a new user and add it to the domain admins group.

net user "hacker" "132Pentest!!!" /domain /add
net group "Domain Admins" /domain /add

Impacket (goldenPac.py)

goldenPac.py $DOMAIN_FQDN/$USER:$PASSWORD@$DC_FQDN -dc-ip $DC_IP

Metasploit Framework

The Metasploit Framework can also be useful in the sense that it prints valuable error information.

msf6 > use admin/kerberos/ms14_068_kerberos_checksum

Kekeo

# NB : ms14068.exe can act in two ways
# /ticket : Write the obtained ticket on disk with default name tgt.kirbi
# /ptt : Pass-the-ticket by directly injecting the obtained TGT into LSA

# with password
# domain SID and user RID are automaticaly discovered
ms14068.exe /domain:$domain /user:$user /password:$password /kdc:$VULN_KDC_FQDN

# with an NT hash
# AES-128 and AES-256 keys are also usable with /aes128 and /aes256 respectively
# note that automatic discovery of the user SID is not possible when using hash 
ms14068.exe /domain:$domain /user:$user /key:$krbtgt_NThash /sid:$DomainSID /rid:$userRelativeID /kdc:$KDC_FQDN

Resources

Last updated 1 year ago

Was this helpful?