MS14-068
CVE-2014-6324
Theory
This vulnerability allows attackers to forge a TGT with high privileges (i.e. with a modified PAC stating the user is a member of privileged groups). This attack is similar to the Golden ticket, however, it doesn't require the attacker to know the krbtgt
. This attack is a really powerful privilege escalation technique, however, it relies on a 2014 bug and will not work on patched domain controllers.
This vulnerability is possible due to a misvalidation of the PAC signature, allowing to craft a PAC granting powerful rights to a user while still being legitimate in the eyes of the KDC(Key Distribution Center). Contrary to what Microsoft doc states here, there are more than three SignatureTypes
accepted by the KDC : before MS14-068 patch, a signature was considered valid by KdcVerifyPacSignature
if its size was <= 20 bytes. Therefore, it was possible to sign a PAC with a non-keyed hashing algorithm such as MD5 and have this PAC be considered valid.
A non-keyed algorithm is a type of encryption that does not use a key to encrypt or decrypt the data. It uses instead a fixed algorithm, which makes it much less secure than a keyed algorithm. Non-keyed algorithms are usually easier to crack or break because they do not have the added security of a key to protect the data.
The exploitation goes as follow:
A PAC-less TGT is obtained via an AS-REQ with the
PA-PAC-REQUEST
attribute set to false. This will be used in a later step.A PAC indicating an account membership to powerful groups in the domain is forged and "signed" with MD5 (or any other non-keyed algorithm listed here).
A TGS-REQ message, requesting a service ticket targeting the KRBTGT service (i.e. a TGT-like) is sent to the vulnerable KDC, using the forged PAC from step (2) encrypted with a sub-session key (usually the session key) and included in the TGT from step (1).
In response to step (3), a new TGT containing the forged PAC will be received from the vulnerable KDC after its validation of the forged PAC (the vulnerability happens here).
The newly obtained TGT can be use like a golden ticket, with pass-the-ticket, to perform privileged various actions.
Practice
Referring to kekeo's wiki might help untangle some situations but errors like KDC_ERR_SUMTYPE_NOSUPP (15)
or KRB_ERR_GENERIC (60)
when trying to use the generated .ccache
ticket should mean the target is patched.
PyKEK
This attack can be operated with pykek's ms14-068 Python script. The script can carry out the attack with a cleartext password or with pass-the-hash.
In order to operate the attack, knowing a domain account’s name, its password (or hash) and its SID are needed.
A TGT can then be obtained with one of the following commands.
Once the .ccache
TGT is obtained, if the attack is successful, the ticket will be usable with [pass-the-ticket](. An easy way to check if the TGT works is to use it and ask for a service ticket. This can be done with Impacket's getST.py (Python).
This step will only make sure the TGT works though. It will not indicate for sure that the attack worked. This is because a patched DC could ignore the forged PAC and include a legitimate PAC instead. But the TGT would still be valid. It would simply be "unprivileged". Trying to use the service ticket for a privileged taks, DCSync for instance, is advised.
Another way of knowing, for sure, if the target DC is patched or not is to decrypt the ticket obtained with describeTicket.py and make sure the PAC features the privileged groups (512, 518, 519, 520). If the privileged groups are missing, it means the DC is patched and the forged PAC was ignored and replaced with a legitimate one. Knowing the krbtgt key is needed, so this would best fit a whitebox audit scenario (or successful pentest).
In some scenarios, I personally have had trouble using the .ccache
ticket on UNIX-like systems. What I did was convert it to .kirbi
, switch to a Windows system, inject the ticket with mimikatz's usingkerberos:ptt
command, and then create a new user and add it to the domain admins group.
Impacket (goldenPac.py)
The attack can also be carried out automatically using Impacket's goldenPac.py (Python). This tool conducts the attack and tries to open a privileged session using the obtained TGT and PsExec. The TGT can be stored locally with the -w path
parameter.
Metasploit Framework
The Metasploit Framework can also be useful in the sense that it prints valuable error information.
Resources
Parts of this page were written with the help of the ChatGPT AI model.
Last updated