search
GitHubTwitterExegolTools

MS14-068

CVE-2014-6324

hashtag
Theory

This vulnerability allows attackers to forge a TGT with high privileges (i.e. with a modified PAC stating the user is a member of privileged groups). This attack is similar to the Golden ticket, however, it doesn't require the attacker to know the krbtgt. This attack is a really powerful privilege escalation technique, however, it relies on a 2014 bug and will not work on patched domain controllers.

This vulnerability is possible due to a misvalidation of the PAC signature, allowing to craft a PAC granting powerful rights to a user while still being legitimate in the eyes of the KDC(Key Distribution Center). Contrary to what Microsoft doc states herearrow-up-right, there are more than three SignatureTypes accepted by the KDC : before MS14-068 patch, a signature was considered valid by KdcVerifyPacSignature if its size was <= 20 bytes. Therefore, it was possible to sign a PAC with a non-keyed hashing algorithm such as MD5 and have this PAC be considered valid.

circle-info

A non-keyed algorithm is a type of encryption that does not use a key to encrypt or decrypt the data. It uses instead a fixed algorithm, which makes it much less secure than a keyed algorithm. Non-keyed algorithms are usually easier to crack or break because they do not have the added security of a key to protect the data.

The exploitation goes as follow:

  1. A PAC-less TGT is obtained via an AS-REQ with the PA-PAC-REQUEST attribute set to false. This will be used in a later step.

  2. A PAC indicating an account membership to powerful groups in the domain is forged and "signed" with MD5 (or any other non-keyed algorithm listed herearrow-up-right).

  3. A TGS-REQ message, requesting a service ticket targeting the KRBTGT service (i.e. a TGT-like) is sent to the vulnerable KDC, using the forged PAC from step (2) encrypted with a sub-session key (usually the session key) and included in the TGT from step (1).

  4. In response to step (3), a new TGT containing the forged PAC will be received from the vulnerable KDC after its validation of the forged PAC (the vulnerability happens here).

The newly obtained TGT can be use like a golden ticket, with pass-the-ticket, to perform privileged various actions.

hashtag
Practice

circle-info

Referring to kekeoarrow-up-right's wiki might help untangle some situations but errors like KDC_ERR_SUMTYPE_NOSUPP (15) or KRB_ERR_GENERIC (60) when trying to use the generated .ccache ticket should mean the target is patched.

PyKEK

This attack can be operated with pykekarrow-up-right's ms14-068arrow-up-right Python script. The script can carry out the attack with a cleartext password or with pass-the-hash.

In order to operate the attack, knowing a domain account’s name, its password (or hash) and its SID are needed.

A TGT can then be obtained with one of the following commands.

# with a plaintext password
ms14-068.py -u 'BASICUSER'@'DOMAIN_FQDN' -p 'PASSWORD' -s 'BASICUSER_SID' -d 'DOMAIN_CONTROLLER'

# with pass-the-hash
ms14-068.py -u 'BASICUSER'@'DOMAIN_FQDN' --rc4 'NThash' -s 'BASICUSER_SID' -d 'DOMAIN_CONTROLLER'

Once the .ccache TGT is obtained, if the attack is successful, the ticket will be usable with pass-the-ticket. An easy way to check if the TGT works is to use it and ask for a service ticket. This can be done with Impacket's getST.pyarrow-up-right (Python).

getST.py -k -no-pass -spn 'any_valid_spn' $DOMAIN_FQDN/$USER

This step will only make sure the TGT works though. It will not indicate for sure that the attack worked. This is because a patched DC could ignore the forged PAC and include a legitimate PAC instead. But the TGT would still be valid. It would simply be "unprivileged". Trying to use the service ticket for a privileged taks, DCSync for instance, is advised.

circle-info

Another way of knowing, for sure, if the target DC is patched or not is to decrypt the ticket obtained with describeTicket.pyarrow-up-right and make sure the PAC features the privileged groups (512, 518, 519, 520). If the privileged groups are missing, it means the DC is patched and the forged PAC was ignored and replaced with a legitimate one. Knowing the krbtgt key is needed, so this would best fit a whitebox audit scenario (or successful pentest).

circle-exclamation

In some scenarios, I personally have had trouble using the .ccache ticket on UNIX-like systems. What I did was convert it to .kirbi, switch to a Windows system, inject the ticket with mimikatz's usingkerberos:pttarrow-up-right command, and then create a new user and add it to the domain admins group.

net user "hacker" "132Pentest!!!" /domain /add
net group "Domain Admins" /domain /add

Impacket (goldenPac.py)

The attack can also be carried out automatically using Impacket's goldenPac.pyarrow-up-right (Python). This tool conducts the attack and tries to open a privileged session using the obtained TGT and PsExec. The TGT can be stored locally with the -w path parameter.

Metasploit Framework

The Metasploit Framework can also be useful in the sense that it prints valuable error information.

hashtag
Resources

LogoDigging into MS14-068, Exploitation and Defencelabs.withsecure.comchevron-right
MS14-068[“Hacking Wiki”]chevron-right
MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of PrivilegeActive Directory & Azure AD/Entra ID Securitychevron-right
Kerberos Vulnerability in MS14-068 (KB3011780) ExplainedActive Directory & Azure AD/Entra ID Securitychevron-right
https://www.beyondtrust.com/blog/entry/a-quick-look-at-ms14-068www.beyondtrust.comchevron-right
Logoms14068GitHubchevron-right
circle-info

Parts of this page were written with the help of the ChatGPTarrow-up-right AI model.

PreviousRODC Golden ticketsNextASREQroast

Last updated

Was this helpful?