ESKIMOROLL-ms14-068 Windows vulnerability in the Key Distribution Center (KDC) service (CVE-2014-6324)

### Description `MS14-068` is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represent all user rights) in its Kerberos ticket (the TGT). > https://technet.microsoft.com/library/security/ms14-068.aspx In Windows domains, it permits privilege escalation (usually `standard user` to `domain/enterprise admin`) ### Technical The vulnerability is in the Key Distribution Center (KDC - `kdcsvc.dll`) of domain controllers. An user can obtain tickets by presenting a Kerberos TGT with an altered PAC. Normally the KDC service detects a PAC alteration by verifying its signature (each KDC knows the secret symmetric key to check it) **The vulnerability:** KDC service allows algorithms without keys (like `MD4`, `MD5`, `SHA1` or `CRC32`) to be used. It means that any user can forge a PAC without knowing any secret key, and ask the KDC to include it in a ticket. #### Workflow 1. (AS-REQ) User authenticates to a KDC, asking a TGT without a PAC. 2. (PAC TIME) User creates a PAC with arbitrary data and seal it with an algorithm without keys (here, `MD5`). 3. (TGS-REQ) From its TGT, user asks a TGS for service `krbtgt` (TGT-like) with its fake PAC included. 4. (TGS-REQ) From its TGS, user asks another TGS for service `krbtgt` (TGT-like) - _if vulnerable, fake PAC will be really signed by KDC here!_ 5. (KRB-CRED) From the final TGS, ticket is converted as KRB-CRED structure (to be saved on disk or injected in `LSA`) Step 4. seems to be optional, but is necessary to use a TGT with a PAC well signed with a domain controller not vulnerable (load balancing). ## Arguments #### Standard * `/domain` - the fully qualified domain name of the target (ex: `lab.local`) * `/user` - the username you want to use as authenticated user (any account allowed to logon is OK, ex: `utilisateur`) Then you can choose between: * `/password` - the password of the user's account * `/key` - the derived key of the user's account, it can be `RC4_HMAC_NT` (`NTLM`), `AES128_CTS_HMAC_SHA1_96` or `AES256_CTS_HMAC_SHA1_96` By default, `/key` and `/password` will be used with `RC4_HMAC_NT` algorithm, but you can specify `/aes128` (`AES128_CTS_HMAC_SHA1_96`) or `/aes256` (`AES256_CTS_HMAC_SHA1_96`) Final usage is between: * `/ticket` - _optional_ - file name used to write ticket(s) on the disk - default is: `tgt.kirbi` * `/ptt` - _optional_ - `Pass The Ticket`: no ticket will be written, first good ticket is injected in `LSA` (NT6 is needed) #### Automatically recovered If not provided, these arguments can be recovered remotely by RPC/CLDAP, in this case: `/password` is mandatory and `/key` is not permitted. * `/sid` - _optional_ - the **domain**'s SID (ex: `S-1-5-21-1644491937-412668190-839522115`) * `/rid` - _optional_ - the **user**'s relative ID (ex: `1105`) * `/kdc` - _optional_ - the DC you want to use for all queries (ex: `dc.lab.local`), if not provided, the program will select one automatically, then: * test *all* KDC in the domain * when saving ticket in file: save each successful tickets in separate files, named like `%dcshortname%.%filename%.kirbi` * when `Pass The Ticket`: inject the first successful ticket in `LSA` then break the loop * print a little repport at the end with the number of vulnerable servers vs the total. #### Tuning * `/groups` - _optional_ - relatives id of groups which the user will belong (first is primary group, comma separator) - default is: `513,512,520,518,519` for the well-known Administrator's groups. * `/sids` - _optional_ - externals SID (externals to the domain) to add. * an interesting SID is `S-1-5-21-root forest-519` (Enterprise Admins) # Errors * `KDC_ERR_WRONG_REALM (68)`: bad domain name * `KDC_ERR_PREAUTH_FAILED (24)`: bad password or key * `KDC_ERR_ETYPE_NOSUPP (14)`: you try to make AES on 2003 domain functional level (or algorithm is not allowed) * `KDC_ERR_SUMTYPE_NOSUPP (15)`: * NT6 target: `KB3011780` patch or > is installed * `KRB_ERR_GENERIC (60)`: * NT5 target: `KB3011780` patch or > is installed * NT6 target: 2012 server or > is not vulnerable to this program Others errors: * `ERROR stringToKey ; LocacteCSystem: 80080341`: you try to use AES on a NT5 client (RC4 support only), please use a NT6 machine. * `ERROR [...] ; LsaCallAuthenticationPackage KerbSubmitTicketMessage : c000000d`: you try to make `Pass The Ticket` on a NT5 client. Like with `mimikatz`, it’s a NT6 only feature. ### Remarks * All DC without `KB3011780` patch or >, are vulnerable (like all Windows 2000)