Menu

Search for hundreds of thousands of exploits

"Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)"

Author

Exploit author

"Nabeel Ahmed"

Platform

Exploit platform

windows

Release date

Exploit published date

2016-02-15

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# Exploit Title: Windows Kerberos Security Feature Bypass
# Date: 12-02-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-0049
# Category: Local Exploit

1) Prerequisites:

		- Standard Windows 7 Fully patched and member of an existing domain.
		- BitLocker enabled without PIN or USB key.
		- Password Caching enabled
		- Victim has cached credentials stored on the system from previous logon.

2) Reproduce:
		STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
		STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
		STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
		STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
		STEP 5: Create Computer Object in Active Directory with the same name as the target system. (E.g CLIENT)
		STEP 6: Use ADSI Edit and change the attribute ServicePrincipleName of the Computer Object you created in STEP 5, Add the FQDN as following (HOST/CLIENT.domain.local).
		STEP 7: Establish network connection between the target system and the newly created Domain Controller.
		STEP 8: Login with the password defined in STEP 4.
		STEP 9: Target system displays change password screen, set new password and confirm.
		STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
		STEP 11: Disconnect Target system's network connection.
		STEP 12: Login with the new changed password.

3) Impact: 
		Access gained to the information stored to the FDE target system without previous knowledge of password or any other information.

4) Solution:
		Install the latest patches from 09-02-2016 using Windows Update.
		
5) References:
		https://technet.microsoft.com/en-us/library/security/ms16-014.aspx
		https://support.microsoft.com/en-us/kb/3134228
		
6) Credits:
		Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-04-09 "Microsoft Windows - AppX Deployment Service Privilege Escalation" local windows "Nabeel Ahmed"
2018-03-28 "Microsoft Windows Remote Assistance - XML External Entity Injection" webapps windows "Nabeel Ahmed"
2018-02-27 "Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service" dos windows "Nabeel Ahmed"
2016-09-22 "Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)" local windows "Nabeel Ahmed"
2016-08-08 "Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)" local windows "Nabeel Ahmed"
2016-02-15 "Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)" local windows "Nabeel Ahmed" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected