Merge pull request #2187 from HackTricks-wiki/update_Bypassing_Windows_authentication_reflection_mitiga_20260430_135616

carlospolop · web-flow · commit 2c5c6662573f · 2026-05-06T18:48:16.000+02:00
Bypassing Windows authentication reflection mitigations for ...
diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
@@ -253,6 +253,45 @@ For detailed info about this attack check:
 4. **Ticket source not already used:** you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649.
 5. You need to somehow be able to perform a **MitM in the communication** maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim.
 
+### Unicode-normalization Kerberos reflection (2025-2026)
+
+Synacktiv documented a **new Kerberos coercion/relay primitive** that bypassed the first SMB reflection mitigations by abusing **inconsistent Unicode normalization** across Windows DNS, Kerberos/SPN lookup, and SMB ticket acceptance.
+
+- The attacker needs a way to **register AD-integrated DNS records** and **coerce machine authentication** (`PetitPotam`, DFSCoerce, etc.).
+- The crafted target name must be:
+  - **Different enough** from the victim hostname/FQDN that `DnsCache` does **not** treat it as "self", so a DNS query is emitted.
+  - **Equivalent enough** during DC-side SPN lookup that the TGS request resolves to the **real machine account SPN**.
+- This was achieved by combining:
+  - a **Unicode hostname lookalike** such as replacing `R` in `SRV1` with a Unicode equivalent so `CompareStringW(..., NORM_IGNORECASE)` no longer returns equal on the client side
+  - **Unicode dot equivalents** in the FQDN so the DC-side SPN search key still collides with the victim FQDN SPN set
+
+Why it works:
+
+- `DnsCache` self-name checks use `CompareStringW` with only **`NORM_IGNORECASE`**.
+- SPN lookups in AD ultimately depend on **ESE/NTDS search keys** derived from `LCMapStringEx(..., 0x31403)` (`LCMAP_SORTKEY`, `NORM_IGNORECASE`, `NORM_IGNOREKANATYPE`, `NORM_IGNORENONSPACE`, `NORM_IGNOREWIDTH`, `SORT_STRINGSORT`).
+- Therefore, two strings can be **different for client-side self-comparison** but still **collide during SPN lookup** on the DC.
+- SMB then accepts the relayed AP-REQ as long as the service ticket decrypts under the same machine account key and the local-auth checks are otherwise satisfied.
+
+Practical constraints and workflow:
+
+1. A pure hostname variant tends to fail because **LDAP/DNS uniqueness checks** can hit the same normalized collision and reject the record as already existing.
+2. The practical workaround is to register a **crafted FQDN** whose DNS label passes uniqueness checks but whose **constructed SPN** still collides with the victim machine SPNs.
+3. Coerce the victim to authenticate to that crafted name, receive the **Kerberos AP-REQ** on the relay box, and relay it to a service on the victim or another service bound to the same machine account.
+4. Some relay tooling may need a **small patch** to stop enforcing strict ASCII/hostname equality on the relayed target name because the ticket `sname` can contain Unicode.
+
+Representative chain:
+
+```bash
+# 1. Register crafted ADIDNS record pointing to attacker
+dnstool.py -u 'DOMAIN\\user' -p 'Passw0rd!' -r '<unicode-fqdn>' -d <attacker-ip> <dc>
+
+# 2. Coerce machine auth to the crafted name
+PetitPotam.py -u user -p 'Passw0rd!' '<unicode-fqdn>' <victim-fqdn>
+
+# 3. Relay the Kerberos AP-REQ
+krbrelayx.py -t smb://<victim-fqdn> -c whoami
+```
+
 ### Kerberos Relay Steps
 
 - 3.1 **Recon the host**
@@ -351,6 +390,9 @@ You now own **NT AUTHORITY\SYSTEM**.
 - [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)
 - [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth)
 - [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/)
+- [Synacktiv - Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 2](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html)
+- [Microsoft Learn - LCMapStringEx function](https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-lcmapstringex)
+- [Microsoft Learn - CompareStringW function](https://learn.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-comparestringw)
+- [Semperis - Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation](https://www.semperis.com/blog/exploiting-ghost-spns-and-kerberos-reflection-for-smb-server-privilege-elevation/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
