src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
Lines changed: 59 additions & 1 deletion
@@ -253,6 +253,61 @@ For detailed info about this attack check:
253
253
4.**Ticket source not already used:** you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649.
254
254
5. You need to somehow be able to perform a **MitM in the communication** maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim.
Synacktiv documented a **new Kerberos coercion/relay primitive** that bypassed the first SMB reflection mitigations by abusing **inconsistent Unicode normalization** across Windows DNS, Kerberos/SPN lookup, and SMB ticket acceptance.
259
+
260
+
- The attacker needs a way to **register AD-integrated DNS records** and **coerce machine authentication** (`PetitPotam`, DFSCoerce, etc.).
261
+
- The crafted target name must be:
262
+
-**Different enough** from the victim hostname/FQDN that `DnsCache` does **not** treat it as "self", so a DNS query is emitted.
263
+
-**Equivalent enough** during DC-side SPN lookup that the TGS request resolves to the **real machine account SPN**.
264
+
- This was achieved by combining:
265
+
- a **Unicode hostname lookalike** such as replacing `R` in `SRV1` with a Unicode equivalent so `CompareStringW(..., NORM_IGNORECASE)` no longer returns equal on the client side
266
+
-**Unicode dot equivalents** in the FQDN so the DC-side SPN search key still collides with the victim FQDN SPN set
267
+
268
+
Why it works:
269
+
270
+
-`DnsCache` self-name checks use `CompareStringW` with only **`NORM_IGNORECASE`**.
271
+
- SPN lookups in AD ultimately depend on **ESE/NTDS search keys** derived from `LCMapStringEx(..., 0x31403)` (`LCMAP_SORTKEY`, `NORM_IGNORECASE`, `NORM_IGNOREKANATYPE`, `NORM_IGNORENONSPACE`, `NORM_IGNOREWIDTH`, `SORT_STRINGSORT`).
272
+
- Therefore, two strings can be **different for client-side self-comparison** but still **collide during SPN lookup** on the DC.
273
+
- SMB then accepts the relayed AP-REQ as long as the service ticket decrypts under the same machine account key and the local-auth checks are otherwise satisfied.
274
+
275
+
Practical constraints and workflow:
276
+
277
+
1. A pure hostname variant tends to fail because **LDAP/DNS uniqueness checks** can hit the same normalized collision and reject the record as already existing.
278
+
2. The practical workaround is to register a **crafted FQDN** whose DNS label passes uniqueness checks but whose **constructed SPN** still collides with the victim machine SPNs.
279
+
3. Coerce the victim to authenticate to that crafted name, receive the **Kerberos AP-REQ** on the relay box, and relay it to a service on the victim or another service bound to the same machine account.
280
+
4. Some relay tooling may need a **small patch** to stop enforcing strict ASCII/hostname equality on the relayed target name because the ticket `sname` can contain Unicode.
281
+
282
+
Representative chain:
283
+
284
+
```bash
285
+
# 1. Register crafted ADIDNS record pointing to attacker
PetitPotam.py -u user -p 'Passw0rd!''<unicode-fqdn>'<victim-fqdn>
290
+
291
+
# 3. Relay the Kerberos AP-REQ
292
+
krbrelayx.py -t smb://<victim-fqdn> -c whoami
293
+
```
294
+
295
+
Impact and adaptations:
296
+
297
+
-**Pre-October 2025 SMB reflection**: this yielded **authenticated SYSTEM RCE** from a standard domain user by reflecting the victim's Kerberos auth back to its own SMB service.
298
+
-**After CVE-2025-58726**: SMB added a **local-source-IP requirement** for loopback-auth sessions, which killed the remote SMB reflection path.
299
+
-**LPE variant (CVE-2026-26128)**: if you already have code execution on the victim, use a **local forwarder / reverse SOCKS** so the final SMB session originates from a **local address** while still relaying the coerced AP-REQ. This converts the primitive into **SYSTEM local privilege escalation**.
300
+
-**Other protocols still matter**: SMB-specific hardening does **not** kill Kerberos relay as a class. HTTP services without integrity / CBT remain strong targets, notably:
301
+
-**AD CS Web Enrollment** (`http://<ca>/certsrv/certfnsh.asp`) to obtain a machine certificate
302
+
-**SCCM AdminService** to perform privileged SCCM actions
303
+
- likely any service that accepts Kerberos and does **not** enforce signing, EPA, or channel binding
304
+
305
+
Defensive notes:
306
+
307
+
-**Loopback SMB signing** is now the important default mitigation. Newer systems enforce signing for local SMB connections through `HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignatureForLoopback`.
308
+
- Treat **ADIDNS write access** as a relay primitive, not just a DNS issue.
309
+
- For web targets, disable legacy HTTP enrollment when possible and enforce **EPA / CBT / signing** wherever the protocol supports it.
310
+
256
311
### Kerberos Relay Steps
257
312
258
313
- 3.1 **Recon the host**
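Review bot: the "Representative chain" bash block does not match the four-step workflow above it: the comment `# 1. Register crafted ADIDNS record pointing to attacker` is followed directly by a `PetitPotam.py` coercion command (workflow step 2) whose arguments are run together as `-p 'Passw0rd!''<unicode-fqdn>'<victim-fqdn>`, no registration command is shown under step 1, and the `# 2.` comment is missing before `# 3. Relay the Kerberos AP-REQ`. Restore the step-2 comment, put the registration command under step 1, and separate the PetitPotam arguments so the block is consistent with the numbered list. Minor: the defensive note on `RequireSecuritySignatureForLoopback` could point back to the server replay-cache Event 4649 already mentioned in the "Ticket source not already used" constraint, since that is the detection signal the race described here is trying to avoid.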
@@ -351,6 +406,9 @@ You now own **NT AUTHORITY\SYSTEM**.
-[Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/)
409
+
-[Synacktiv - Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 2](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html)
-[Semperis - Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation](https://www.semperis.com/blog/exploiting-ghost-spns-and-kerberos-reflection-for-smb-server-privilege-elevation/)
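Review bot: the Synacktiv reference URL ends in `...reflection-mitigations-for-system-shells-part.html` while the link text says "Part 2"; the slug looks truncated, so verify it resolves to the Part 2 post, and consider also citing Part 1 since the section describes the bypass of the "first" reflection mitigations. Minor: the new entries use a plain hyphen ("Synacktiv - ...", "Semperis - ...") where the existing entry uses an en dash ("Depth Security – ..."); pick one separator for the reference list.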