Update spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

Author: carlospolop

src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

@@ -292,22 +292,6 @@ PetitPotam.py -u user -p 'Passw0rd!' '<unicode-fqdn>' <victim-fqdn>
 krbrelayx.py -t smb://<victim-fqdn> -c whoami
 ```
 
-Impact and adaptations:
-
-- **Pre-October 2025 SMB reflection**: this yielded **authenticated SYSTEM RCE** from a standard domain user by reflecting the victim's Kerberos auth back to its own SMB service.
-- **After CVE-2025-58726**: SMB added a **local-source-IP requirement** for loopback-auth sessions, which killed the remote SMB reflection path.
-- **LPE variant (CVE-2026-26128)**: if you already have code execution on the victim, use a **local forwarder / reverse SOCKS** so the final SMB session originates from a **local address** while still relaying the coerced AP-REQ. This converts the primitive into **SYSTEM local privilege escalation**.
-- **Other protocols still matter**: SMB-specific hardening does **not** kill Kerberos relay as a class. HTTP services without integrity / CBT remain strong targets, notably:
-  - **AD CS Web Enrollment** (`http://<ca>/certsrv/certfnsh.asp`) to obtain a machine certificate
-  - **SCCM AdminService** to perform privileged SCCM actions
-  - likely any service that accepts Kerberos and does **not** enforce signing, EPA, or channel binding
-
-Defensive notes:
-
-- **Loopback SMB signing** is now the important default mitigation. Newer systems enforce signing for local SMB connections through `HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignatureForLoopback`.
-- Treat **ADIDNS write access** as a relay primitive, not just a DNS issue.
-- For web targets, disable legacy HTTP enrollment when possible and enforce **EPA / CBT / signing** wherever the protocol supports it.
-
 ### Kerberos Relay Steps
 
 - 3.1 **Recon the host**