Commit a005e51

Update README.md
1 parent bd8a4ba commit a005e51

1 file changed: README.md

Lines changed: 8 additions & 4 deletions
@@ -5,6 +5,10 @@ Kerberos Relay and Forwarder for (Fake) SMB MiTM Server
55
---
66
KrbRelayEx is a tool designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets. It listens for incoming SMB connections and forwards the AP-REQ to the target host, enabling access to SMB shares or HTTP ADCS (Active Directory Certificate Services) endpoints on behalf of the targeted identity.
77

8+
## Disclaimer
9+
10+
**This tool is intended exclusively for legitimate testing and assessment purposes, such as penetration testing or security research, with proper authorization.**
11+
Any misuse of this tool for unauthorized or malicious activities is strictly prohibited and beyond my responsibility as the creator. By using this tool, you agree to comply with all applicable laws and regulations.
812
## Why This Tool?
913

1014
I created this tool to explore the potential misuse of privileges granted to the `DnsAdmins` group in Active Directory, focusing on their ability to modify DNS records. Members of this group are considered privileged users because they can make changes that impact how computers and services are located within a network. However, despite this level of access, there has been relatively little documentation (apart from CVE-2021-40469) explaining how these privileges might be exploited in practice.
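Review bot: the new disclaimer paragraph at line 11 runs straight into the `## Why This Tool?` heading at line 12 with no blank line between them, unlike the blank line kept before `## Disclaimer`; add an empty line after "...all applicable laws and regulations." so the spacing around headings stays consistent across the README.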
@@ -26,7 +30,7 @@ Building upon the concept, I started from [KrbRelay](https://github.com/cube0x0/
2630

2731
- Relay Kerberos AP-REQ tickets to access SMB shares or HTTP ADCS endpoints.
2832
- Interactive or background **multithreaded SMB consoles** for managing multiple connections, enabling file manipulation and the creation/startup of services.
29-
- **Multithreaded port forwarding** to forward additional trafficfrom clients to original destination such as RDP, HTTP(S), RPC Mapper, WinRM,...
33+
- **Multithreaded port forwarding** to forward additional traffic from clients to original destination such as RDP, HTTP(S), RPC Mapper, WinRM,...
3034
- Transparent relaying process for **seamless user access**.
3135
- Cross-platform compatibility with Windows and GNU/Linux via .NET 8.0 SDK.
3236

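Review bot: line 33 fixes "trafficfrom" but leaves the rest of the sentence ungrammatical (missing article and comma); since the line is being touched anyway, suggest "forward additional traffic from clients to the original destination, such as RDP, HTTP(S), RPC Mapper, WinRM, ...".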
@@ -86,8 +90,8 @@ Options:
8690
# Examples
8791
SMB Relay:
8892
==========
89-
The user19 account is a member of the DNSAdmins group in the MYLAB.LOCAL domain and modifies the A record for SRV2-MYLAB. The IP 192.168.212.11 is our attacker machine.
90-
In this case, we use the dnstool.py script from from https://github.com/dirkjanm/krbrelayx<br><br>
93+
The *user19* account is a member of the DnsAdmins group in the MYLAB.LOCAL domain. As a member he can modify the A record for SRV2-MYLAB and change the IP 192.168.212.11 which is our attacker machine.
94+
Thee *dnstool.py* script from from https://github.com/dirkjanm/krbrelayx can be used for this purpose:<br><br>
9195
<img width="827" alt="image" src="https://github.com/user-attachments/assets/d66e4b5d-e1c6-472c-8b40-8951d969df3a">
9296
<br><br>
9397
On the attacker machine, we launch the relay/forwarder tool. SMB consoles will be launched in the background, starting from port 10000, and we will forward all traffic for WinRM, RPC Mapper, and Remote Desktop:<br><br>
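Review bot: the rewritten sentence at line 93 changes the meaning of the example: "change the IP 192.168.212.11 which is our attacker machine" reads as if 192.168.212.11 is the address being replaced, whereas the old line 89 said it is the attacker's address that the A record is pointed to. Suggest "As a member, they can modify the A record for SRV2-MYLAB so that it points to 192.168.212.11, our attacker machine." Line 94 also carries a typo ("Thee") and the duplicated "from from" inherited from the old line 90; suggest "The *dnstool.py* script from https://github.com/dirkjanm/krbrelayx can be used for this purpose:".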
@@ -114,7 +118,7 @@ From here, we can:
114118

115119
HTTP(s) ADCSRelay:
116120
==================
117-
In this case the Zone MYLAB.LOCAL has been configured with Unsecure Update. Anonymous users with network access can modify DNS records!!<br><br>
121+
In this case the Zone MYLAB.LOCAL has been configured with *Unsecure Updates*. Anonymous users with network access can modify DNS records!!<br><br>
118122
![image](https://github.com/user-attachments/assets/920947a6-aae3-47bd-83d7-91c1d05150f4)
119123

120124
<br><br>
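Review bot: line 121 italicizes *Unsecure Updates*, but that is not the name of the setting; in the Windows DNS zone properties the dynamic-update mode is labelled "Nonsecure and secure", so readers looking for the misconfiguration will not find "Unsecure Updates". Suggest "configured with dynamic updates set to *Nonsecure and secure*", and consider dropping the double exclamation mark at the end of the sentence.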
