
Other: Kerberos Relay and Forwarder for (Fake) SMB MiTM Server

Focus17

KrbRelayEx is a tool designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets. It listens for incoming SMB connections and forwards the AP-REQ to the target host, enabling access to SMB shares or HTTP ADCS (Active Directory Certificate Services) endpoints on behalf of the targeted identity

Disclaimer

This tool is intended exclusively for legitimate testing and assessment purposes, such as penetration testing or security research, with proper authorization.
Any misuse of this tool for unauthorized or malicious activities is strictly prohibited and beyond my responsibility as the creator. By using this tool, you agree to comply with all applicable laws and regulations.


Why This Tool?

I created this tool to explore the potential misuse of privileges granted to the DnsAdmins group in Active Directory, focusing on their ability to modify DNS records. Members of this group are considered privileged users because they can make changes that impact how computers and services are located within a network. However, despite this level of access, there has been relatively little documentation (apart from CVE-2021-40469) explaining how these privileges might be exploited in practice.


Beyond DnsAdmins

Manipulating DNS entries isn’t exclusive to the DnsAdmins group. Other scenarios can also enable such attacks, such as:


  • DNS zones with insecure updates enabled
  • Controlling HOSTS file entries on client machines

Tool Goals

The goal of this tool was to test whether a Man-in-the-Middle (MitM) attack could be executed by exploiting DNS spoofing, traffic forwarding, and Kerberos relaying. This is particularly relevant because Kerberos authentication is commonly used when a resource is accessed via its hostname or fully qualified domain name (FQDN), making it a cornerstone of many corporate networks.


Building upon the concept, I started from the great KrbRelay framework and developed this tool in .NET 8.0 to ensure compatibility across both Windows and GNU/Linux platforms.




Features

  • Relay Kerberos AP-REQ tickets to access SMB shares or HTTP ADCS endpoints.
  • Interactive or background multithreaded SMB consoles for managing multiple connections, enabling file manipulation and the creation/startup of services.
  • Multithreaded port forwarding to forward additional client traffic to the original destination, such as RDP, HTTP(S), RPC Mapper, WinRM, ...
  • Transparent relaying process for seamless user access.
  • Cross-platform compatibility with Windows and GNU/Linux via .NET 8.0 SDK.



Notes

  • Relay and Forwarding Modes:
    KrbRelayEx intercepts and relays the first authentication attempt, then switches to forwarder mode for all subsequent incoming requests. You can press r anytime to restart relay mode.
  • Scenarios for Exploitation:
    • Being a member of the DnsAdmins group.
    • Configuring DNS zones with Insecure Updates: This misconfiguration allows anonymous users with network access to perform DNS Updates and potentially take over the domain!
    • Abusing HOSTS files for hostname spoofing: By modifying HOSTS file entries on client machines, attackers can redirect hostname or FQDN-based traffic to an arbitrary IP address.
  • Background Consoles:
    These are ideal for managing multiple SMB consoles simultaneously.


Link
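The Notes above list HOSTS-file tampering as one way to redirect hostname- or FQDN-based traffic (and thus Kerberos authentication) to an arbitrary IP. The following is an added defensive example, not code from the post or from the KrbRelayEx project: it parses a hosts file and flags any entry for a monitored AD domain whose address disagrees with an authoritative DNS export. The sample hosts content, the `corp.example` domain, and the `EXPECTED` mapping are constructed for the example; on a real Windows client the file lives at `C:\Windows\System32\drivers\etc\hosts`.

```python
"""Flag hosts-file entries that override names in monitored AD domains.

Added defensive example; sample data below is constructed, not captured
from any real machine.
"""
import ipaddress

# Constructed sample hosts file content for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for the example
10.0.0.5        fileserver.corp.example   # matches authoritative DNS
10.0.0.99       dc01.corp.example dc01    # DC name pointed at another host
192.168.1.20    adcs.corp.example         # ADCS name pointed at another host
"""

# Domain suffixes whose names should never be overridden locally (constructed).
MONITORED_SUFFIXES = ("corp.example",)

# Expected address per FQDN, e.g. from an authoritative zone export (constructed).
EXPECTED = {
    "fileserver.corp.example": "10.0.0.5",
    "dc01.corp.example": "10.0.0.10",
    "adcs.corp.example": "10.0.0.12",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Strips trailing comments, skips blank or malformed lines, and expands
    lines that map one address to several names.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises v4/v6 text
        except ValueError:
            continue  # first token is not an address; ignore the line
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def is_monitored(name, suffixes):
    """True if name is a monitored zone apex or lies beneath one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_spoofed_entries(text, monitored=MONITORED_SUFFIXES, expected=EXPECTED):
    """Return (hostname, ip, reason) for monitored names that disagree with DNS.

    A monitored FQDN with no authoritative record is reported too, since a
    local override for a name that DNS does not know is itself suspicious.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_monitored(name, monitored):
            continue
        want = expected.get(name)
        if want is None:
            findings.append((name, ip, "no authoritative record for this name"))
        elif want != ip:
            findings.append((name, ip, f"expected {want}"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in find_spoofed_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS hosts entry: {host} -> {ip} ({reason})")
```

Run against the constructed sample, the check reports the `dc01.corp.example` and `adcs.corp.example` overrides and stays quiet about `fileserver.corp.example`, which agrees with the expected record; the unqualified `dc01` alias is outside the monitored suffixes and is left alone. Feeding the real file through the same function, with `EXPECTED` populated from the zone, turns the HOSTS scenario in the Notes into a periodic endpoint check.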