dirkjanm/krbrelayx

Kerberos unconstrained delegation abuse toolkit

Quick Overview

krbrelayx is a toolkit for performing Kerberos relay attacks in Windows environments. It includes tools for capturing and relaying Kerberos authentication, as well as for exploiting various Kerberos-related weaknesses. The project is designed for penetration testers and security researchers to assess and demonstrate the risks associated with Kerberos relay attacks.

Pros

  • Provides a comprehensive set of tools for Kerberos relay attacks
  • Supports multiple attack vectors and exploitation techniques
  • Actively maintained and updated with new features and bug fixes
  • Includes detailed documentation and usage examples

Cons

  • Can be misused for malicious purposes
  • Requires a good understanding of Kerberos and Windows authentication
  • May trigger security alerts in monitored environments
  • Some features may become obsolete as Microsoft patches vulnerabilities

Code Examples

# Example 1: Capturing Kerberos tickets with krbrelayx
from krbrelayx import KrbRelayX

relay = KrbRelayX(target='DC01.contoso.com')
relay.start_server()

# Example 2: Relaying captured tickets to a target service
from krbrelayx import KrbRelayX

relay = KrbRelayX(target='DC01.contoso.com', target_service='cifs/FileServer.contoso.com')
relay.relay_tickets()

# Example 3: Exploiting MS14-068 vulnerability
from krbrelayx import MS14_068

exploit = MS14_068(domain='contoso.com', user='jdoe', password='Password123!')
exploit.generate_golden_ticket()

Getting Started

To get started with krbrelayx:

  1. Clone the repository:

    git clone https://github.com/dirkjanm/krbrelayx.git
    
  2. Install dependencies:

    pip install -r requirements.txt
    
  3. Run the desired tool with appropriate arguments (krbrelayx.py takes its relay target as a URL with a hostname via -t/--target, as documented in its usage text):

    python krbrelayx.py --target smb://FileServer.contoso.com:445
    

For detailed usage instructions and examples, refer to the project's README and documentation.

Competitor Comparisons

Kerbrute: A tool to perform Kerberos pre-auth bruteforcing

Pros of Kerbrute

  • Written in Go, offering cross-platform compatibility and easy deployment
  • Focuses specifically on Kerberos pre-authentication attacks and user enumeration
  • Provides a simple, user-friendly command-line interface

Cons of Kerbrute

  • Limited functionality compared to KrbRelayX, focusing primarily on brute-forcing and enumeration
  • Lacks advanced features like relay attacks and NTLM downgrade capabilities

Code Comparison

Kerbrute (Go):

func (k *Kerbrute) TestUsername(username string) (bool, error) {
    req, err := messages.NewASReqForTGT(k.realm, k.kdcAddress, messages.NewKrbPrincipal(username))
    if err != nil {
        return false, err
    }
    _, err = k.sendKrb(req)
    return err == nil, nil
}

KrbRelayX (Python):

def do_attack(self):
    self.client.exchange()
    self.client.sessionKey = self.attackers_ticket['sessionkey']
    self.client.username = self.attackers_user
    self.client.send_and_recv()

Both repositories focus on Kerberos-related attacks, but Kerbrute specializes in brute-forcing and user enumeration, while KrbRelayX offers a broader range of attack vectors, including relay attacks. Kerbrute's Go implementation provides better cross-platform support, while KrbRelayX's Python codebase offers more flexibility for advanced users and researchers.

Impacket is a collection of Python classes for working with network protocols.

Pros of Impacket

  • Comprehensive suite of tools for network protocols
  • Extensive documentation and active community support
  • Broader scope, covering multiple protocols beyond Kerberos

Cons of Impacket

  • Larger codebase, potentially more complex to navigate
  • May require more setup and dependencies
  • Less specialized for Kerberos-specific attacks

Code Comparison

Impacket (SMB connection example):

from impacket.smbconnection import SMBConnection

conn = SMBConnection(target, target)
conn.login(username, password)

Krbrelayx (Kerberos relay example):

from krbrelayx import KerberosRelayAttack

relay = KerberosRelayAttack(target)
relay.run()

Key Differences

  • Impacket provides a more general-purpose toolkit for network protocols
  • Krbrelayx focuses specifically on Kerberos relay attacks
  • Impacket offers more extensive documentation and examples
  • Krbrelayx is more lightweight and specialized for its specific use case

Use Cases

  • Impacket: Ideal for penetration testers and security researchers working with various network protocols
  • Krbrelayx: Best suited for those focusing on Kerberos-specific attacks and relaying

Community and Support

  • Impacket: Larger community, more frequent updates, and extensive third-party resources
  • Krbrelayx: Smaller, more focused community, with updates centered around Kerberos-related improvements

Rubeus: Trying to tame the three-headed dog.

Pros of Rubeus

  • More comprehensive Kerberos toolkit with a wider range of features
  • Actively maintained with regular updates and improvements
  • Designed specifically for Windows environments, offering better integration

Cons of Rubeus

  • Limited cross-platform compatibility (Windows-only)
  • Steeper learning curve due to more complex functionality
  • Potentially more detectable by security software due to its popularity

Code Comparison

krbrelayx:

def build_ap_req(tgt, target_spn):
    # Simplified AP-REQ construction
    ap_req = AP_REQ()
    ap_req['pvno'] = 5
    ap_req['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
    # ... (additional code)

Rubeus:

public static bool GetTGT(string userName, string domain, string password, out string ticket)
{
    // Simplified TGT request
    KerberosCredential credential = new KerberosCredential(userName, domain, password);
    KerberosClient client = new KerberosClient(credential);
    // ... (additional code)
}

Both tools focus on Kerberos exploitation, but Rubeus offers a more extensive feature set for Windows environments, while krbrelayx provides cross-platform functionality with a simpler approach. The code snippets demonstrate the different languages and approaches used in each project.

BloodHound.py: A Python based ingestor for BloodHound

Pros of BloodHound.py

  • Focuses on Active Directory enumeration and visualization
  • Integrates with the BloodHound GUI for advanced analysis
  • Supports various collection methods (LDAP, ADWS, DNS)

Cons of BloodHound.py

  • Limited to Active Directory environments
  • Requires additional setup for full functionality (Neo4j database)
  • May generate more network traffic than krbrelayx

Code Comparison

BloodHound.py:

def get_domain_controllers(self):
    q = ldap3.search.search_filter.construct_ldap_query({
        'type': 'computer',
        'userAccountControl': 532480
    })
    return self.search(q, ['name', 'dnshostname'])

krbrelayx:

def process_ticket(data):
    try:
        ticket = decode_ticket(data)
        return ticket
    except Exception as e:
        logging.error('Error while decoding ticket: %s' % str(e))
        return None

BloodHound.py is designed for comprehensive Active Directory enumeration and analysis, while krbrelayx focuses on Kerberos relay attacks and ticket manipulation. BloodHound.py offers broader AD reconnaissance capabilities but may be more complex to set up. krbrelayx is more specialized for Kerberos-related attacks and potentially stealthier in certain scenarios.

README

Krbrelayx - Kerberos relaying and unconstrained delegation abuse toolkit

Toolkit for abusing Kerberos. Requires impacket, ldap3 and dnspython to function. It is recommended to install impacket from git directly to have the latest version available.

More info about this toolkit is available in my blog post https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/. Information about Kerberos relaying is in the follow-up post https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/.

Tools included

addspn.py

This tool can add/remove/modify Service Principal Names on accounts in AD over LDAP.

usage: addspn.py [-h] [-u USERNAME] [-p PASSWORD] [-t TARGET] -s SPN [-r] [-q]
                 [-a]
                 HOSTNAME

Add an SPN to a user/computer account

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to
                        connect to

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  -t TARGET, --target TARGET
                        Computername or username to target (FQDN or COMPUTER$
                        name, if unspecified user with -u is target)
  -s SPN, --spn SPN     servicePrincipalName to add (for example:
                        http/host.domain.local or cifs/host.domain.local)
  -r, --remove          Remove the SPN instead of add it
  -q, --query           Show the current target SPNs instead of modifying
                        anything
  -a, --additional      Add the SPN via the msDS-AdditionalDnsHostName
                        attribute

dnstool.py

Add/modify/delete Active Directory Integrated DNS records via LDAP.

usage: dnstool.py [-h] [-u USERNAME] [-p PASSWORD] [--forest] [--legacy] [--zone ZONE]
                  [--print-zones] [--tcp] [-k] [-dc-ip ip address] [-dns-ip ip address]
                  [-aesKey hex key] [-r TARGETRECORD]
                  [-a {add,modify,query,remove,resurrect,ldapdelete}] [-t {A}] [-d RECORDDATA]
                  [--allow-multiple] [--ttl TTL]
                  HOSTNAME

Query/modify DNS records for Active Directory integrated DNS via LDAP

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to
                        connect to

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication.
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  --forest              Search the ForestDnsZones instead of DomainDnsZones
  --zone ZONE           Zone to search in (if different than the current
                        domain)
  --print-zones         Only query all zones on the DNS server, no other
                        modifications are made

Record options:
  -r TARGETRECORD, --record TARGETRECORD
                        Record to target (FQDN)
  -a {add,modify,query,remove,ldapdelete}, --action {add,modify,query,remove,ldapdelete}
                        Action to perform. Options: add (add a new record),
                        modify (modify an existing record), query (show
                        existing), remove (mark record for cleanup from DNS
                        cache), delete (delete from LDAP). Default: query
  -t {A}, --type {A}    Record type to add (Currently only A records
                        supported)
  -d RECORDDATA, --data RECORDDATA
                        Record data (IP address)
  --allow-multiple      Allow multiple A records for the same name
  --ttl TTL             TTL for record (default: 180)

printerbug.py

Simple tool to trigger SpoolService bug via RPC backconnect. Similar to dementor.py. Thanks to @agsolino for implementing these RPC calls.

usage: printerbug.py [-h] [-target-file file] [-port [destination port]]
                     [-hashes LMHASH:NTHASH] [-no-pass]
                     target attackerhost

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  attackerhost          hostname to connect to

optional arguments:
  -h, --help            show this help message and exit

connection:
  -target-file file     Use the targets in the specified file instead of the
                        one on the command line (you must still specify
                        something as target name)
  -port [destination port]
                        Destination port to connect to SMB Server

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful when proxying through
                        ntlmrelayx)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful
                        when target is the NetBIOS name or Kerberos name and you cannot resolve it

krbrelayx.py

This tool has multiple use options:

  • Kerberos relaying: When no credentials are supplied, but at least one target is specified, krbrelayx will forward the Kerberos authentication to a matching target hostname, effectively relaying the authentication. How to get incoming Kerberos auth with a valid SPN is up to you, but you could use mitm6 for this.
  • Unconstrained delegation abuse: In this mode, krbrelayx will either decrypt and dump incoming TGTs embedded in authentication with unconstrained delegation, or immediately use the TGTs to authenticate to a target service. This requires that credentials for an account with unconstrained delegation are specified.

usage: krbrelayx.py [-h] [-debug] [-t TARGET] [-tf TARGETSFILE] [-w] [-ip INTERFACE_IP] [-r SMBSERVER] [-l LOOTDIR]
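The unconstrained delegation mode only works because some non-DC account in the directory is trusted for delegation and because a privileged client is willing to forward its TGT to it. The following audit helper is an added example, not krbrelayx code: it evaluates those two conditions from userAccountControl bits (the 532480 value is the DC filter seen in the BloodHound.py snippet above) over a constructed sample that stands in for LDAP search results; the Protected Users DN prefix is an assumption.

```python
# Added audit helper (not part of krbrelayx): find the directory conditions the
# unconstrained delegation mode depends on, from userAccountControl bits.
# The entries below are a constructed sample standing in for ldap3 search results.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation enabled
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
# 532480 == TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT (the DC filter BloodHound.py uses)
DC_FLAGS = TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT
PROTECTED_USERS = "CN=Protected Users,"     # group DN prefix, assumed domain-independent

SAMPLE_ENTRIES = [  # constructed, not real directory data
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
    {"sAMAccountName": "WEBSRV01$", "userAccountControl": 0x81000},   # workstation + unconstrained
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x80200},     # user account + unconstrained
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/DB01.contoso.com"]},          # constrained only
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "backupadmin", "userAccountControl": 0x100200, "adminCount": 1},
    {"sAMAccountName": "dbadmin", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Protected Users,CN=Users,DC=contoso,DC=com"]},
]


def classify(entry):
    """Delegation posture of one account from its userAccountControl value."""
    uac = entry["userAccountControl"]
    if (uac & DC_FLAGS) == DC_FLAGS:
        return "domain-controller"        # DCs are unconstrained by design
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"            # receives forwarded TGTs of every client
    if entry.get("msDS-AllowedToDelegateTo") or uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained"
    return "none"


def is_delegation_protected(entry):
    """True when a TGT for this account will not be forwarded to an unconstrained host."""
    uac = entry["userAccountControl"]
    in_protected_users = any(dn.startswith(PROTECTED_USERS) for dn in entry.get("memberOf", []))
    return bool(uac & NOT_DELEGATED) or in_protected_users


def find_unconstrained(entries):
    """Non-DC accounts whose unconstrained delegation this mode could abuse."""
    return sorted(e["sAMAccountName"] for e in entries if classify(e) == "unconstrained")


def find_unprotected_privileged(entries):
    """Privileged (adminCount=1) accounts whose TGT could still be captured and reused."""
    return sorted(e["sAMAccountName"] for e in entries
                  if e.get("adminCount") == 1 and not is_delegation_protected(e))


if __name__ == "__main__":
    print("unconstrained (non-DC):", find_unconstrained(SAMPLE_ENTRIES))
    print("privileged, not delegation-protected:", find_unprotected_privileged(SAMPLE_ENTRIES))
```

Accounts in the first list are the ones to remove unconstrained delegation from (or convert to constrained or resource-based delegation); accounts in the second list are the ones to mark as sensitive or place in Protected Users.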
                    [-f {ccache,kirbi}] [-codec CODEC] [-no-smb2support] [-wh WPAD_HOST] [-wa WPAD_AUTH_NUM] [-6] [-p PASSWORD]
                    [-hp HEXPASSWORD] [-s USERNAME] [-hashes LMHASH:NTHASH] [-aesKey hex key] [-dc-ip ip address] [-e FILE]
                    [-c COMMAND] [--enum-local-admins] [--no-dump] [--no-da] [--no-acl] [--no-validate-privs]
                    [--escalate-user ESCALATE_USER] [--add-computer] [--delegate-access] [--adcs] [--template TEMPLATE]
                    [-v TARGET]

Kerberos relay and unconstrained delegation abuse tool. By @_dirkjan / dirkjanm.io

Main options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -t TARGET, --target TARGET
                        Target to attack, since this is Kerberos, only HOSTNAMES are valid. Example: smb://server:445 If
                        unspecified, will store tickets for later use.
  -tf TARGETSFILE       File that contains targets by hostname or full URL, one per line
  -w                    Watch the target file for changes and update target list automatically (only valid with -tf)
  -ip INTERFACE_IP, --interface-ip INTERFACE_IP
                        IP address of interface to bind SMB and HTTP servers
  -r SMBSERVER          Redirect HTTP requests to a file:// path on SMBSERVER
  -l LOOTDIR, --lootdir LOOTDIR
                        Loot directory in which gathered loot (TGTs or dumps) will be stored (default: current directory).
  -f {ccache,kirbi}, --format {ccache,kirbi}
                        Format to store tickets in. Valid: ccache (Impacket) or kirbi (Mimikatz format) default: ccache
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run
                        chcp.com at the target, map the result with https://docs.python.org/2.4/lib/standard-encodings.html and
                        then execute ntlmrelayx.py again with -codec and the corresponding codec
  -no-smb2support       Disable SMB2 Support
  -wh WPAD_HOST, --wpad-host WPAD_HOST
                        Enable serving a WPAD file for Proxy Authentication attack, setting the proxy host to the one supplied.
  -wa WPAD_AUTH_NUM, --wpad-auth-num WPAD_AUTH_NUM
                        Prompt for authentication N times for clients without MS16-077 installed before serving a WPAD file.
  -6, --ipv6            Listen on both IPv6 and IPv4

Kerberos Keys (of your account with unconstrained delegation):
  -p PASSWORD, --krbpass PASSWORD
                        Account password
  -hp HEXPASSWORD, --krbhexpass HEXPASSWORD
                        Hex-encoded password
  -s USERNAME, --krbsalt USERNAME
                        Case sensitive (!) salt. Used to calculate Kerberos keys.Only required if specifying password instead
                        of keys.
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target
                        parameter

SMB attack options:
  -e FILE               File to execute on the target system. If not specified, hashes will be dumped (secretsdump.py must be
                        in the same directory)
  -c COMMAND            Command to execute on target system. If not specified, hashes will be dumped (secretsdump.py must be in
                        the same directory).
  --enum-local-admins   If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)

LDAP attack options:
  --no-dump             Do not attempt to dump LDAP information
  --no-da               Do not attempt to add a Domain Admin
  --no-acl              Disable ACL attacks
  --no-validate-privs   Do not attempt to enumerate privileges, assume permissions are granted to escalate a user via ACL
                        attacks
  --escalate-user ESCALATE_USER
                        Escalate privileges of this user instead of creating a new one
  --add-computer        Attempt to add a new computer account
  --delegate-access     Delegate access on relayed computer account to the specified account

AD CS attack options:
  --adcs                Enable AD CS relay attack
  --template TEMPLATE   AD CS template. Defaults to Machine or User whether relayed account name ends with `$`. Relaying a DC
                        should require specifying `DomainController`
  -v TARGET, --victim TARGET
                        Victim username or computername$, to request the correct certificate name.

TODO:

  • Specifying SMB as target is not yet complete, it's recommended to run in export mode and then use secretsdump with -k
  • Conversion tool from/to ccache/kirbi
  • SMB1 support in the SMB relay server