krbjack: A Kerberos AP-REQ hijacking tool

KRBJack

This tool can be used to abuse the dangerous ZONE_UPDATE_UNSECURE flag on the main DNS domain zone of an Active Directory. When set, this flag allows anyone, unauthenticated, to update, add and remove DNS records anonymously. It is quite common to see it during engagements, as it is required to get some DHCP servers working with non-Windows systems so that they can update their own records. Even though this flag is extremely dangerous, I've never seen any tool to ease its exploitation. What I wanted to build is a means to perform man-in-the-middle based on this dangerous flag, grab credentials and use them directly to own systems or the entire Active Directory (though multiple tools can be used together to perform NTLM relay, for example).

The benefit of using this man-in-the-middle technique is that it goes through routers, as the "official" DNS records are poisoned. If proper routing is set (and if no firewall rule prevents it), someone on another broadcast domain can be targeted (unlike ARP poisoning, which only works on your own broadcast domain).

Moreover, I chose to perform fully functional AP_REQ hijacking to allow the compromise of systems using Kerberos instead of NetNTLM.
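As an added defender-side example (not part of krbjack), the following PowerShell audits which zones on a DNS server accept the unsecure dynamic updates described above; the server name in $DnsServer is a placeholder, and the script assumes the DnsServer RSAT module is available.

```powershell
# Added audit example, not krbjack's own code. Assumes it runs on a DC or on a
# host with the DnsServer RSAT module, against the DNS server named below.
$DnsServer = 'dc01.corp.example'   # placeholder, replace with your DNS server

Import-Module DnsServer

# Primary zones whose DynamicUpdate is 'NonsecureAndSecure' accept anonymous
# record changes, which is the condition the text above describes.
$risky = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and
        $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }

if (-not $risky) {
    Write-Output "No zone on $DnsServer allows unsecure dynamic updates."
} else {
    foreach ($zone in $risky) {
        Write-Output ("{0}: DynamicUpdate={1}, IsDsIntegrated={2}" -f `
            $zone.ZoneName, $zone.DynamicUpdate, $zone.IsDsIntegrated)
    }
    # Remediation: restrict each AD-integrated zone to secure (Kerberos-
    # authenticated) updates. Run it only after confirming nothing still
    # depends on unsecure updates (for example a non-Windows DHCP server
    # registering records on behalf of its clients).
    # $risky | Where-Object { $_.IsDsIntegrated } | ForEach-Object {
    #     Set-DnsServerPrimaryZone -ComputerName $DnsServer `
    #         -Name $_.ZoneName -DynamicUpdate Secure
    # }
}
```

Zones that are not AD-integrated cannot be set to Secure, so for those the choice is between NonsecureAndSecure and None.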

How does it work?

First, the man in the middle is put in place by changing the DNS records attached to your target. It abuses the DNS misconfiguration to say "hey, myLegitService is now at <attacker's IP>". This way, everyone trying to reach the legitimate service will reach you instead. The DNS records are also kept poisoned by checking regularly whether they have been set back to the right ones (a server or computer might have rebooted, or updated a record, while the attack was being performed).

In the meantime, the tool starts multithreaded TCP servers to mimic your target's TCP services. It starts to serve SMB, HTTP, or whatever service you state on the command line. It does so just like SSH port forwarding: when a client reaches the attacker's started services, krbjack initiates a connection to the true legitimate service on the same port, and forwards every packet from the legitimate client to the legitimate service. This way, a full man in the middle is performed both ways, which prevents traffic from being completely blocked.

While the man in the middle is performed, every single packet is inspected to find Kerberos AP_REQ packets (containing what's necessary to authenticate to services) or other authenticating packets. When such a packet/ticket is found to be sent from a client, it is used in real time to connect to the legitimate service on behalf of the legitimate client. This way krbjack can perform authenticated actions against the legitimate service. At the moment only SMB is supported, meaning that krbjack performs authenticated SMB actions at this point of the attack workflow. It then uses this authenticated channel to check whether the legitimate client was an administrator (it tries to list the ADMIN$ share, i.e. C:\Windows). If the client was an administrator, the man in the middle is stopped, the DNS records are fixed, and it then uses the very same authenticated channel to perform a full psexec.

Krbjack also modifies packets on the fly, depending on the protocol, to remove security flags when possible (the SMB "signing required" and "signing supported" flags, etc., though it is quite naive for the time being).

Install & Use