KrbRelayEx: Kerberos Relay and Forwarder for (Fake) SMB MiTM Server
KrbRelayEx
KrbRelayEx is a tool designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets. It listens for incoming SMB connections and forwards the AP-REQ to the target host, enabling access to SMB shares or HTTP ADCS (Active Directory Certificate Services) endpoints on behalf of the targeted identity.
Beyond DnsAdmins
Manipulating DNS entries is not exclusive to the DnsAdmins group. Other configurations also let an attacker point a hostname at a host they control, such as:
- DNS zones that accept nonsecure dynamic updates (the "Nonsecure and secure" setting on AD-integrated zones), where any client can add or delete records without authentication
- Write access to the HOSTS file on client machines
Tool Goals
The goal of this tool was to test whether a Man-in-the-Middle (MitM) attack could be executed by combining DNS spoofing, traffic forwarding, and Kerberos relaying. This is particularly relevant because Kerberos authentication is used when a resource is accessed via its hostname or fully qualified domain name (FQDN) rather than its IP address, which is the norm in corporate networks. The client requests a service ticket for the SPN built from that name (for example cifs/fileserver.corp.local) no matter which IP the name currently resolves to, so if the name is pointed at an attacker's host the client still obtains a valid ticket for the real server and hands it to the attacker in its AP-REQ, who can forward it unchanged.
Building on that concept, I started from the great KrbRelay framework and developed this tool in .NET 8.0 so that it runs on both Windows and GNU/Linux.
Features
- Relay Kerberos AP-REQ tickets to access SMB shares or HTTP ADCS endpoints.
- Interactive or background multithreaded SMB consoles for managing multiple connections, enabling file manipulation and the creation/startup of services.
- Multithreaded port forwarding to pass additional client traffic through to the original destination, such as RDP, HTTP(S), RPC Mapper, WinRM,…
- Transparent relaying, so the victim's own access to the resource continues uninterrupted.
- Cross-platform compatibility with Windows and GNU/Linux via .NET 8.0 SDK.