KrbRelayEx-RPC: Kerberos Relay and Forwarder for (Fake) RPC/DCOM MiTM Server
KrbRelayEx-RPC is a tool similar to my KrbRelayEx, designed for performing Man-in-the-Middle (MitM) attacks by relaying Kerberos AP-REQ tickets.
This version implements a fake RPC/DCOM server:
- Listens for authenticated ISystemActivator requests and extracts the AP-REQ tickets
- Extracts dynamic port bindings from EPMAPPER/OXID resolutions
- Relays the AP-REQ to access SMB shares or HTTP ADCS (Active Directory Certificate Services) on behalf of the victim
- Forwards the victim's requests dynamically and transparently to the real destination RPC/DCOM application, so the victim is unaware that their requests are being intercepted and relayed
Beyond DnsAdmins
Manipulating DNS entries isn't exclusive to the DnsAdmins group. Other scenarios can also enable such attacks, such as:
- DNS zones with insecure updates enabled
- Controlling HOSTS file entries on client machines
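To audit the preconditions this section lists from the defender's side (DnsAdmins membership, zones accepting insecure dynamic updates, and local HOSTS overrides), here is an added PowerShell example. It is not part of KrbRelayEx-RPC; it assumes it is run on a domain controller or DNS server where the DnsServer and ActiveDirectory modules (DNS Server role or RSAT) are installed, and the function names are my own.

```powershell
# Added example, not part of KrbRelayEx-RPC.
# Assumes the DnsServer and ActiveDirectory PowerShell modules are available.

function Get-InsecureDnsZones {
    # Zones with DynamicUpdate = NonsecureAndSecure accept updates from anyone
    # with network access; this is the "insecure updates" misconfiguration.
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
}

function Get-DnsAdminsMembers {
    # Every (nested) member of DnsAdmins can change DNS data; review this list regularly.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object Name, objectClass, distinguishedName
}

function Get-HostsFileOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Any non-comment, non-blank HOSTS line overrides DNS for the listed names.
    # On most managed hosts this list should be empty.
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object {
            $fields = ($_ -split '#')[0].Trim() -split '\s+'
            $names = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
            [pscustomobject]@{ Address = $fields[0]; Names = $names }
        }
}

# Usage: non-empty output from the first and third functions is a finding worth investigating.
Get-InsecureDnsZones   | Format-Table -AutoSize
Get-DnsAdminsMembers   | Format-Table -AutoSize
Get-HostsFileOverrides | Format-Table -AutoSize
```

For an AD-integrated zone flagged by the first function, the fix is to require secure updates only (Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure); HOSTS file changes on clients are best caught by file-integrity monitoring of the path above.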
Tool Goals
The goal of this tool was to test whether a Man-in-the-Middle (MitM) attack could be executed by exploiting DNS spoofing, traffic forwarding, and Kerberos relaying. This is particularly relevant because Kerberos authentication is commonly used when a resource is accessed via its hostname or fully qualified domain name (FQDN), making it a cornerstone of many corporate networks.
Building on this concept, I started from the great KrbRelay and developed this tool in .NET 8.0 to ensure compatibility across both Windows and GNU/Linux platforms.
Features
- Relay Kerberos AP-REQ tickets to access SMB shares or HTTP ADCS endpoints.
- Interactive or background multithreaded SMB consoles for managing multiple connections, enabling file manipulation and the creation/startup of services.
- Multithreaded port forwarding to forward additional client traffic to the original destination, such as RDP, HTTP(S), RPC Mapper, WinRM, and others.
- Transparent relaying process for seamless user access.
- Cross-platform compatibility with Windows and GNU/Linux via .NET 8.0 SDK.
Notes
- Relay and Forwarding Modes: KrbRelayEx intercepts and relays the first authentication attempt, then switches to forwarder mode for all subsequent incoming requests. You can press r at any time to restart relay mode.
- Scenarios for Exploitation:
  - Being a member of the DnsAdmins group.
  - Configuring DNS zones with Insecure Updates: This misconfiguration allows anonymous users with network access to perform DNS Updates and potentially take over the domain!
  - Abusing HOSTS files for hostname spoofing: By modifying HOSTS file entries on client machines, attackers can redirect hostname or FQDN-based traffic to an arbitrary IP address.
- Background Consoles: These are ideal for managing multiple SMB consoles simultaneously.