RemoteKrbRelay: Advanced Kerberos Relay Framework
Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework
Details
Now, you have four folders in front of you:
- Checker – old version of the checker for detecting vulnerable DCOM objects;
- Checkerv2.0 – new version of the checker for detecting vulnerable DCOM objects;
- Exploit – RemoteKrbRelay.exe 🙂
- FindAvailablePort – a tool for bypassing a firewall when using an exploit.
Checker
So, let’s start with Checker. You can use it to detect vulnerable DCOM objects. A DCOM object can be considered vulnerable when:
- The COM server within which the DCOM object is running must run as another user or as SYSTEM, but never as `NT AUTHORITY\LOCAL SERVICE`, since that account uses empty credentials to authenticate from the network;
- You must have `RemoteLaunch` and `RemoteActivation` permissions. This is LaunchPermissions;
- The impersonation level should be `RPC_C_IMP_LEVEL_IDENTIFY` or higher. `RPC_C_IMP_LEVEL_IDENTIFY` is the default value;
- You should have `RemoteAccess` permissions (or they should be empty). This is AccessPermission.
For easy detection, you can use Checkerv2.0. It supports output in csv and xlsx formats.
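The same criteria can be turned into a hardening audit of a host's own DCOM configuration. The script below is an added example, not code from RemoteKrbRelay or its Checker; it assumes an elevated PowerShell session, reads the per-AppID registry values (`RunAs`, `LocalService`, `LaunchPermission`, `AccessPermission`, `AuthenticationLevel`), and decodes the security descriptors using the documented COM access-right bits so an administrator can see which objects run as a fixed account and grant remote launch or activation, and tighten them in Component Services.

```powershell
# Added hardening-audit example, not part of RemoteKrbRelay or its Checker.
# Lists DCOM AppIDs whose registry configuration matches the README's criteria
# (server runs as a fixed account or SYSTEM, and remote launch/activation is granted).
# Assumptions: run elevated; AppIDs without an explicit LaunchPermission/AccessPermission
# use the machine-wide defaults under HKLM:\SOFTWARE\Microsoft\Ole and are shown as "default".
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

function Get-RemoteGrantees {
    param([byte[]]$SecurityDescriptor)
    if (-not $SecurityDescriptor) { return 'default' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($SecurityDescriptor, 0)
    if (-not $sd.DiscretionaryAcl) { return 'everyone (null DACL)' }
    $grantees = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $mask = $ace.AccessMask
        # An ACE with only COM_RIGHTS_EXECUTE set (old-style) grants local and remote rights.
        $remote = (($mask -band ($COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)) -ne 0) -or
                  ((($mask -band $COM_RIGHTS_EXECUTE) -ne 0) -and (($mask -band 0x1E) -eq 0))
        if (-not $remote) { continue }
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }
    }
    if ($grantees) { $grantees -join '; ' } else { 'none' }
}

function Get-DcomAuditCandidates {
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Servers that run as the activator or the interactive user do not meet the first criterion.
        if ((-not $p.RunAs) -and (-not $p.LocalService)) { return }
        if ($p.RunAs -eq 'Interactive User') { return }
        [pscustomobject]@{
            AppID          = $_.PSChildName
            Name           = $p.'(default)'
            RunAs          = if ($p.RunAs) { $p.RunAs } else { "service: $($p.LocalService)" }
            RemoteLaunchTo = Get-RemoteGrantees $p.LaunchPermission
            RemoteAccessTo = Get-RemoteGrantees $p.AccessPermission
            AuthLevel      = $p.AuthenticationLevel
        }
    } | Where-Object { $_.RemoteLaunchTo -ne 'none' }
}

Get-DcomAuditCandidates | Sort-Object RunAs | Format-Table -AutoSize
```

Entries whose `RemoteLaunchTo` column lists broad groups such as Everyone or Authenticated Users while running as a fixed account are the ones to review first; removing the remote launch and activation rights for those groups in dcomcnfg takes the object out of the vulnerable set described above.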
FindAvailablePort
A small tool to discover a port on which to raise a malicious DCOM server. See details here (Remote -> Local Potato).
Practice using the concept of a local port. Rewrite RemotePotato0 to a local port. Trust me, this is useful.
Exploit
I added quite a bit of different functionality to the exploit. Note that it provides enough functionality to abuse DCOM objects. I’ve also listed a few CLSIDs in Help for abuse. These CLSIDs were publicly known; there just wasn’t a POC to abuse them. There are quite a few vulnerable DCOM objects, so work with the checker and find them all!