RemoteKrbRelay: Advanced Kerberos Relay Framework
Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework
Details
Now, you have four folders in front of you:
- Checker – old version of the checker for detecting vulnerable DCOM objects;
- Checkerv2.0 – new version of the checker for detecting vulnerable DCOM objects;
- Exploit – RemoteKrbRelay.exe 🙂
- FindAvailablePort – a tool for bypassing a firewall when using an exploit.
Checker
So, let’s start with Checker. You can use it to detect vulnerable DCOM objects. A DCOM object can be considered vulnerable when:
- The COM server within which the DCOM object is running must be run as another user or as SYSTEM, but never as NT AUTHORITY\LOCAL SERVICE, since that account uses empty credentials to authenticate from the network;
- You must have RemoteLaunch and RemoteActivation permissions (these are the LaunchPermissions);
- The impersonation level should be RPC_C_IMP_LEVEL_IDENTIFY or higher (RPC_C_IMP_LEVEL_IDENTIFY is the default value);
- You should have RemoteAccess permissions, or they should be empty (this is the AccessPermission).
For easy detection, you can use Checkerv2.0. It supports output in csv and xlsx formats.
FindAvailablePort
A small tool to discover a port on which to raise a malicious DCOM server. See details here (Remote -> Local Potato).
Practice using the concept of a local port: rewrite RemotePotato0 to use a local port. Trust me, this is useful.
Exploit
I added quite a bit of different functionality to the exploit. Note that it provides enough functionality to abuse DCOM objects. I’ve also listed a few CLSIDs in Help for abuse. These CLSIDs were publicly known, there just wasn’t a POC to abuse them. There are quite a few vulnerable DCOM objects, work with the checker and find them all!