🎎 Krbrelayx – тулкит неограниченного злоупотребления делегированием Kerberos

Обзоры

Инструментарий для злоупотребления неограниченным делегированием.

Требуется Impacket и ldap3 для работы инструмента.

Рекомендуется установить Impacket непосредственно из git, чтобы была доступна последняя версия.

Скачать

git clone https://github.com/dirkjanm/krbrelayx.git

Включенные инструменты

addspn.py

Этот инструмент может добавлять / удалять / изменять принципалы kerberos в учетных записях в AD через LDAP.

usage: addspn.py [-h] [-u USERNAME] [-p PASSWORD] [-t TARGET] -s SPN [-r] [-q]
[-a]
HOSTNAME

Add an SPN to a user/computer account

Required options:
HOSTNAME Hostname/ip or ldap://host:port connection string to
connect to

Main options:
-h, --help show this help message and exit
-u USERNAME, --user USERNAME
DOMAIN\username for authentication
-p PASSWORD, --password PASSWORD
Password or LM:NTLM hash, will prompt if not specified
-t TARGET, --target TARGET
Computername or username to target (FQDN or COMPUTER$
name, if unspecified user with -u is target)
-s SPN, --spn SPN servicePrincipalName to add (for example:
http/host.domain.local or cifs/host.domain.local)
-r, --remove Remove the SPN instead of add it
-q, --query Show the current target SPNs instead of modifying
anything
-a, --additional Add the SPN via the msDS-AdditionalDnsHostName
attribute

dnstool.py

Добавить / изменить / удалить записи Active Directory интегрированные DNS через LDAP.

usage: dnstool.py [-h] [-u USERNAME] [-p PASSWORD] [--forest] [--zone ZONE]
[--print-zones] [-r TARGETRECORD]
[-a {add,modify,query,remove,ldapdelete}] [-t {A}]
[-d RECORDDATA] [--allow-multiple] [--ttl TTL]
HOSTNAME

Query/modify DNS records for Active Directory integrated DNS via LDAP

Required options:
HOSTNAME Hostname/ip or ldap://host:port connection string to
connect to

Main options:
-h, --help show this help message and exit
-u USERNAME, --user USERNAME
DOMAIN\username for authentication.
-p PASSWORD, --password PASSWORD
Password or LM:NTLM hash, will prompt if not specified
--forest Search the ForestDnsZones instead of DomainDnsZones
--zone ZONE Zone to search in (if different than the current
domain)
--print-zones Only query all zones on the DNS server, no other
modifications are made

Record options:
-r TARGETRECORD, --record TARGETRECORD
Record to target (FQDN)
-a {add,modify,query,remove,ldapdelete}, --action {add,modify,query,remove,ldapdelete}
Action to perform. Options: add (add a new record),
modify (modify an existing record), query (show
existing), remove (mark record for cleanup from DNS
cache), delete (delete from LDAP). Default: query
-t {A}, --type {A} Record type to add (Currently only A records
supported)
-d RECORDDATA, --data RECORDDATA
Record data (IP address)
--allow-multiple Allow multiple A records for the same name
--ttl TTL TTL for record (default: 180)

printerbug.py

Простой инструмент для запуска ошибки SpoolService через RPC-соединение.

Похож на dementor.py. Спасибо @agsolino за реализацию этих вызовов RPC.

usage: printerbug.py [-h] [-target-file file] [-port [destination port]]
[-hashes LMHASH:NTHASH] [-no-pass]
target attackerhost

positional arguments:
target [[domain/]username[:password]@]<targetName or address>
attackerhost hostname to connect to

optional arguments:
-h, --help show this help message and exit

connection:
-target-file file Use the targets in the specified file instead of the
one on the command line (you must still specify
something as target name)
-port [destination port]
Destination port to connect to SMB Server

authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful when proxying through
ntlmrelayx)

krbrelayx

При наличии учетной записи с неограниченными привилегиями делегирования, сбрасывайте Kerberos TGT пользователей, подключающихся к хостам, аналогично ntlmrelayx.

usage: krbrelayx.py [-h] [-debug] [-t TARGET] [-tf TARGETSFILE] [-w]
[-ip INTERFACE_IP] [-r SMBSERVER] [-l LOOTDIR]
[-f {ccache,kirbi}] [-codec CODEC] [-no-smb2support]
[-wh WPAD_HOST] [-wa WPAD_AUTH_NUM] [-6] [-p PASSWORD]
[-hp HEXPASSWORD] [-s USERNAME] [-hashes LMHASH:NTHASH]
[-aesKey hex key] [-dc-ip ip address] [-e FILE]
[-c COMMAND] [--enum-local-admins] [--no-dump] [--no-da]
[--no-acl] [--no-validate-privs]
[--escalate-user ESCALATE_USER]

Kerberos "relay" tool. Abuses accounts with unconstrained delegation to pwn
things.

Main options:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-t TARGET, --target TARGET
Target to attack, since this is Kerberos, only
HOSTNAMES are valid. Example: smb://server:445 If
unspecified, will store tickets for later use.
-tf TARGETSFILE File that contains targets by hostname or full URL,
one per line
-w Watch the target file for changes and update target
list automatically (only valid with -tf)
-ip INTERFACE_IP, --interface-ip INTERFACE_IP
IP address of interface to bind SMB and HTTP servers
-r SMBSERVER Redirect HTTP requests to a file:// path on SMBSERVER
-l LOOTDIR, --lootdir LOOTDIR
Loot directory in which gathered loot (TGTs or dumps)
will be stored (default: current directory).
-f {ccache,kirbi}, --format {ccache,kirbi}
Format to store tickets in. Valid: ccache (Impacket)
or kirbi (Mimikatz format) default: ccache
-codec CODEC Sets encoding used (codec) from the target's output
(default "ascii"). If errors are detected, run
chcp.com at the target, map the result with
https://docs.python.org/2.4/lib/standard-
encodings.html and then execute ntlmrelayx.py again
with -codec and the corresponding codec
-no-smb2support Disable SMB2 Support
-wh WPAD_HOST, --wpad-host WPAD_HOST
Enable serving a WPAD file for Proxy Authentication
attack, setting the proxy host to the one supplied.
-wa WPAD_AUTH_NUM, --wpad-auth-num WPAD_AUTH_NUM
Prompt for authentication N times for clients without
MS16-077 installed before serving a WPAD file.
-6, --ipv6 Listen on both IPv6 and IPv4

Kerberos Keys (of your account with unconstrained delegation):
-p PASSWORD, --krbpass PASSWORD
Account password
-hp HEXPASSWORD, --krbhexpass HEXPASSWORD
Hex-encoded password
-s USERNAME, --krbsalt USERNAME
Case sensitive (!) salt. Used to calculate Kerberos
keys.Only required if specifying password instead of
keys.
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256
bits)
-dc-ip ip address IP Address of the domain controller. If ommited it use
the domain part (FQDN) specified in the target
parameter

SMB attack options:
-e FILE File to execute on the target system. If not
specified, hashes will be dumped (secretsdump.py must
be in the same directory)
-c COMMAND Command to execute on target system. If not specified,
hashes will be dumped (secretsdump.py must be in the
same directory).
--enum-local-admins If relayed user is not admin, attempt SAMR lookup to
see who is (only works pre Win 10 Anniversary)

LDAP attack options:
--no-dump Do not attempt to dump LDAP information
--no-da Do not attempt to add a Domain Admin
--no-acl Disable ACL attacks
--no-validate-privs Do not attempt to enumerate privileges, assume
permissions are granted to escalate a user via ACL
attacks
--escalate-user ESCALATE_USER
Escalate privileges of this user instead of creating a
new one 

¯\_(ツ)_/¯

Примечание: Информация для исследования, обучения или проведения аудита. Применение в корыстных целях карается законодательством РФ.

Добавить комментарий