GitHub: dirkjanm/krbrelayx
A penetration-testing toolkit for Active Directory, mainly used to abuse Kerberos authentication relaying and unconstrained delegation for privilege escalation and lateral movement.
Stars: 1567 | Forks: 229
# Krbrelayx - Kerberos relaying and unconstrained delegation abuse toolkit
Toolkit for abusing Kerberos.
Requires [impacket](https://github.com/SecureAuthCorp/impacket), [ldap3](https://github.com/cannatag/ldap3) and dnspython to run.
Installing impacket directly from git is recommended to get the latest version.
For more information about this toolkit, see my blog post. For information about Kerberos relaying, see the follow-up blog post.
# Included tools
## addspn.py
This tool can add/remove/modify Service Principal Names (SPNs) on AD accounts via LDAP.
```
usage: addspn.py [-h] [-u USERNAME] [-p PASSWORD] [-t TARGET] -s SPN [-r] [-q]
                 [-a]
                 HOSTNAME

Add an SPN to a user/computer account

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to
                        connect to

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  -t TARGET, --target TARGET
                        Computername or username to target (FQDN or COMPUTER$
                        name, if unspecified user with -u is target)
  -s SPN, --spn SPN     servicePrincipalName to add (for example:
                        http/host.domain.local or cifs/host.domain.local)
  -r, --remove          Remove the SPN instead of add it
  -q, --query           Show the current target SPNs instead of modifying
                        anything
  -a, --additional      Add the SPN via the msDS-AdditionalDnsHostName
                        attribute
```
## dnstool.py
Add/modify/delete Active Directory integrated DNS records via LDAP.
```
usage: dnstool.py [-h] [-u USERNAME] [-p PASSWORD] [--forest] [--legacy] [--zone ZONE]
                  [--print-zones] [--tcp] [-k] [-dc-ip ip address] [-dns-ip ip address]
                  [-aesKey hex key] [-r TARGETRECORD]
                  [-a {add,modify,query,remove,resurrect,ldapdelete}] [-t {A}] [-d RECORDDATA]
                  [--allow-multiple] [--ttl TTL]
                  HOSTNAME

Query/modify DNS records for Active Directory integrated DNS via LDAP

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to
                        connect to

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication.
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  --forest              Search the ForestDnsZones instead of DomainDnsZones
  --zone ZONE           Zone to search in (if different than the current
                        domain)
  --print-zones         Only query all zones on the DNS server, no other
                        modifications are made

Record options:
  -r TARGETRECORD, --record TARGETRECORD
                        Record to target (FQDN)
  -a {add,modify,query,remove,ldapdelete}, --action {add,modify,query,remove,ldapdelete}
                        Action to perform. Options: add (add a new record),
                        modify (modify an existing record), query (show
                        existing), remove (mark record for cleanup from DNS
                        cache), delete (delete from LDAP). Default: query
  -t {A}, --type {A}    Record type to add (Currently only A records
                        supported)
  -d RECORDDATA, --data RECORDDATA
                        Record data (IP address)
  --allow-multiple      Allow multiple A records for the same name
  --ttl TTL             TTL for record (default: 180)
```
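Records in AD-integrated DNS live in the `dnsRecord` attribute of each `dnsNode` object, so auditing a zone for unexpected or tombstoned entries means decoding that binary value. The following decoder/encoder is an added example, not code from krbrelayx; it follows the DNS_RPC_RECORD layout from MS-DNSP (24-byte header, big-endian TTL, type 0 for a tombstone, type 1 for an A record) and uses constructed sample blobs.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# dnsRecord layout (MS-DNSP DNS_RPC_RECORD): 24-byte header followed by Data.
DNS_TYPE_ZERO = 0   # tombstoned record; Data holds an 8-byte EntombedTime
DNS_TYPE_A = 1
RANK_ZONE = 0xF0    # rank used for authoritative zone records
_HEADER = struct.Struct('<HHBBHL')   # DataLength, Type, Version, Rank, Flags, Serial
_TTL = struct.Struct('>L')           # TtlSeconds is stored in network byte order
_TAIL = struct.Struct('<LL')         # Reserved, TimeStamp
HEADER_LEN = _HEADER.size + _TTL.size + _TAIL.size  # 24


@dataclass
class DnsRecord:
    rtype: int
    rank: int
    serial: int
    ttl: int
    address: Optional[ipaddress.IPv4Address]  # set only for A records
    tombstoned: bool


def parse_dns_record(blob: bytes) -> DnsRecord:
    """Decode one dnsRecord value; raises ValueError on malformed input."""
    if len(blob) < HEADER_LEN:
        raise ValueError('dnsRecord shorter than the 24-byte header')
    datalen, rtype, version, rank, _flags, serial = _HEADER.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HEADER.size)
    data = blob[HEADER_LEN:]
    if version != 5 or datalen != len(data):
        raise ValueError('unexpected Version or DataLength does not match payload')
    address = None
    if rtype == DNS_TYPE_A:
        if datalen != 4:
            raise ValueError('A record Data must be exactly 4 bytes')
        address = ipaddress.IPv4Address(data)
    return DnsRecord(rtype, rank, serial, ttl, address, rtype == DNS_TYPE_ZERO)


def build_a_record(ip: str, serial: int, ttl: int = 180) -> bytes:
    """Encode an A record as stored in dnsRecord (TTL default matches dnstool.py)."""
    data = ipaddress.IPv4Address(ip).packed
    return (_HEADER.pack(len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, 0) + data)


# Constructed sample: a tombstoned (type 0) record with a zeroed EntombedTime.
SAMPLE_TOMBSTONE = bytes.fromhex(
    '0800000005f0000007000000000000b4' '0000000000000000' '0000000000000000')
```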
## printerbug.py
Simple tool that triggers the SpoolService bug via an RPC back-connect. Similar to [dementor.py](https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc). Thanks to @agsolino for implementing these RPC calls.
```
usage: printerbug.py [-h] [-target-file file] [-port [destination port]]
                     [-hashes LMHASH:NTHASH] [-no-pass]
                     target attackerhost

positional arguments:
  target                [[domain/]username[:password]@]
  attackerhost          hostname to connect to

optional arguments:
  -h, --help            show this help message and exit

connection:
  -target-file file     Use the targets in the specified file instead of the
                        one on the command line (you must still specify
                        something as target name)
  -port [destination port]
                        Destination port to connect to SMB Server

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful when proxying through
                        ntlmrelayx)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the ones specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful
                        when target is the NetBIOS name or Kerberos name and you cannot resolve it
```
## krbrelayx.py
This tool has several usage options:
* **Kerberos relaying**: when no credentials are supplied but at least one target is specified, krbrelayx forwards Kerberos authentication to a matching target hostname, effectively relaying the authentication. Obtaining incoming Kerberos authentication with a valid SPN is up to you, but mitm6 can be used for this.
* **Unconstrained delegation abuse**: in this mode krbrelayx decrypts and dumps the incoming TGTs embedded in authentication with unconstrained delegation, or uses the TGT immediately to authenticate to a target service. This requires specifying the credentials of an account that has unconstrained delegation.
```
usage: krbrelayx.py [-h] [-debug] [-t TARGET] [-tf TARGETSFILE] [-w] [-ip INTERFACE_IP] [-r SMBSERVER] [-l LOOTDIR]
                    [-f {ccache,kirbi}] [-codec CODEC] [-no-smb2support] [-wh WPAD_HOST] [-wa WPAD_AUTH_NUM] [-6] [-p PASSWORD]
                    [-hp HEXPASSWORD] [-s USERNAME] [-hashes LMHASH:NTHASH] [-aesKey hex key] [-dc-ip ip address] [-e FILE]
                    [-c COMMAND] [--enum-local-admins] [--no-dump] [--no-da] [--no-acl] [--no-validate-privs]
                    [--escalate-user ESCALATE_USER] [--add-computer] [--delegate-access] [--adcs] [--template TEMPLATE]
                    [-v TARGET]

Kerberos relay and unconstrained delegation abuse tool. By @_dirkjan / dirkjanm.io

Main options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -t TARGET, --target TARGET
                        Target to attack, since this is Kerberos, only HOSTNAMES are valid. Example: smb://server:445 If
                        unspecified, will store tickets for later use.
  -tf TARGETSFILE       File that contains targets by hostname or full URL, one per line
  -w                    Watch the target file for changes and update target list automatically (only valid with -tf)
  -ip INTERFACE_IP, --interface-ip INTERFACE_IP
                        IP address of interface to bind SMB and HTTP servers
  -r SMBSERVER          Redirect HTTP requests to a file:// path on SMBSERVER
  -l LOOTDIR, --lootdir LOOTDIR
                        Loot directory in which gathered loot (TGTs or dumps) will be stored (default: current directory).
  -f {ccache,kirbi}, --format {ccache,kirbi}
                        Format to store tickets in. Valid: ccache (Impacket) or kirbi (Mimikatz format) default: ccache
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run
                        chcp.com at the target, map the result with https://docs.python.org/2.4/lib/standard-encodings.html and
                        then execute ntlmrelayx.py again with -codec and the corresponding codec
  -no-smb2support       Disable SMB2 Support
  -wh WPAD_HOST, --wpad-host WPAD_HOST
                        Enable serving a WPAD file for Proxy Authentication attack, setting the proxy host to the one supplied.
  -wa WPAD_AUTH_NUM, --wpad-auth-num WPAD_AUTH_NUM
                        Prompt for authentication N times for clients without MS16-077 installed before serving a WPAD file.
  -6, --ipv6            Listen on both IPv6 and IPv4

Kerberos Keys (of your account with unconstrained delegation):
  -p PASSWORD, --krbpass PASSWORD
                        Account password
  -hp HEXPASSWORD, --krbhexpass HEXPASSWORD
                        Hex-encoded password
  -s USERNAME, --krbsalt USERNAME
                        Case sensitive (!) salt. Used to calculate Kerberos keys.Only required if specifying password instead
                        of keys.
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target
                        parameter

SMB attack options:
  -e FILE               File to execute on the target system. If not specified, hashes will be dumped (secretsdump.py must be
                        in the same directory)
  -c COMMAND            Command to execute on target system. If not specified, hashes will be dumped (secretsdump.py must be in
                        the same directory).
  --enum-local-admins   If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)

LDAP attack options:
  --no-dump             Do not attempt to dump LDAP information
  --no-da               Do not attempt to add a Domain Admin
  --no-acl              Disable ACL attacks
  --no-validate-privs   Do not attempt to enumerate privileges, assume permissions are granted to escalate a user via ACL
                        attacks
  --escalate-user ESCALATE_USER
                        Escalate privileges of this user instead of creating a new one
  --add-computer        Attempt to add a new computer account
  --delegate-access     Delegate access on relayed computer account to the specified account

AD CS attack options:
  --adcs                Enable AD CS relay attack
  --template TEMPLATE   AD CS template. Defaults to Machine or User whether relayed account name ends with `$`. Relaying a DC
                        should require specifying `DomainController`
  -v TARGET, --victim TARGET
                        Victim username or computername$, to request the correct certificate name.
```
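The unconstrained delegation mode above only works against accounts that have the TRUSTED_FOR_DELEGATION bit set, so the defensive counterpart is inventorying exactly those accounts. The following audit helper is an added example, not part of krbrelayx: it encodes the relevant `userAccountControl` bits, builds the LDAP bit-AND filter that finds enabled, non-DC accounts with unconstrained delegation, and classifies sample entries; the `ldap3` query function assumes the server name, NTLM credentials and `defaultNamingContext` of your own domain.

```python
from dataclasses import dataclass
from typing import List, Optional

# userAccountControl bits relevant to delegation (MS-ADTS / MS-SAMR values).
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000              # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# LDAP_MATCHING_RULE_BIT_AND: enabled accounts with unconstrained delegation, DCs excluded
# (DCs are unconstrained by design and are not the interesting finding).
BIT_AND = 'userAccountControl:1.2.840.113556.1.4.803:='
UNCONSTRAINED_FILTER = '(&(%s%d)(!(%s%d))(!(%s%d)))' % (
    BIT_AND, TRUSTED_FOR_DELEGATION, BIT_AND, SERVER_TRUST_ACCOUNT, BIT_AND, ACCOUNTDISABLE)


@dataclass
class Finding:
    sam: str
    severity: str
    reason: str


def classify(sam: str, uac: int, spns: List[str]) -> Optional[Finding]:
    """Return a finding for an enabled non-DC account with unconstrained delegation, else None."""
    if uac & ACCOUNTDISABLE or uac & SERVER_TRUST_ACCOUNT:
        return None
    if not uac & TRUSTED_FOR_DELEGATION:
        return None
    if not sam.endswith('$'):
        # A user account with this bit is the exact prerequisite for the mode described above:
        # whoever holds its Kerberos keys can decrypt the TGTs forwarded to it.
        return Finding(sam, 'high', 'user account with unconstrained delegation')
    if spns:
        return Finding(sam, 'high', 'computer with unconstrained delegation and SPNs (%d)' % len(spns))
    return Finding(sam, 'medium', 'computer with unconstrained delegation but no SPNs')


def query_unconstrained(host: str, user: str, password: str) -> List[Finding]:
    """Run the filter against a DC over ldap3 (assumed host/credentials; DOMAIN\\user for NTLM)."""
    from ldap3 import Server, Connection, ALL, NTLM  # imported lazily so the rest runs offline
    server = Server(host, get_info=ALL)
    conn = Connection(server, user=user, password=password, authentication=NTLM, auto_bind=True)
    base = server.info.other['defaultNamingContext'][0]
    conn.search(base, UNCONSTRAINED_FILTER,
                attributes=['sAMAccountName', 'userAccountControl', 'servicePrincipalName'])
    findings = []
    for entry in conn.entries:
        f = classify(entry['sAMAccountName'].value, int(entry['userAccountControl'].value),
                     list(entry['servicePrincipalName'].values))
        if f:
            findings.append(f)
    return findings
```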
### TODO:
- Specifying SMB as a target is not yet complete; it is recommended to run in export mode and then use secretsdump with the `-k` flag
- Conversion tool between ccache/kirbi
- SMB1 support in the SMB relay server