Relaying Kerberos over DNS using krbrelayx and mitm6 by Dirk-jan Mollema | PT SWARM
Relaying Kerberos over DNS using krbrelayx and mitm6
by Dirk-jan Mollema
In a scenario where an attacker can spoof a DNS server via DHCPv6 spoofing with mitm6, victim machines can be made to reliably authenticate to the attacker using Kerberos and their machine account: a Windows host that is handed a new DNS server attempts secure dynamic DNS updates, and the GSS-TSIG (TKEY) negotiation for those updates carries a Kerberos AP-REQ for the machine account. With krbrelayx this authentication can be relayed to any service that does not enforce integrity (signing), such as the HTTP(S)-based enrollment endpoints of Active Directory Certificate Services (AD CS). That yields a certificate for the victim's machine account, which in turn makes it possible to execute code as SYSTEM on that host. This technique is faster, more reliable and less invasive than relaying WPAD authentication with mitm6, but of course requires AD CS web enrollment to be in use.
Contents:
• Kerberos over DNS
• Abusing DNS authentication
• Changes to krbrelayx and mitm6
• Attack example
• Defenses
• Mitigating mitm6
• Mitigating relaying to AD CS
• Tools
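To make the "Kerberos over DNS" part concrete, the following added example (not code from the post, from krbrelayx or from mitm6) builds the DNS TKEY query a client sends for GSS-TSIG secure dynamic update (RFC 2930 / RFC 3645) and then parses it the way a relay server must: locate the TKEY resource record in the additional section, pull out the key data, and recognise the GSS-API initial context token inside it as a Kerberos AP-REQ (RFC 4121 token id 0x0100). The key name, the krb5-mech-only token and the tiny AP-REQ body are constructed placeholders; real Windows clients usually wrap the AP-REQ in SPNEGO, which the classifier only labels and does not unwrap.

```python
"""Build and parse a DNS TKEY query carrying a GSS-API Kerberos token.

Added illustration of GSS-TSIG (RFC 2930 / RFC 3645); not krbrelayx code.
"""
import struct

TYPE_TKEY = 249
CLASS_ANY = 255
MODE_GSSAPI = 3                                      # TKEY mode "GSS-API negotiation"
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
TOK_ID_AP_REQ = b"\x01\x00"                          # RFC 4121 KRB_AP_REQ token id

# Constructed placeholder: APPLICATION 14 { SEQUENCE { pvno INTEGER 5 } }.
# A real AP-REQ carries the service ticket and authenticator and is much larger.
FAKE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"


def encode_name(name):
    """DNS wire-format name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a wire-format name (handles compression pointers); returns (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def gss_initial_token(mech_oid, inner):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { OID mech, inner token }."""
    body = b"\x06" + der_len(len(mech_oid)) + mech_oid + inner
    return b"\x60" + der_len(len(body)) + body


def build_tkey_query(key_name, token, txid=0x1234):
    """Client side: TKEY query with the GSS token in the additional section (RFC 2930 s.2)."""
    hdr = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    question = encode_name(key_name) + struct.pack("!HH", TYPE_TKEY, CLASS_ANY)
    rdata = (encode_name("gss-tsig")
             + struct.pack("!IIHHH", 0, 0, MODE_GSSAPI, 0, len(token))  # inception, expiration, mode, error, key size
             + token
             + struct.pack("!H", 0))                                     # other size
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TKEY, CLASS_ANY, 0, len(rdata)) + rdata
    return hdr + question + rr


def extract_gss_token(pkt):
    """Server/relay side: find the TKEY RR and return its key data (the GSS token)."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4                                   # qtype + qclass
    for _ in range(an + ns):                       # skip answer/authority RRs
        _, off = decode_name(pkt, off)
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_TKEY:
            continue
        alg, p = decode_name(rdata, 0)
        _inc, _exp, mode, _err, keysize = struct.unpack("!IIHHH", rdata[p:p + 14])
        p += 14
        return {"txid": txid, "key_name": name, "algorithm": alg, "mode": mode,
                "token": rdata[p:p + keysize]}
    return None


def classify_token(token):
    """Identify the mechanism of a GSS initial context token; detect a krb5 AP-REQ."""
    if token[:1] != b"\x60":
        return "not-gss"
    p = 1
    if token[p] & 0x80:                            # long-form DER length
        p += 1 + (token[p] & 0x7F)
    else:
        p += 1
    if token[p] != 0x06:
        return "not-gss"
    oidlen = token[p + 1]
    oid = token[p + 2:p + 2 + oidlen]
    p += 2 + oidlen
    if oid == SPNEGO_OID:
        return "spnego"                            # AP-REQ sits inside NegTokenInit.mechToken
    if oid == KRB5_MECH_OID:
        if token[p:p + 2] == TOK_ID_AP_REQ and token[p + 2:p + 3] == b"\x6e":
            return "krb5-ap-req"
        return "krb5-other"
    return "unknown-mech"


if __name__ == "__main__":
    pkt = build_tkey_query("1234-ms-7.1-abcd.internal.corp",
                           gss_initial_token(KRB5_MECH_OID, TOK_ID_AP_REQ + FAKE_AP_REQ))
    info = extract_gss_token(pkt)
    print(info["key_name"], info["algorithm"], info["mode"], classify_token(info["token"]))
```

The relay server never needs a key for the zone: it only has to answer the TKEY query once it has forwarded the extracted AP-REQ to the real target, which is exactly why a service that does not require Kerberos signing or channel binding (the AD CS web enrollment endpoints in the post) accepts the replayed token.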
Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...