Exploit Vulnerabilities in Active Directory

A new implementation of Kerberos relaying over HTTP has been unveiled, leveraging multicast poisoning to exploit vulnerabilities in Active Directory environments.

The research, published by Quentin Roland, builds on previous work by cybersecurity expert James Forshaw, demonstrating how attackers can bypass authentication safeguards using tools such as Responder and krbrelayx.

Background on Kerberos Relaying

Kerberos relaying has risen in prominence as organizations increasingly harden their Active Directory (AD) environments, limiting NTLM-based attacks. While Kerberos provides robust authentication mechanisms, researchers have found that it is not immune to relaying attacks.

Relaying attacks exploit the AP-REQ message in the Kerberos protocol: by forwarding a victim's AP-REQ to the real service, an attacker can impersonate the authenticated user and access sensitive services.

Initial techniques focused on relaying over DNS and SMB. James Forshaw introduced the possibility of relaying over HTTP in 2021, and this recent research demonstrates a concrete implementation.

The New Attack Vector: Kerberos Relaying Over HTTP

The latest attack relies on local name resolution poisoning via the LLMNR (Link-Local Multicast Name Resolution) protocol. By answering a client's multicast name query with a spoofed LLMNR response, attackers can redirect HTTP clients to a malicious server and trick them into authenticating against a spoofed target.

How the Attack Works

  1. LLMNR Poisoning: An attacker sets up a listener to intercept failed DNS resolutions within their multicast range. The attacker sends poisoned LLMNR responses, spoofing the answer name with a targeted service, such as a PKI server.
  2. Kerberos Authentication: The victim’s HTTP client requests a Kerberos service ticket (ST) for the spoofed target and sends an AP-REQ to the attacker’s server.
  3. Relaying the AP-REQ: The attacker relays the intercepted AP-REQ to the actual target service, gaining unauthorized access.

The attack utilizes enhanced versions of well-known offensive tools. Responder has been modified to include an -N flag, enabling the specification of an arbitrary answer name in LLMNR responses. Additionally, krbrelayx has been updated to support the relaying of Kerberos authentication over HTTP.
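A detection-side illustration, added here and not part of the original research or of the Responder/krbrelayx tooling: the poisoned reply described above answers a query for one name with a record for a different name (the targeted service), so a network sensor can parse LLMNR responses and flag any answer whose name does not match the queried name. The wire format is the DNS one that LLMNR reuses (RFC 4795 / RFC 1035); the packet bytes, names and address below are constructed for the example.

```python
import struct

def _read_name(buf, off):
    """Decode a DNS-style name; returns (name, offset after it). Follows compression pointers."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:            # RFC 1035 pointer: name continues elsewhere
            end = end or off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), end or off
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln

def parse_llmnr(pkt):
    """Parse an LLMNR message (same layout as DNS) into its question and answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(pkt, off)
        off += 4                          # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((name, rtype, pkt[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}

def spoofed_answer_names(pkt):
    """Answer names in a response that differ from the queried name (the poisoning signature)."""
    msg = parse_llmnr(pkt)
    if not msg["is_response"] or msg["qname"] is None:
        return []
    return [n for n, _t, _rd in msg["answers"] if n != msg["qname"]]

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def build_response(txid, qname, aname, ip):
    """Constructed LLMNR A-record response used as sample input (not captured traffic)."""
    hdr = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0)      # QR=1, one question, one answer
    question = _name(qname) + struct.pack("!HH", 1, 1)      # type A, class IN
    rr = _name(aname) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + question + rr

SAMPLE = build_response(0x1234, "fileshare", "pki-srv", "10.0.0.99")  # constructed: answer name != query
```

Feeding UDP/5355 payloads from a capture through spoofed_answer_names gives a simple alert condition for this technique; a benign LLMNR responder answers with the name that was asked for.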

Real-World Application: Exploiting ADCS Web Enrollment

In one scenario, researchers demonstrated how an unauthenticated attacker could relay Kerberos credentials over HTTP to compromise an Active Directory Certificate Services (ADCS) Web Enrollment endpoint. By obtaining a certificate, the attacker gains an initial foothold within the domain.

This attack presents several advantages and limitations. One key advantage is that it requires no authentication, allowing an attacker to execute it without valid credentials.

Additionally, it provides a way to bypass DNS restrictions, making it effective in environments where DNS relaying is disabled.

However, its success depends on the victim being within the attacker’s multicast range, as LLMNR poisoning relies on multicast communication.

Furthermore, the attack cannot leverage mDNS or NBTNS due to differences in response structures.

Lastly, when relaying Kerberos authentication over HTTP, many clients enforce integrity protections, which restrict the attack’s effectiveness to specific services, such as ADCS Web Enrollment or SCCM endpoints.

Mitigation Recommendations

Organizations can protect their environments by:

  • Disabling LLMNR: Most networks have no functional need for it, making it a common attack vector.
  • Enforcing Anti-Relay Protections: Use mechanisms like TLS with Extended Protection for Authentication (EPA) on HTTP services.
  • Strengthening Network Segmentation: Limit multicast traffic and reduce exposure to potential attackers within the same range.

This new attack method highlights how traditional vulnerabilities like multicast poisoning can be combined with cutting-edge techniques to bypass hardened security measures.

By exploiting Kerberos relaying over HTTP, attackers can gain lateral movement capabilities and escalate privileges within AD environments.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.