From 77ee1909737a791bfd0317eca8c20146742a36ad Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 30 Apr 2026 14:00:28 +0000 Subject: [PATCH] Add content from: Bypassing Windows authentication reflection mitigations for ... --- ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index 82a2b4c997b..e2150272302 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md 
@@ -253,6 +253,61 @@ For detailed info about this attack check: 4. **Ticket source not already used:** you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649. 5. You need to somehow be able to perform a **MitM in the communication** maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim. +### Unicode-normalization Kerberos reflection (2025-2026) + +Synacktiv documented a **new Kerberos coercion/relay primitive** that bypassed the first SMB reflection mitigations by abusing **inconsistent Unicode normalization** across Windows DNS, Kerberos/SPN lookup, and SMB ticket acceptance. + +- The attacker needs a way to **register AD-integrated DNS records** and **coerce machine authentication** (`PetitPotam`, DFSCoerce, etc.). +- The crafted target name must be: + - **Different enough** from the victim hostname/FQDN that `DnsCache` does **not** treat it as "self", so a DNS query is emitted. + - **Equivalent enough** during DC-side SPN lookup that the TGS request resolves to the **real machine account SPN**. +- This was achieved by combining: + - a **Unicode hostname lookalike** such as replacing `R` in `SRV1` with a Unicode equivalent so `CompareStringW(..., NORM_IGNORECASE)` no longer returns equal on the client side + - **Unicode dot equivalents** in the FQDN so the DC-side SPN search key still collides with the victim FQDN SPN set + +Why it works: + +- `DnsCache` self-name checks use `CompareStringW` with only **`NORM_IGNORECASE`**. +- SPN lookups in AD ultimately depend on **ESE/NTDS search keys** derived from `LCMapStringEx(..., 0x31403)` (`LCMAP_SORTKEY`, `NORM_IGNORECASE`, `NORM_IGNOREKANATYPE`, `NORM_IGNORENONSPACE`, `NORM_IGNOREWIDTH`, `SORT_STRINGSORT`). +- Therefore, two strings can be **different for client-side self-comparison** but still **collide during SPN lookup** on the DC. 
+- SMB then accepts the relayed AP-REQ as long as the service ticket decrypts under the same machine account key and the local-auth checks are otherwise satisfied. + +Practical constraints and workflow: + +1. A pure hostname variant tends to fail because **LDAP/DNS uniqueness checks** can hit the same normalized collision and reject the record as already existing. +2. The practical workaround is to register a **crafted FQDN** whose DNS label passes uniqueness checks but whose **constructed SPN** still collides with the victim machine SPNs. +3. Coerce the victim to authenticate to that crafted name, receive the **Kerberos AP-REQ** on the relay box, and relay it to a service on the victim or another service bound to the same machine account. +4. Some relay tooling may need a **small patch** to stop enforcing strict ASCII/hostname equality on the relayed target name because the ticket `sname` can contain Unicode. + +Representative chain: + +```bash +# 1. Register crafted ADIDNS record pointing to attacker +dnstool.py -u 'DOMAIN\\user' -p 'Passw0rd!' -r '' -d + +# 2. Coerce machine auth to the crafted name +PetitPotam.py -u user -p 'Passw0rd!' '' + +# 3. Relay the Kerberos AP-REQ +krbrelayx.py -t smb:// -c whoami +``` + +Impact and adaptations: + +- **Pre-October 2025 SMB reflection**: this yielded **authenticated SYSTEM RCE** from a standard domain user by reflecting the victim's Kerberos auth back to its own SMB service. +- **After CVE-2025-58726**: SMB added a **local-source-IP requirement** for loopback-auth sessions, which killed the remote SMB reflection path. +- **LPE variant (CVE-2026-26128)**: if you already have code execution on the victim, use a **local forwarder / reverse SOCKS** so the final SMB session originates from a **local address** while still relaying the coerced AP-REQ. This converts the primitive into **SYSTEM local privilege escalation**. +- **Other protocols still matter**: SMB-specific hardening does **not** kill Kerberos relay as a class. 
HTTP services without integrity / CBT remain strong targets, notably: + - **AD CS Web Enrollment** (`http:///certsrv/certfnsh.asp`) to obtain a machine certificate + - **SCCM AdminService** to perform privileged SCCM actions + - likely any service that accepts Kerberos and does **not** enforce signing, EPA, or channel binding + +Defensive notes: + +- **Loopback SMB signing** is now the important default mitigation. Newer systems enforce signing for local SMB connections through `HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignatureForLoopback`. +- Treat **ADIDNS write access** as a relay primitive, not just a DNS issue. +- For web targets, disable legacy HTTP enrollment when possible and enforce **EPA / CBT / signing** wherever the protocol supports it. + ### Kerberos Relay Steps - 3.1 **Recon the host** 
@@ -351,6 +406,9 @@ You now own **NT AUTHORITY\SYSTEM**. - [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436) - [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth) - [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/) +- [Synacktiv - Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 2](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html) +- [Microsoft Learn - LCMapStringEx function](https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-lcmapstringex) +- [Microsoft Learn - CompareStringW function](https://learn.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-comparestringw) +- [Semperis - Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation](https://www.semperis.com/blog/exploiting-ghost-spns-and-kerberos-reflection-for-smb-server-privilege-elevation/) {{#include ../../banners/hacktricks-training.md}} -
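Review bot: In the `@@ -253,6 +253,61 @@` hunk, the command block under "Representative chain" and the AD CS URL have lost their placeholders: `dnstool.py ... -r '' -d`, `PetitPotam.py ... ''`, `krbrelayx.py -t smb://` and `http:///certsrv/certfnsh.asp` all carry empty record/host arguments, almost certainly because angle-bracket placeholders were swallowed by the markdown renderer. Escape them (backticks or `&lt;...&gt;`) so the example reads correctly. The "Defensive notes" bullet names `RequireSecuritySignatureForLoopback` but gives neither the expected value/type nor which Windows builds enable it by default ("Newer systems" is vague); a reader verifying the mitigation needs both, and a pointer to the CVE-2025-58726 advisory for the exact setting would make the claim traceable. The unchanged context line above the hunk still reads `DNSAmins` (the group is `DnsAdmins`); worth correcting while this section is being touched.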
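Review bot: In the `@@ -351,6 +406,9 @@` hunk, the Synacktiv link is titled "Part 2" but its slug ends in `...-for-system-shells-part.html` with no part number; confirm it resolves to the Part 2 article rather than Part 1, since the CVE-2026-26128 LPE variant described earlier in the patch is attributed to it. The Semperis "Ghost SPNs" reference is added but nothing in the new section cites it; either mention it where the DC-side SPN collision is explained or drop it. The trailing `-` line only removes the file's final blank line, which accounts for the `1 deletion(-)` in the diffstat but is unrelated to the content change and could be left out of this commit.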