
Andrea P

@decoder-it.bsky.social

274 Followers  |  5 Following  |  16 Posts  |  Joined: 11.11.2024  |  1.5166

Latest posts by decoder-it.bsky.social on Bluesky

From NTLM relay to Kerberos relay: Everything you need to know While I was reading Elad Shamir's recent excellent post about NTLM relay attacks, I decided to contribute a companion piece that dives into the mechanics of Kerberos relays, offering an analysis and …

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️
decoder.cloud/2025/04/24/f...

28.04.2025 08:04 — 👍 8    🔁 3    💬 1    📌 0

Hey, we should really switch from NTLM to something like Kerberos, yet another good reason, right?
🤣😂

26.03.2025 18:22 — 👍 6    🔁 1    💬 0    📌 0
GitHub - decoder-it/KrbRelayEx-RPC Contribute to decoder-it/KrbRelayEx-RPC development by creating an account on GitHub.

KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...

14.03.2025 10:18 — 👍 9    🔁 10    💬 0    📌 0
GitHub - decoder-it/NewMachineAccount Contribute to decoder-it/NewMachineAccount development by creating an account on GitHub.

Another simple standalone tool for creating machine accounts with a custom password in Windows AD
github.com/decoder-it/N...

25.02.2025 20:27 — 👍 9    🔁 4    💬 0    📌 0

Notes from the Field: My journey in trying to change Windows passwords in the most complex way, purely for fun, very little profit, but definitely a fun challenge! More details here ➡️ https://decoder.cloud/2025/02/11/changing-windows-passwords-in-the-most-complex-way/

11.02.2025 17:46 — 👍 1    🔁 0    💬 0    📌 0
The (Almost) Forgotten Vulnerable Driver Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even…

Had some fun reviving an old vulnerable driver, read all about it here: decoder.cloud/2025/01/09/t... 🤠

09.01.2025 11:37 — 👍 5    🔁 3    💬 0    📌 0

Indeed, it is. An interesting attack surface is the Kerberos relay, as it allows control over the hostname. In this particular example, I'm relaying RPC/DCOM (bsky.app/profile/deco...) but it also works when acting as an SMB or WinRM server.

23.12.2024 10:35 — 👍 4    🔁 0    💬 1    📌 0

Working on it... 😇

www.youtube.com/watch?v=fUqC...

13.12.2024 19:49 — 👍 6    🔁 3    💬 0    📌 1

@decoder-it.bsky.social and I noticed that it's no longer possible to call NtLoadDriver pointing to an unprivileged regkey such as \REGISTRY\USER.
Even if you have the SeLoadPrivilege, you would still require the Admin group to write the required regkey.
Some more technical details below 👇

13.12.2024 16:11 — 👍 3    🔁 3    💬 1    📌 0

ISystemActivator

02.12.2024 18:39 — 👍 0    🔁 0    💬 0    📌 0

Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.

29.11.2024 21:42 — 👍 9    🔁 4    💬 1    📌 0

Good luck with early detection 😉. Personally, I'd focus time and effort on the basics of hardening (the ones I listed before); prevention often beats detection in the long run.

28.11.2024 17:24 — 👍 0    🔁 0    💬 1    📌 0

As usual, it's all about preventing relaying. So yes, always require SMB signing, LDAP/LDAPS signing and Channel Binding, HTTPS Extended Authentication Protection... but this is in an ideal world, and I've seen too often Insecure DNS Update allowed on root zones... 🤷‍♂️

25.11.2024 20:53 — 👍 3    🔁 0    💬 1    📌 0
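The hardening list in the post above (SMB signing, LDAP signing and channel binding, EPA on the ADCS web enrollment endpoint, and no nonsecure DNS updates, which the later posts use as the foothold for the MITM) can be audited in one pass. The script below is an added example, not code from the author or from KrbRelayEx: it is a read-only PowerShell check of the standard registry values and module cmdlets. The IIS path to the CertSrv application is an assumption; adjust it to the real enrollment site.

```powershell
# Added example (not from the original post): read-only audit of the relay-prevention
# settings listed above. Run elevated on the host being checked; DC-only and
# role-only checks are skipped automatically when the role is absent.

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $v = 'not set (default)' }
    [pscustomobject]@{ Check = $Label; Value = $v; Expected = $Expected; OK = ($v -eq $Expected) }
}

$findings = @()

# SMB signing: RequireSecuritySignature = 1 means "required" (server and client side)
$findings += Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    'RequireSecuritySignature' 1 'SMB server signing required'
$findings += Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    'RequireSecuritySignature' 1 'SMB client signing required'

# Domain controllers only: LDAP signing (2 = require) and LDAPS channel binding (2 = always)
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $findings += Test-RegValue $ntds 'LDAPServerIntegrity'      2 'LDAP signing required'
    $findings += Test-RegValue $ntds 'LdapEnforceChannelBinding' 2 'LDAPS channel binding always'
}

# ADCS web enrollment: Extended Protection for Authentication on the CertSrv app.
# The site/app path below is an assumption; change it to the real enrollment site.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    if ($null -ne $epa) {
        # The cmdlet may return a ConfigurationAttribute wrapper rather than the bare string
        $epaVal = if ($epa.PSObject.Properties['Value']) { $epa.Value } else { $epa }
        $findings += [pscustomobject]@{ Check = 'ADCS web enrollment EPA'; Value = $epaVal
                                        Expected = 'Require'; OK = ($epaVal -eq 'Require') }
    }
}

# DNS: a primary zone accepting nonsecure dynamic updates lets any client register a
# hostname of its choosing, which is what the MITM/relay setups in the posts rely on.
if (Get-Module -ListAvailable -Name DnsServer) {
    Import-Module DnsServer
    $zones = Get-DnsServerZone -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
    foreach ($z in $zones) {
        $findings += [pscustomobject]@{ Check = "DNS zone $($z.ZoneName) dynamic update"
                                        Value = $z.DynamicUpdate; Expected = 'Secure (or None)'
                                        OK = ($z.DynamicUpdate -ne 'NonsecureAndSecure') }
    }
}

$findings | Format-Table -AutoSize
```

Any row with `OK = False` is a setting the post calls out as relay-enabling; the registry values are the ones the corresponding Group Policy settings write, so the same audit works whether the hardening was applied by GPO or by hand.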

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

25.11.2024 17:31 — 👍 64    🔁 43    💬 3    📌 0

Following my prev tweet, my Kerberos MITM relay/forwarder is almost finished! It targets for example insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)

20.11.2024 11:21 — 👍 36    🔁 14    💬 1    📌 0

I will need your help ;)

17.11.2024 20:11 — 👍 2    🔁 0    💬 0    📌 0

Working on my "new" Kerberos Relay & PortForwarder tool designed for managing also MITM attacks 😇

17.11.2024 15:39 — 👍 11    🔁 1    💬 1    📌 0
