krbrelayx
Kerberos relaying and unconstrained delegation abuse toolkit. This tool can add/remove/modify Service Principal Names on accounts in AD over LDAP.
Installed size: 169 KB
How to install: sudo apt install krbrelayx
Dependencies:
- python3
- python3-dnspython
- python3-impacket
- python3-ldap3
krbrelayx
root@kali:~# krbrelayx -h
usage: krbrelayx.py [-h] [-debug] [-t TARGET] [-tf TARGETSFILE] [-w]
                    [-ip INTERFACE_IP] [-r SMBSERVER] [-l LOOTDIR]
                    [-f {ccache,kirbi}] [-codec CODEC] [-no-smb2support]
                    [-wh WPAD_HOST] [-wa WPAD_AUTH_NUM] [-6] [-p PASSWORD]
                    [-hp HEXPASSWORD] [-s USERNAME] [-hashes LMHASH:NTHASH]
                    [-aesKey hex key] [-dc-ip ip address] [-e FILE]
                    [-c COMMAND] [--enum-local-admins] [--no-dump] [--no-da]
                    [--no-acl] [--no-validate-privs]
                    [--escalate-user ESCALATE_USER]
                    [--add-computer [COMPUTERNAME]] [--delegate-access]
                    [--sid] [--dump-laps] [--dump-gmsa] [--dump-adcs] [--adcs]
                    [--template TEMPLATE] [--altname ALTNAME] [-v TARGET]

Kerberos relay and unconstrained delegation abuse tool. By @_dirkjan /
dirkjanm.io

Main options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -t, --target TARGET   Target to attack, since this is Kerberos, only
                        HOSTNAMES are valid. Example: smb://server:445 If
                        unspecified, will store tickets for later use.
  -tf TARGETSFILE       File that contains targets by hostname or full URL,
                        one per line
  -w                    Watch the target file for changes and update target
                        list automatically (only valid with -tf)
  -ip, --interface-ip INTERFACE_IP
                        IP address of interface to bind SMB and HTTP servers
  -r SMBSERVER          Redirect HTTP requests to a file:// path on SMBSERVER
  -l, --lootdir LOOTDIR
                        Loot directory in which gathered loot (TGTs or dumps)
                        will be stored (default: current directory).
  -f, --format {ccache,kirbi}
                        Format to store tickets in. Valid: ccache (Impacket)
                        or kirbi (Mimikatz format) default: ccache
  -codec CODEC          Sets encoding used (codec) from the target's output
                        (default "utf-8"). If errors are detected, run
                        chcp.com at the target, map the result with
                        https://docs.python.org/2.4/lib/standard-
                        encodings.html and then execute ntlmrelayx.py again
                        with -codec and the corresponding codec
  -no-smb2support       Disable SMB2 Support
  -wh, --wpad-host WPAD_HOST
                        Enable serving a WPAD file for Proxy Authentication
                        attack, setting the proxy host to the one supplied.
  -wa, --wpad-auth-num WPAD_AUTH_NUM
                        Prompt for authentication N times for clients without
                        MS16-077 installed before serving a WPAD file.
  -6, --ipv6            Listen on both IPv6 and IPv4

Kerberos Keys (of your account with unconstrained delegation):
  -p, --krbpass PASSWORD
                        Account password
  -hp, --krbhexpass HEXPASSWORD
                        Hex-encoded password
  -s, --krbsalt USERNAME
                        Case sensitive (!) salt. Used to calculate Kerberos
                        keys.Only required if specifying password instead of
                        keys.
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

SMB attack options:
  -e FILE               File to execute on the target system. If not
                        specified, hashes will be dumped (secretsdump.py must
                        be in the same directory)
  -c COMMAND            Command to execute on target system. If not specified,
                        hashes will be dumped (secretsdump.py must be in the
                        same directory).
  --enum-local-admins   If relayed user is not admin, attempt SAMR lookup to
                        see who is (only works pre Win 10 Anniversary)

LDAP attack options:
  --no-dump             Do not attempt to dump LDAP information
  --no-da               Do not attempt to add a Domain Admin
  --no-acl              Disable ACL attacks
  --no-validate-privs   Do not attempt to enumerate privileges, assume
                        permissions are granted to escalate a user via ACL
                        attacks
  --escalate-user ESCALATE_USER
                        Escalate privileges of this user instead of creating a
                        new one
  --add-computer [COMPUTERNAME]
                        Attempt to add a new computer account
  --delegate-access     Delegate access on relayed computer account to the
                        specified account
  --sid                 Use a SID to delegate access rather than an account
                        name
  --dump-laps           Attempt to dump any LAPS passwords readable by the
                        user
  --dump-gmsa           Attempt to dump any gMSA passwords readable by the
                        user
  --dump-adcs           Attempt to dump ADCS enrollment services and
                        certificate templates info

AD CS attack options:
  --adcs                Enable AD CS relay attack
  --template TEMPLATE   AD CS template. Defaults to Machine or User whether
                        relayed account name ends with `$`. Relaying a DC
                        should require specifying `DomainController`
  --altname ALTNAME     Subject Alternative Name to use when performing ESC1
                        or ESC6 attacks.
  -v, --victim TARGET   Victim username or computername$, to request the
                        correct certificate name.
Updated on: 2025-Sep-01