A novel attack method leverages multicast poisoning to execute pre-authenticated Kerberos relay attacks over HTTP.
This technique, detailed by Quentin Roland of Synacktiv, combines legacy weaknesses in local name resolution protocols with advanced authentication relaying tools like Responder and krbrelayx.
The discovery highlights potential vulnerabilities in hardened Active Directory (AD) environments that have shifted away from NTLM authentication.
Kerberos, a widely used network authentication protocol, has traditionally been considered more secure than NTLM because it relies on encrypted tickets and mutual authentication. However, researchers have demonstrated that Kerberos is not immune to relay attacks.
Previous implementations of Kerberos relaying focused on DNS and SMB protocols. The new method introduces HTTP as a vector, exploiting the Link-Local Multicast Name Resolution (LLMNR) protocol to bypass certain security measures.
LLMNR allows devices on local networks to resolve hostnames without relying on DNS servers. However, its multicast nature makes it susceptible to poisoning attacks, where an attacker responds to hostname queries with malicious responses.
By combining LLMNR poisoning with Kerberos relaying, attackers can intercept and manipulate authentication traffic.
The attack relies on a six-step process:
1. LLMNR Poisoning: The attacker sets up an LLMNR poisoner using tools like Responder. When a client fails to resolve a hostname via DNS, the attacker responds with a spoofed answer.
2. Manipulated DNS Response: The attacker crafts a response where the “answer name” corresponds to the relay target while pointing the query to their machine.
3. Kerberos Authentication Request: The victim’s HTTP client requests a Service Ticket (ST) for the spoofed target.
4. AP-REQ Interception: The attacker captures the victim’s Authentication Protocol Request (AP-REQ), which contains the ST.
5. Relaying Authentication: Using krbrelayx, the attacker forwards the intercepted AP-REQ to the intended target service, impersonating the victim.
6. Privilege Escalation: If successful, the attacker gains unauthorized access to high-value services like Certificate Authorities or management endpoints.
The attack leverages two primary tools:
Responder: A widely used tool for LLMNR poisoning, now enhanced with functionality to specify arbitrary “answer names” in responses.
krbrelayx: A tool for relaying Kerberos authentication tokens. Recent updates allow it to handle HTTP-based relays effectively.
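The feature that makes this variant work is the one described in step 2 and in the Responder note above: the LLMNR response carries an “answer name” that is not the hostname the client asked for. That is also the property a defender can check for on the wire, because a legitimate LLMNR responder answers for its own name. The following is an added example written for this article, not code from Synacktiv, Responder or krbrelayx. It parses LLMNR responses (LLMNR reuses the DNS message format on UDP port 5355) and flags any answer whose owner name differs from every question name in the same message. The two packets, the hostnames “fileshare01” and “adcs.corp.example” and the addresses are constructed placeholders, not values from the article.

```python
import struct

# LLMNR reuses the DNS wire format; these constants are the protocol's own.
LLMNR_PORT = 5355
LLMNR_MCAST_V4 = "224.0.0.252"
FLAG_QR = 0x8000  # set on responses


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS/LLMNR labels (length-prefixed, NUL-terminated)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers.
    Returns (name, offset_after_name_in_the_original_stream)."""
    labels, jumped, next_off, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        if length == 0:  # root label ends the name
            if not jumped:
                next_off = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), next_off


def build_llmnr_response(txid: int, qname: str, ip: str, answer_name=None) -> bytes:
    """Build a one-question, one-A-record LLMNR response (test data generator).
    answer_name=None uses a compression pointer to the question name, as a
    normal responder does; a string puts a different owner name in the answer."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = owner + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def parse_llmnr_response(msg: bytes) -> dict:
    """Parse header, question names and (name, address) pairs of the answers."""
    if len(msg) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4  # QTYPE, QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        addr = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, addr))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def find_answer_name_mismatch(msg: bytes):
    """Return [(answer_name, address)] for answers whose owner name matches no
    question name in the same response. A legitimate LLMNR responder answers
    for the name it was asked about, so any hit is worth an alert."""
    info = parse_llmnr_response(msg)
    if not info["is_response"]:
        return []
    asked = {q.lower() for q in info["questions"]}
    return [(n, a) for n, a in info["answers"] if n.lower() not in asked]


# Constructed sample traffic (placeholder names and addresses, not from the article).
BENIGN = build_llmnr_response(0x1234, "fileshare01", "10.0.0.5")
SUSPICIOUS = build_llmnr_response(0x1235, "fileshare01", "10.0.0.66",
                                  answer_name="adcs.corp.example")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, parse_llmnr_response(pkt)["answers"], find_answer_name_mismatch(pkt))
```

Fed with captures of multicast traffic to 224.0.0.252:5355 (or the IPv6 equivalent), the same check also surfaces responses for names that the local DNS zone does resolve, which ordinary LLMNR fallback should never produce.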
In a demonstration, researchers used this technique to exploit an AD Certificate Services (ADCS) web enrollment endpoint configured without NTLM support. By relaying Kerberos authentication over HTTP, they successfully obtained a certificate for lateral movement within the domain.
This method offers several advantages:
However, there are notable limitations:
To defend against this threat, organizations should:
While Kerberos remains a cornerstone of enterprise security, this research demonstrates that even advanced protocols are not impervious to exploitation when combined with overlooked vulnerabilities like LLMNR poisoning.