dirkjanm / krbrelayx

Kerberos unconstrained delegation abuse toolkit
MIT License

Question/Feature: Relaying DNS and HTTP Authentication to LDAP By Modifying the Client Integrity Flag #39

Open gjhami opened 9 months ago

gjhami commented 9 months ago

I wanted to say first this is a great tool, I use it all the time, and I appreciate all the work and research that went into it!

Overall, my question is about whether it's possible to relay DNS, HTTP, or other authentication that maps implicitly to the HOST class to high value services that also map to the HOST class (ideally LDAP or SMB if they do) and don't require signing by modifying the value of the client's integrity flag.

My question harkens back to a couple of statements you made in part two of your Kerberos relaying articles:

  1. You can't relay DNS authentication to LDAP because the flag that requests integrity (signing) is set by the client.
  2. You can relay DNS authentication to HTTP because it ignores the flag and both services map to the HOST class.

Part 1: Is it possible to relay any service that maps to the HOST class to services where signing is optional (again I'm thinking LDAP and SMB) by sniffing, modifying, and relaying traffic between a victim and a target and specifically modifying the value of the integrity flag so the client is not requesting signing? This is my understanding of what Krbjack is doing here: https://github.com/almandin/krbjack/blob/d4bdd9a3b61303eda5dbc614f3448a8b469c0e53/krbjack/tcpforward.py#L37

Part 2: You say in your article 'many' services map to the HOST class. Do you know of a list of services that do this? I'm wondering specifically about those with obvious attacks that lead to privilege escalation (like SMB or LDAP) but also others. I couldn't find a list of all the services that map to the HOST class anywhere, including in the referenced project zero articles.

If my understanding is correct and there are high value services that map to the HOST class and don't require signing by default, then relaying to these services is a feature I would like to see and would do my best to help implement. Thanks!

gjhami commented 9 months ago

Update: I was able to find some additional info.

Microsoft's Kerberos Technical Supplement For Windows indicates LDAP does map to the HOST service:

When a new computer account is created in Active Directory, host-based SPNs are automatically generated for built-in services. Examples of these services include HOST, LDAP, and HTTP. In reality, SPNs are only created for the HOST service and all built-in services use the HOST SPN. However, this implementation is transparent because built-in names act as an alias to the HOST service unless they have been specifically mapped to a Windows account.

An ADSecurity page, on the other hand, does not include LDAP in the list of services automatically mapped to the HOST service. However, it does list the CIFS service, indicating relaying DNS or HTTP authentication to SMB to perform a secretsdump or other operations is possible.

Overall, there appears to be some conflicting information around LDAP, and I would love clarification if you have it.

Update: Adding some additional detail based on testing with a Windows Server 2016 instance. My results matched those on the ADSecurity page linked earlier, indicating LDAP/LDAPS does not map to the HOST service class. However, several others that are interesting relay targets do map to the HOST service class: rpc / rpclocator / dcom, CIFS, and DNS (for record takeover to set up additional relaying) look to have the most potential as targets.
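The Part 2 question (which service classes alias to HOST) can be answered per forest rather than from a web page: Active Directory publishes the alias list in the multi-valued `sPNMappings` attribute of `CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>`, where each value has the form `host=svc1,svc2,...`. The following is an added example, not code from krbrelayx or from anyone in this thread; it parses that attribute format and reports which SPNs on a host share one canonical class (and so one set of accepted tickets), honouring the Microsoft caveat quoted above that an alias stops applying once the SPN is explicitly registered on an account. The sample attribute value is constructed for the example and lists only classes named in this thread, not the real (much longer) default set; the `DC=corp,DC=example` base is a placeholder.

```python
"""Audit which Kerberos service classes alias to the HOST class.

Added example, not part of the krbrelayx project. To use real data, fetch the
attribute from the forest root (placeholder base DN shown):

  ldapsearch -H ldap://dc01.corp.example -b \
    "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=example" \
    -s base sPNMappings

and pass the returned values to parse_spn_mappings().
"""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample value, modeled on the real attribute format. It is NOT the
# full default list; it only names classes discussed in the issue thread.
SAMPLE_SPN_MAPPINGS: List[str] = [
    "host=cifs,dns,http,www,rpc,rpclocator,dcom",
]


def parse_spn_mappings(values: Iterable[str]) -> Dict[str, str]:
    """Return {alias_class: target_class} from raw sPNMappings values.

    Each value looks like "host=svc1,svc2,...". Classes are case-insensitive,
    so everything is normalised to lower case. Malformed values are skipped.
    """
    mapping: Dict[str, str] = {}
    for raw in values:
        target, sep, aliases = raw.partition("=")
        target = target.strip().lower()
        if not sep or not target or not aliases.strip():
            continue
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                mapping[alias] = target
    return mapping


def canonical_spn(spn: str, mapping: Dict[str, str],
                  explicit_spns: Iterable[str] = ()) -> str:
    """SPN a ticket request for `spn` is actually serviced under.

    The service class is replaced by its alias target (e.g. dns/x -> host/x)
    unless that exact SPN is explicitly registered on some account, in which
    case the alias no longer applies and the SPN is returned unchanged.
    """
    spn_l = spn.lower()
    if spn_l in {s.lower() for s in explicit_spns}:
        return spn_l
    service_class, sep, host_part = spn_l.partition("/")
    if not sep:
        return spn_l  # not an SPN of the form class/host; leave as-is
    return f"{mapping.get(service_class, service_class)}/{host_part}"


def interchangeable(spn_a: str, spn_b: str, mapping: Dict[str, str],
                    explicit_spns: Iterable[str] = ()) -> bool:
    """True when tickets for the two SPNs are issued for the same key/class."""
    return (canonical_spn(spn_a, mapping, explicit_spns)
            == canonical_spn(spn_b, mapping, explicit_spns))


def group_by_canonical(spns: Iterable[str], mapping: Dict[str, str],
                       explicit_spns: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Group SPNs whose tickets are interchangeable; useful for a hardening review."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for spn in spns:
        groups[canonical_spn(spn, mapping, explicit_spns)].append(spn)
    return dict(groups)


if __name__ == "__main__":
    # Constructed SPN inventory for one domain controller.
    inventory = [
        "DNS/dc01.corp.example", "cifs/dc01.corp.example",
        "HTTP/dc01.corp.example", "ldap/dc01.corp.example",
        "RPC/dc01.corp.example",
    ]
    m = parse_spn_mappings(SAMPLE_SPN_MAPPINGS)
    for canon, members in sorted(group_by_canonical(inventory, m).items()):
        print(f"{canon}: {', '.join(members)}")
```

In the sample output, `DNS`, `cifs`, `HTTP` and `RPC` on `dc01` collapse into one `host/dc01.corp.example` group while `ldap/dc01.corp.example` stays on its own, which is the distinction the thread arrives at by testing: authentication for any member of a group is accepted by every other member, so signing requirements have to be evaluated for the whole group, not per service.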