Tags: Exploitation, kerberos, relay, delegation, active directory, ldap, smb, adcs

krbrelayx

Kerberos relaying and unconstrained delegation abuse toolkit. This tool can add/remove/modify Service Principal Names on accounts in AD over LDAP.

Description

krbrelayx is a Kerberos relay and unconstrained delegation abuse tool designed for attacking Active Directory environments. It enables relaying Kerberos authentication to perform various attacks including SMB execution, LDAP modifications, and AD CS certificate abuse. The toolkit supports watching target files for dynamic updates and storing tickets for later use.

Use cases include compromising domain controllers, escalating privileges via unconstrained delegation, dumping hashes with secretsdump.py, enumerating local admins, and performing ACL attacks on LDAP. It integrates with tools like addspn for SPN management and dnstool for DNS record manipulation in AD-integrated DNS.

The tool requires Python dependencies such as impacket, ldap3, and dnspython, and is part of a broader suite that includes printerbug for print spooler exploits. Targets must be given as hostnames rather than IP addresses, because Kerberos service tickets are issued for a service principal name tied to a host name.

How It Works

krbrelayx performs Kerberos ticket relaying by intercepting authentication attempts and redirecting them to the specified targets over SMB, LDAP, or AD CS protocols. For unconstrained delegation abuse, it derives the account's Kerberos keys from the supplied password (or hex-encoded password) and case-sensitive salt in order to impersonate that account. On a successful relay it executes commands, dumps hashes via secretsdump.py, adds Domain Admins, modifies ACLs, or requests certificates using ESC1/ESC6 techniques with custom templates and alternative names. The LDAP mode adds, removes, or modifies SPNs, while the SMB mode enables command execution or local admin enumeration via SAMR lookups.

Installation

```bash
sudo apt install krbrelayx
```

Flags

-debug: Turn DEBUG output ON
-t, --target TARGET: Target to attack. Since this is Kerberos, only HOSTNAMES are valid. Example: smb://server:445. If unspecified, tickets are stored for later use.
-tf TARGETSFILE: File that contains targets by hostname or full URL, one per line
-w: Watch the target file for changes and update the target list automatically (only valid with -tf)
-p, --krbpass PASSWORD: Account password
-hp, --krbhexpass HEXPASSWORD: Hex-encoded password
-s, --krbsalt USERNAME: Case-sensitive (!) salt, used to calculate Kerberos keys. Only required if specifying a password instead of keys.
-e FILE: File to execute on the target system. If not specified, hashes will be dumped (secretsdump.py must be in the same directory)
-c COMMAND: Command to execute on the target system. If not specified, hashes will be dumped (secretsdump.py must be in the same directory)
--enum-local-admins: If the relayed user is not admin, attempt a SAMR lookup to see who is (only works pre Win 10 Anniversary)
--no-dump: Do not attempt to dump LDAP information
--no-da: Do not attempt to add a Domain Admin
--no-acl: Disable ACL attacks
--no-validate-privs: Do not attempt to enumerate privileges; assume permissions are granted to escalate a user via ACL attacks
--escalate-user ESCALATE_USER: Escalate privileges of this user instead of creating a
--adcs: Enable AD CS relay attack
--template TEMPLATE: AD CS template. Defaults to Machine or User depending on whether the relayed account name ends with `$`. Relaying a DC should require specifying `DomainController`
--altname ALTNAME: Subject Alternative Name to use when performing ESC1 or ESC6 attacks
-v, --victim TARGET: Victim username or computername$, to request the correct certificate name

Examples

Show the help message and usage for krbrelayx:

```bash
krbrelayx -h
```

Relay to a specific SMB target hostname:

```bash
krbrelayx.py -t smb://server:445
```

Use a file containing a list of targets by hostname or full URL:

```bash
krbrelayx.py -tf targets.txt
```

Watch the target file for changes and update the list automatically:

```bash
krbrelayx.py -tf targets.txt -w
```

Use the account password and salt to derive Kerberos keys for unconstrained delegation abuse:

```bash
krbrelayx.py -p password -s username
```

Execute the specified file on the target (hashes are dumped instead if no file is given and secretsdump.py is present):

```bash
krbrelayx.py -e file.txt
```

Execute a command on the target system:

```bash
krbrelayx.py -c 'whoami'
```

Enable the AD CS relay attack with the template required when relaying a DC:

```bash
krbrelayx.py --adcs --template DomainController
```
Updated 2026-04-16. Source: kali.org