CyberSecurity SEE

Hackers exploit DNS poisoning to compromise Active Directory environments.

Cybersecurity researchers have unveiled a groundbreaking technique that allows for Kerberos relaying over HTTP by leveraging multicast poisoning. This innovative method, introduced by James Forshaw and further refined using tools like Responder and krbrelayx, targets local name resolution protocols such as LLMNR to carry out pre-authenticated Kerberos relay attacks.

In environments where NTLM relays are largely mitigated, this new approach opens up a fresh attack path in hardened Active Directory settings. The key weakness exploited by this new vector is how certain HTTP clients derive Service Principal Names (SPNs) during Kerberos authentication.

Compared to established methods like Kerberos relaying over DNS or SMB, this multicast-based technique presents a novel way to achieve unauthorized privilege escalation in enterprise networks. By manipulating LLMNR responses, attackers can redirect client authentication requests to malicious servers, effectively relaying authentication attempts to target systems.

The core of this attack lies in the behavior of HTTP clients such as browsers and WebDAV clients, which build the SPN for Kerberos authentication from the hostname returned by name resolution rather than from the name they originally asked for. By controlling the LLMNR answer name, an attacker can therefore choose which service the client requests a ticket for, redirect the client's authentication to a malicious server, and relay that authentication to a target system of their choosing.

The attack process involves setting up an LLMNR poisoner, such as Responder, on the local multicast range. When a victim HTTP client encounters a hostname resolution failure, the attacker responds with a spoofed LLMNR response, tricking the client into requesting a Service Ticket (ST) for a target service like an HTTP server. The attacker then captures and relays the client’s AP-REQ (Authentication Protocol Request) using tools like krbrelayx, potentially leading to privilege escalation or certificate acquisition.

Researchers have successfully implemented this attack using Responder to modify LLMNR answer names and krbrelayx for relaying authentication attempts. In a demonstration, an attacker showcased how this method could be used to gain unauthorized access to an Active Directory Certificate Services (ADCS) Web Enrollment endpoint.

Despite its innovation, this attack has limitations, such as requiring the victim and attacker to be within the same multicast range and relying on LLMNR being enabled within the network. Defensive measures to prevent such attacks include disabling LLMNR and other unnecessary local name resolution protocols, as well as enforcing mutual authentication and integrity protections for Kerberos-enabled services.
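A small detector for the LLMNR side of the attack, as an added example that is not from the article or from the researchers' tooling: it parses LLMNR packets captured on UDP/5355 (LLMNR reuses the DNS wire format) and flags any source that answers for several unrelated names, which is what a poisoner does and what a genuine host, answering only for itself, never does. The sample traffic, hostnames and IP addresses are constructed.

```python
import struct
from collections import defaultdict

def encode_name(name):
    """Hostname -> DNS-style length-prefixed labels (LLMNR reuses the DNS wire format)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def decode_name(data, off):
    """Decode labels at offset; returns (name, offset just past the terminating zero)."""
    labels = []
    while data[off] != 0:
        labels.append(data[off + 1:off + 1 + data[off]].decode("utf-8", "replace"))
        off += 1 + data[off]
    return ".".join(labels), off + 1

def build_llmnr(tid, name, answer_ip=None):
    """Minimal LLMNR query (UDP/5355), or a response when answer_ip is given. Constructed data."""
    resp = answer_ip is not None
    pkt = struct.pack("!6H", tid, 0x8000 if resp else 0, 1, int(resp), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)           # question: type A, class IN
    if resp:                                                     # answer RR: A, IN, TTL 30, 4-byte RDATA
        pkt += encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4)
        pkt += bytes(int(o) for o in answer_ip.split("."))
    return pkt

def parse_llmnr(payload):
    """Return (transaction id, is_response, queried name), or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] != 1:   # exactly one question
        return None
    tid, flags = struct.unpack("!2H", payload[:4])
    try:
        name, _ = decode_name(payload, 12)
    except IndexError:                                           # truncated packet
        return None
    return tid, bool(flags & 0x8000), name.lower()

def find_poisoners(packets, min_names=3):
    """packets: (src_ip, udp_payload) pairs seen on UDP/5355. A genuine host answers only for its
    own name; a poisoner answers whatever is asked. Returns {src: names} above the threshold."""
    answered = defaultdict(set)
    for src, payload in packets:
        parsed = parse_llmnr(payload)
        if parsed and parsed[1]:
            answered[src].add(parsed[2])
    return {s: sorted(n) for s, n in answered.items() if len(n) >= min_names}

# Constructed sample: one host answers three unrelated failed lookups, another only for itself.
SAMPLE = [("10.0.0.99", build_llmnr(i, n, "10.0.0.99"))
          for i, n in enumerate(["fileshare01", "wpad", "printsrv"])]
SAMPLE.append(("10.0.0.7", build_llmnr(9, "ws07", "10.0.0.7")))
```

In a network where LLMNR has been disabled as the article recommends, any LLMNR response at all is worth an alert; in one where it is still on, a single source answering for many names is the signal to act on.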

This new method highlights how traditional attack surfaces like local name resolution poisoning can be repurposed with modern offensive tools to exploit Kerberos authentication mechanisms. By combining old techniques with advanced relaying strategies, attackers can potentially gain initial footholds in a domain or escalate privileges.

Organizations are advised to remain vigilant and adopt proactive security configurations to address emerging threat vectors like Kerberos relaying over HTTP. Even in hardened Active Directory environments, the persistence of legacy protocols and improper configurations can lead to compromise if not properly addressed.