A new method for pre-authenticated Kerberos relay attacks using multicast poisoning
2025-1-27 15:41:21 Author: cybersecuritynews.com (view original)

Abusing multicast poisoning for pre-authenticated Kerberos relay

Researchers have documented a novel attack method that leverages multicast poisoning to carry out pre-authenticated Kerberos relay attacks over HTTP.

The technique, detailed by Quentin Roland of Synacktiv, combines legacy weaknesses in local name resolution protocols with authentication relaying tools such as Responder and krbrelayx.

The discovery highlights potential vulnerabilities in hardened Active Directory (AD) environments that have shifted away from NTLM authentication.

Kerberos, a widely-used network authentication protocol, has traditionally been considered more secure than NTLM due to its reliance on encrypted tickets and mutual authentication. However, researchers have demonstrated that Kerberos is not immune to relay attacks.

Earlier Kerberos relaying work relied on DNS and SMB as the source of the relayed authentication. The new method uses HTTP as the vector and relies on Link-Local Multicast Name Resolution (LLMNR) poisoning to obtain a relayable Kerberos ticket from a position that requires no prior authentication.


LLMNR lets devices on a local network resolve hostnames without a DNS server by multicasting the query to the segment. Because any host on the segment can answer, it is susceptible to poisoning attacks, where an attacker responds to hostname queries with malicious answers.

By combining LLMNR poisoning with Kerberos relaying, attackers can intercept and manipulate authentication traffic.

How the Attack Works

The attack relies on a six-step process:

1. LLMNR poisoning: The attacker runs an LLMNR poisoner such as Responder. When a client fails to resolve a hostname via DNS and falls back to LLMNR, the attacker answers the multicast query with a spoofed response.

2. Manipulated LLMNR response: The attacker crafts a response whose "answer name" is the name of the relay target while the returned address points to the attacker's machine, so the victim resolves the target's name to the attacker.

[Figure: How the attack works]

3. Kerberos authentication request: The victim's HTTP client asks the KDC for a Service Ticket (ST) for the target named in the spoofed answer. Because that service genuinely exists in the domain, the KDC issues the ticket.

4. AP-REQ interception: The victim connects to the attacker's host and sends its Kerberos AP-REQ (the application request message carrying the ST and an authenticator) in the HTTP Negotiate authorization header, where the attacker captures it.

5. Relaying authentication: Using krbrelayx, the attacker forwards the intercepted AP-REQ to the real target service. The service accepts it because the ticket was issued for its own SPN, and the attacker is authenticated as the victim.

6. Privilege escalation: If successful, the attacker gains access to the target service in the victim's security context, which is most valuable against high-value services such as Certificate Authorities or management endpoints.
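What the attacker's HTTP listener receives in step 4 is an Authorization: Negotiate header carrying a SPNEGO token, and a relay only works if that token is Kerberos (not NTLM) and the ticket inside it was issued for the SPN of the service being relayed to. The following is an added example, not code from Synacktiv, Responder or krbrelayx: it builds a constructed AP-REQ for the hypothetical SPN HTTP/adcs.corp.local in the hypothetical realm CORP.LOCAL (ciphertext fields zero-filled, since only the cleartext ticket envelope matters here), wraps it the way Windows clients do, then parses the header back to classify the mechanism and recover the SPN the ticket is bound to.

```python
"""Classify an HTTP 'Authorization: Negotiate' header and read the ticket's SPN.

Added example, not Synacktiv/Responder/krbrelayx code. SPN HTTP/adcs.corp.local,
realm CORP.LOCAL and the zeroed ciphertext are constructed sample data. The DER
helpers cover only the single-byte tags needed for AP-REQ, Ticket and SPNEGO.
"""
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows)
NTLM_SAMPLE_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()


def der(tag, body):
    """Minimal DER TLV encoder: single-byte tag, definite length below 64 KiB."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def ctx(n, body): return der(0xA0 | n, body)   # context-specific constructed [n]
def app(n, body): return der(0x60 | n, body)   # [APPLICATION n] constructed
def seq(*items): return der(0x30, b"".join(items))
def integer(v): return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def general_string(s): return der(0x1B, s.encode())


def tlv(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, body, offset after it)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr += nbytes
    return tag, buf[off + hdr:off + hdr + length], off + hdr + length


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, inner, off = tlv(body, off)
        out.append((tag, inner))
    return out


def child(body, tag):
    """Body of the first child TLV with the given tag (e.g. 0xA3 for [3])."""
    return next(inner for t, inner in children(body) if t == tag)


def build_sample_ap_req(realm, service, host):
    """Constructed AP-REQ (RFC 4120 5.5.1); encrypted parts are dummy bytes."""
    sname = seq(ctx(0, integer(2)),                                    # NT-SRV-INST
                ctx(1, seq(general_string(service), general_string(host))))
    enc_part = seq(ctx(0, integer(18)), ctx(1, integer(1)), ctx(2, der(0x04, b"\x00" * 16)))
    ticket = app(1, seq(ctx(0, integer(5)), ctx(1, general_string(realm)), ctx(2, sname), ctx(3, enc_part)))
    authenticator = seq(ctx(0, integer(18)), ctx(2, der(0x04, b"\x00" * 16)))
    return app(14, seq(ctx(0, integer(5)), ctx(1, integer(14)), ctx(2, der(0x03, b"\x00" * 5)),
                       ctx(3, ticket), ctx(4, authenticator)))


def build_sample_negotiate_header(ap_req):
    """GSS-API krb5 InitialContextToken (TOK_ID 01 00) inside a SPNEGO NegTokenInit."""
    krb5_token = app(0, der(0x06, OID_MS_KRB5) + b"\x01\x00" + ap_req)
    neg_token_init = seq(ctx(0, seq(der(0x06, OID_MS_KRB5), der(0x06, OID_KRB5))),  # mechTypes
                         ctx(2, der(0x04, krb5_token)))                              # mechToken
    spnego = app(0, der(0x06, OID_SPNEGO) + ctx(0, neg_token_init))
    return "Negotiate " + base64.b64encode(spnego).decode()


def _classify_token(token):
    if token.startswith(b"NTLMSSP\x00"):    # raw NTLMSSP, with or without SPNEGO
        return "NTLM", None
    tag, body, _ = tlv(token)
    if tag != 0x60:
        return "unknown", None
    _, mech, off = tlv(body)                # thisMech OID comes first
    if mech == OID_SPNEGO:                  # descend into NegTokenInit.mechToken
        _, neg_init, _ = tlv(child(body[off:], 0xA0))
        _, mech_token, _ = tlv(child(neg_init, 0xA2))
        return _classify_token(mech_token)
    if mech in (OID_KRB5, OID_MS_KRB5) and body[off:off + 2] == b"\x01\x00":
        return "Kerberos", body[off + 2:]   # the relayable AP-REQ
    return "unknown", None


def classify_negotiate(header_value):
    """('Kerberos', ap_req_bytes), ('NTLM', None) or ('unknown', None)."""
    scheme, _, token_b64 = header_value.partition(" ")
    return _classify_token(base64.b64decode(token_b64)) if scheme == "Negotiate" else ("unknown", None)


def extract_spn(ap_req):
    """SPN@REALM from the cleartext Ticket envelope of an AP-REQ."""
    _, body, _ = tlv(ap_req)                # [APPLICATION 14]
    _, fields, _ = tlv(body)                # SEQUENCE
    _, ticket_body, _ = tlv(child(fields, 0xA3))   # ticket [3] -> [APPLICATION 1]
    _, tfields, _ = tlv(ticket_body)
    _, realm, _ = tlv(child(tfields, 0xA1))
    _, sname, _ = tlv(child(tfields, 0xA2))
    _, names, _ = tlv(child(sname, 0xA1))   # name-string SEQUENCE OF GeneralString
    return "/".join(s.decode() for _, s in children(names)) + "@" + realm.decode()
```

The SPN recovered this way is the only service the ticket will be accepted by, which is why the poisoned answer name must be the relay target's own name: a ticket for HTTP/<attacker-host> would be useless against the real endpoint.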

Tools and Implementation

The attack leverages two primary tools:

Responder: A widely used LLMNR poisoner, extended for this research with the ability to specify an arbitrary "answer name" in its responses instead of echoing the queried name.

krbrelayx: A tool for relaying Kerberos authentication. Recent updates allow it to receive and relay Kerberos authentication over HTTP.

In a demonstration, the researchers used the technique against an Active Directory Certificate Services (AD CS) web enrollment endpoint configured without NTLM support. By relaying the victim's Kerberos authentication over HTTP, they obtained a certificate issued to the victim account, which can then be used to authenticate as that account elsewhere in the domain for lateral movement.

This method offers several advantages:

  • It requires no prior authentication, so it is available to an attacker who has only network access to the segment.
  • It bypasses NTLM restrictions in environments where NTLM is disabled or NTLM relaying is blocked.

However, there are notable limitations:

  • The attacker must be on the same link-local segment as the victim, since LLMNR multicast is not routed.
  • LLMNR must be enabled on the clients, a setting increasingly disabled in modern environments.
  • Integrity protections on the target service thwart the attack: if the service requires signing or sealing with the Kerberos session key, the relayed AP-REQ is useless because the attacker never learns that key.

Mitigation Strategies

To defend against this threat, organizations should:

  1. Disable LLMNR and other legacy name resolution protocols such as NetBIOS Name Service unless strictly necessary.
  2. Enforce Extended Protection for Authentication (EPA) on HTTP services, including AD CS web enrollment; its channel binding requires the endpoint to be served over TLS.
  3. Require encryption and signing for all Kerberos-enabled services, so a relayed ticket without its session key cannot be used.
  4. Monitor network traffic for signs of LLMNR poisoning (multicast answers from unexpected hosts, or answers that do not match the queried name) and for unusual Kerberos activity, using tools such as Microsoft Defender or Sentinel.
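Steps 1 and 2 of the attack and mitigation 4 above come down to the same wire-level detail: an LLMNR response whose answer name is not the name that was queried. The following is an added example, not Responder's or Synacktiv's code: it encodes an LLMNR query, builds a response in the poisoned shape (answer name set to a relay target, address set to the attacker's listener) and then runs a detection check over such responses against an inventory of known hosts. Host names and addresses (fileshare01, adcs.corp.local, 10.0.0.x) are constructed sample data, and names are handled without DNS label compression, which is all this builder emits.

```python
"""LLMNR answer-name poisoning, and a detection check for it.

Added example, not Responder's or Synacktiv's code. fileshare01, adcs.corp.local
and the 10.0.0.x addresses are constructed sample data. Names are encoded without
DNS label compression; decode_name rejects compressed names rather than guess.
"""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 IPv4 multicast group/port
QR_RESPONSE = 0x8000                            # header flags: QR bit set = response
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    labels = []
    while pkt[off]:
        length = pkt[off]
        if length & 0xC0:
            raise ValueError("compressed names are outside this example")
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), off + 1


def build_query(txid, name, qtype=TYPE_A):
    """Single-question LLMNR query, as a client sends it to the multicast group."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def build_response(query, answer_name, ip, ttl=30):
    """Answer `query`: copy its ID and question section, add one A record.

    A legitimate responder uses answer_name == queried name and its own IP.
    The poisoned form uses the relay target's name and the attacker's IP.
    """
    txid = struct.unpack(">H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                 # QNAME + QTYPE + QCLASS
    rr = encode_name(answer_name) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", txid, QR_RESPONSE, 1, 1, 0, 0) + question + rr


def parse(pkt):
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        addr = socket.inet_ntoa(rdata) if rtype == TYPE_A and rdlen == 4 else rdata
        answers.append((name, rtype, ttl, addr))
    return {"id": txid, "is_response": bool(flags & QR_RESPONSE),
            "questions": questions, "answers": answers}


def detect_poisoning(response, inventory):
    """Findings for one LLMNR response; `inventory` maps lower-case name -> expected IP.

    Two signals: the answer name is not the name that was asked for (the trick
    used in step 2), or a known host is answered with an address the inventory
    does not list for it.
    """
    p = parse(response)
    if not p["is_response"]:
        return []
    queried = {q[0].lower() for q in p["questions"]}
    findings = []
    for name, rtype, _, addr in p["answers"]:
        key = name.lower()
        if key not in queried:
            findings.append(f"answer name {name!r} does not match queried name(s) {sorted(queried)}")
        if rtype == TYPE_A and key in inventory and inventory[key] != addr:
            findings.append(f"{name} answered with {addr}, inventory lists {inventory[key]}")
    return findings
```

On a real network these packets arrive on UDP port 5355 from the 224.0.0.252 group; a capture also gives the sender address, which adds the third useful signal (an answer from a host that is not the one it claims to be) that this offline example cannot see.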

While Kerberos remains a cornerstone of enterprise authentication, this research demonstrates that moving away from NTLM is not enough on its own: a stronger protocol is still exploitable when combined with overlooked weaknesses such as LLMNR poisoning.



Source: https://cybersecuritynews.com/abusing-multicast-poisoning-kerberos-relay/