It’s a tool to interact with remote hosts using the Windows Search Protocol and coerce authentication. The target host will connect over SMB to the listener host using the machine account.
What can I do with this?
- Relay the authentication from the target to another system (if SMB signing is disabled)
- Obtain the TGT of the target (if coercing to a system where unconstrained delegation is enabled)
What are the requirements?
- Must be running in the context of a domain user (no specific privileges required on target system AFAIK)
- 445/TCP open on the target system
- 445/TCP open on the listener system
- Windows Search Service running on the target system
Note: The Windows Search Service is NOT enabled by default on Windows Server so in practice this attack is only effective against Windows workstations.
Christin
Hello There. I found your blog using msn. This is a really well written article.
I will make sure to bookmark it dedicated team services and come back to read more of your
useful info. Thanks for the post. I’ll definitely comeback.
Prapattimynk
Thank you sir 🙏