Windows SMB Server Elevation of Privilege via Kerberos Reflection

This repository is a standalone Python exploit for CVE-2026-26128, described as Kerberos reflection via a Unicode SPN bypass in Windows Active Directory. The main entry point is CVE-2026-26128.py, which orchestrates the full attack chain: parse operator credentials and target parameters, derive a crafted Unicode hostname from the chosen target, add that hostname as an AD-integrated DNS A record via LDAP, wait for propagation, start a local SMB relay server on port 445, and then trigger coerced authentication from the victim/DC using either PetitPotam (EFSRPC) or DFSCoerce (DFSNM). When the coerced Kerberos authentication reaches the attacker SMB listener, the code extracts the AP-REQ/SPN and relays it to a configured target service. Repository structure is modular. lib/dns contains LDAP-based ADIDNS management used to add/remove the malicious DNS record. lib/coerce contains the coercion primitives: petitpotam.py triggers EFSRPC-based UNC access to \\<listener>\test\Settings.ini, and dfscoerce.py triggers DFSNM-based coercion over \\PIPE\netdfs. lib/servers contains the relay listeners, especially smbrelayserver.py, which implements the SMB listener and includes Unicode normalization logic to match the relayed SPN hostname back to the intended target. httprelayserver.py provides HTTP/WebDAV relay handling. lib/clients contains protocol relay clients for HTTP/HTTPS and MSSQL. The HTTP client relays Kerberos to web targets such as AD CS Web Enrollment; the MSSQL client performs Kerberos-authenticated TDS login and supports execution of operator-supplied SQL queries through ntlmrelayx attack plumbing. lib/utils contains configuration and Kerberos/SPNEGO parsing helpers. Primary exploit capability is Kerberos relay enabled by a Unicode hostname confusion trick: the tool registers a Unicode lookalike DNS name that resolves to the attacker, causing the target/DC to request a service ticket and connect to the attacker-controlled SMB service. The SMB relay server then forwards the Kerberos authentication to a chosen target. For AD CS targets, the expected result is issuance of a machine certificate saved as a .pfx file, after which the tool prints a gettgtpkinit.py command to obtain a TGT via PKINIT. For MSSQL targets, the exploit can authenticate and run arbitrary SQL queries provided with -q/--query. This is clearly exploit code rather than a detector, and it is operational because it contains end-to-end attack logic and usable payload actions, though payload customization is relatively basic and not embedded in a larger exploitation framework.