Using Trust Tickets
Child to Parent using Trust Tickets
We will extract the trust key, and then forge an inter-realm TGT into which we inject the Enterprise Admins SID as SID History.
To extract the trust key, look for the [In] trust key from child to parent.
OR run DCSync to extract it
OR extract all the secrets from the DC
Now we can forge the inter-realm TGT using the trust key obtained.
Note: Unless explicitly specified, AES is not supported across trusts (within or across forests). RC4 is supported.
Now we can request a TGS from the parent DC to access a service (CIFS) on the parent root DC.
We can now access the forest root DC.
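A detection-side view of the sequence above, as an added example that is not part of the original notes: a forged inter-realm TGT is never issued by the child DC, so the parent DC logs a service-ticket request from a child-realm account with no matching referral on the child DC. The records are constructed and simplified (4769-style); the field names, realm names, service-name format and the 10-hour ticket lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified Kerberos service-ticket (4769-style) records.
# Field names, realm names and service-name format are assumptions.
CHILD, PARENT = "CHILD.CORP.EXAMPLE", "CORP.EXAMPLE"

CHILD_DC_EVENTS = [  # referral tickets the child DC actually issued
    {"time": "2024-05-01T09:00:00", "account": "alice@CHILD.CORP.EXAMPLE",
     "service": "krbtgt/CORP.EXAMPLE"},
]
PARENT_DC_EVENTS = [  # service tickets the parent DC issued
    {"time": "2024-05-01T09:00:05", "account": "alice@CHILD.CORP.EXAMPLE",
     "service": "cifs/fileserver.corp.example"},
    {"time": "2024-05-01T11:30:00", "account": "bob@CHILD.CORP.EXAMPLE",
     "service": "cifs/rootdc.corp.example"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def unmatched_cross_realm_requests(child_events, parent_events,
                                   lifetime=timedelta(hours=10)):
    """Return parent-DC requests from child-realm accounts that have no
    referral issued by the child DC within the ticket lifetime before them."""
    referrals = {}
    for ev in child_events:
        if ev["service"].lower() == f"krbtgt/{PARENT}".lower():
            referrals.setdefault(ev["account"].lower(), []).append(_ts(ev))
    findings = []
    for ev in parent_events:
        account = ev["account"].lower()
        if not account.endswith("@" + CHILD.lower()):
            continue  # only accounts arriving over the child-to-parent trust
        when = _ts(ev)
        issued = referrals.get(account, [])
        if not any(timedelta(0) <= when - t <= lifetime for t in issued):
            findings.append(ev)
    return findings

if __name__ == "__main__":
    for ev in unmatched_cross_realm_requests(CHILD_DC_EVENTS, PARENT_DC_EVENTS):
        print("no referral on child DC:", ev["time"], ev["account"], ev["service"])
```

A finding can also come from incomplete log collection on the child DCs, so confirm every child DC is forwarding its events before treating a gap as suspicious.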