TRUST BASED DOMAIN ATTACKS
USING TRUST KEY
Domain Admin privileges are needed to extract the trust key and perform attacks across domains that share a trust
To get the domain trust key using Mimikatz
Create an Inter-Realm TGT for the target domain
The RID depends on the group being asserted. Some important RIDs are:
Enterprise Admins - 519
Schema Admins - 518
Domain Admins - 512
Requesting a TGS from target domain using Inter-Realm TGT for Target Domain's DC
Presenting the TGS to the service
Alternatively, Rubeus can be used to request and present the TGS from the TGT
USING KRBTGT HASH
Instead of the domain trust key, the krbtgt hash is used to request a TGT
Create an Inter-Realm TGT for the target domain
Executing Pass The Ticket attack with the saved TGT
Try running WMI queries; if the WMI query output displays
The HOST service can also be used
Try spawning a reverse shell via scheduled tasks
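As an added example (not part of the original notes), the following Python models the defender-side view of both variants above: it applies the SID-filtering rule that strips SIDs not issued by the trusted domain from an inter-realm ticket, and flags any Domain Admins / Schema Admins / Enterprise Admins RID (512/518/519) whose domain prefix differs from the ticket's source domain, which is exactly the SID history an inter-realm ticket built with the trust key or krbtgt hash asserts. The domain SIDs and the ticket's SID list are constructed placeholders.

```python
import re

# Privileged RIDs the notes above list; a cross-domain ticket carrying one of these
# in its SID history is the artifact SID filtering exists to strip.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed placeholder domain SIDs (not real environments).
CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted (child) domain
ROOT_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # trusting (forest root) domain

# Constructed PAC SID list of an inter-realm ticket: a child-domain user and its
# Domain Users group, plus an injected Enterprise Admins SID from the root domain.
SAMPLE_TICKET_SIDS = [CHILD_SID + "-1105", CHILD_SID + "-513", ROOT_SID + "-519"]


def split_sid(sid):
    """Return (domain_prefix, rid) for a domain SID, or None for non-domain SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def sid_filter(trusted_domain_sid, sids):
    """Simplified SID filtering (quarantine): keep only SIDs issued by the trusted domain.

    Intra-forest (child/parent) trusts do not have this enabled by default, which is why
    asserting RID 519 across such a trust succeeds; forest and external trusts have it on.
    """
    kept, dropped = [], []
    for sid in sids:
        parts = split_sid(sid)
        (kept if parts and parts[0] == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def find_foreign_privileged_sids(source_domain_sid, sids):
    """Detection rule: privileged RIDs whose domain prefix is not the ticket's source domain."""
    findings = []
    for sid in sids:
        parts = split_sid(sid)
        if parts and parts[1] in PRIVILEGED_RIDS and parts[0] != source_domain_sid:
            findings.append((sid, PRIVILEGED_RIDS[parts[1]]))
    return findings


if __name__ == "__main__":
    print("foreign privileged SIDs:", find_foreign_privileged_sids(CHILD_SID, SAMPLE_TICKET_SIDS))
    kept, dropped = sid_filter(CHILD_SID, SAMPLE_TICKET_SIDS)
    print("after SID filtering, kept:", kept, "dropped:", dropped)
```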