search

26. Attacking Domain Trusts - Child - Parent Trusts - from Linux

I. Prerequisites

To perform this attack, the following information is required:

  • KRBTGT hash for the child domain.

  • SID for the child domain.

  • Target user name (can be non-existent).

  • FQDN of the child domain.

  • SID of the Enterprise Admins group of the root domain.

II. Steps

hashtag
1. Obtain KRBTGT hash

Use secretsdump.py from Impacket.

Command:

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

hashtag
2. Obtain SID for child domain

Use lookupsid.py from Impacket.

Commands:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240

Filter to get only the Domain SID:

hashtag
3. Obtain SID for Enterprise Admins group

Use lookupsid.py targeting the parent domain's DC.

Command:

hashtag
4. Construct Golden Ticket

Use ticketer.py from Impacket.

Command:

hashtag
5. Set KRB5CCNAME environment variable

Command:

hashtag
6. Gain SYSTEM shell on parent domain DC

Use psexec.py from Impacket.

Command:

hashtag
7. Automate with raiseChild.py

Command:

III. Important Considerations

  • raiseChild.py automates the process, but understanding the manual steps is crucial for troubleshooting.

  • Using "autopwn" scripts in client environments requires caution.

  • A thorough understanding of the underlying tools is paramount.

  • Impacket is a powerful suite of tools that should be used responsibly.

Previous25.Attacking Domain Trusts - Child - Parent Trusts - from WindowsNext10.Breaking Down Boundaries

Last updated