Trusts
Trust Flow
The Diagram below shows how Client from trusted domain can ask for access to other Domain's service.
We can see that in order to allow access to the service hosted on Domain B, a TGT is returned within a TGS-REP signed with the Inter-Realm Trust Key.
Exploitation
It is possible to exploit the TGS REQ (marked red in the diagram above) by forging new TGT using the trust key.
Get the trust key
The trust key is required to forge the Inter-Realm TGT.
Forge the Inter-Realm TGT
Note that krbtgt can be used instead of the trust key.
Options | |
---|---|
FQDN of the current domain | |
SID of the current domain | |
SID to be injected to the SID history | |
RC4 of the trust key | |
krbtgt hash can be used instead of the Trust Key | |
User to impersonate | |
Target service in the parent domain | |
FQDN of the parent domain | |
Path to save the ticket |
Request the TGS and pass it
Last updated