In early 2015, I theorized that it’s possible to forge inter-realm (inter-trust) Kerberos tickets in a similar manner to how intra-domain TGTs (Golden Tickets) and TGSs (Silver Tickets) are forged. Around the same time, Benjamin Delpy updated Mimikatz to dump trust keys from a Domain Controller. Soon after, Mimikatz gained the capability to forge inter-realm trust tickets. Benjamin Delpy added “Kekeo” to GitHub, which includes “AskTGS”, which provides the capability to request TGS service tickets for targeted services in the destination domain and save them to file.

With the tools enabling further research, I was able to explore what is possible with forged cross-trust Kerberos tickets. Note that forging a Kerberos Trust Ticket is similar to forging a Golden Ticket or a Silver Ticket. The key to the power of a Kerberos Trust Ticket within a multi-domain Active Directory forest is Enterprise Admins membership, which easily crosses domain boundaries, providing effective Domain Admin rights in every domain in the AD forest.

I presented on “Trust Tickets” at Shakacon in Hawaii last week. Simply put, Trust Tickets are forged inter-realm Kerberos tickets.

When two Active Directory domains are connected via a trust, they share a password that is used to keep the trust active. This trust password is also used as the shared secret in Kerberos.

I also presented at Black Hat USA 2015 how I enabled Golden Tickets to work across domains in the same forest (aka Enhanced Golden Tickets).

Update: I updated the screenshots to accurately show how the intra-forest trust is exploited using the current version of Mimikatz.

Kerberos communication within a domain is pretty straightforward – the domain Kerberos service account is used to sign and encrypt every authentication ticket (TGT). This enables the TGT to be used throughout the domain and presented to any DC in the domain.