Active Directory Enum & Attacks - Domain Trusts - Child -> Parent

Hello,

I am currently stuck at the question “Perform the ExtraSids attack to compromise the parent domain… obtain the NTLM hash for the Domain Admin user bross.”

I used Mimikatz to dump NTLM hashes once I received a shell on the Domain Controller. However, I could not find anything related to bross, just a local Administrator. Is there any different route to receive that particular NTLM hash?

Many thanks!

Hello Rapunzel3000,

I'm stuck in the same place, but I found the NTLM hash of the bross user.

But this is not the correct answer for the site… :frowning:

Do you have some hints? Thanks

Sent you a pm!

Could be done with Mimikatz.

I instead used the hash of “administrator” that comes out when running “raiseChild.py” and used it with “secretsdump.py” to do a DCSync and get the hash of the user “bross”. There are many ways to do it I think.

5 Likes

Hey guys, stuck on this too. I'm completely confused as to what to do. I can get an admin session on the target host, but what are we meant to do for bross? They've not shown us how to do this before?!

Ah, I found a workaround.

So I was able to find the hash.

But I'm curious if anyone accomplished this using impacket-secretsdump with the -just-dc-user option? I tried many different variations, but I only end up getting

KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos Database)

I've got the ccache file in KRB5CCNAME, and I was able to use psexec with the same/similar options.

Update: Nevermind. Figured it out. Had to request another golden ticket. Not sure what happened with the old one.

Thanks bro, this works for me

1 Like

Stumped on this question. I've seen a few people mention using secretsdump.py, but I'm not sure how to use it and format the syntax; can't get it to work for me. Been trying to use it from the Parrot attack box.

Need help with this please :expressionless:

1 Like

Just use

secretsdump.py -just-dc-ntlm LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Hope this helps, and grep for the bross user.

7 Likes

secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross

6 Likes
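The DCSync step the replies above lean on (lsadump::dcsync, secretsdump.py -just-dc-ntlm) is what a defender can watch for: the DC logs Security event 4662 carrying the replication control-access GUIDs. The following is an added example, not posted by anyone in this thread, that flags such requests coming from accounts that are not known domain controllers; the 4662 records are constructed and the DC account names are an assumption.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.
Added example: the records are constructed; DC account names are assumed."""
import re

# Control-access right GUIDs a replication (DCSync) request exercises.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts legitimately allowed to replicate: the DCs (assumed names for this lab).
KNOWN_DC_ACCOUNTS = {"ACADEMY-EA-DC01$", "ACADEMY-EA-DC02$"}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

def parse_4662(record: str) -> dict:
    """Extract the fields a DCSync detection needs from a flattened key=value 4662 record."""
    fields = dict(re.findall(r"(\w+)=([^;]+)", record))
    return {
        "account": fields.get("SubjectUserName", "").upper(),
        "properties": {g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))},
        "access_mask": int(fields.get("AccessMask", "0"), 16),
    }

def detect_dcsync(records: list[str]) -> list[tuple[str, list[str]]]:
    """Return (account, rights) for replication requests made by non-DC accounts."""
    hits = []
    for rec in records:
        ev = parse_4662(rec)
        rights = sorted(REPLICATION_GUIDS[g] for g in ev["properties"] if g in REPLICATION_GUIDS)
        # 0x100 is Control Access; the replication rights are exercised through it.
        if rights and ev["access_mask"] & 0x100 and ev["account"] not in KNOWN_DC_ACCOUNTS:
            hits.append((ev["account"], rights))
    return hits

# Constructed sample records: normal DC replication, a DCSync from a user, unrelated access.
SAMPLE_4662 = [
    "EventID=4662;SubjectUserName=ACADEMY-EA-DC02$;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=hacker;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=bross;AccessMask=0x10;Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
]

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Only the request from the non-DC account is reported; the same two GUIDs requested by a DC computer account are normal replication and stay quiet.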

Wow, I way overcomplicated it. I used raisechild.py at the end of the module and tried stuff from LOLBins to copy and read the NTDS.dit file using a couple of different methods. Never got it to work on this, but I have used it before. Good knowledge to have in case anyone wants to see how you could do it the "living off the land" way using ntdsutil.exe. Link here → Dumping Domain Controller Hashes Locally and Remotely - Red Team Notes

Thank you, you saved my day.

3 Likes

OK, I'm doing the Windows version of this module, and when trying to get the NT hash for krbtgt with Mimikatz, I keep getting this error. I've tried adding the /domain flag etc. and nothing seems to work. Anyone have any ideas on this error?

mimikatz # lsadump::dcsync /user:logistics\krbtgt
[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'logistics\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

I have even tried using a different Mimikatz binary, but I get the same error?? WTF? Is there another way to get the krbtgt NT hash without Mimikatz?? Google didn't help either.

OK, so I had to use impacket-secretsdump from a Linux host to get the krbtgt NT hash. Still stumped on why Mimikatz is not working on academy-ea-dc02.logistics.inlanefreight.local???

If I remember correctly, I skipped that Mimikatz command. I just copied and pasted the Mimikatz command that creates the golden ticket and ran it, and it worked.

1 Like

Good point, I guess that would've been the easy thing to do, but it takes the fun out of it, you know? Besides, I always assume that I will get different hashes and info while connecting to lab instances, so I don't like to rely on the copy-and-paste thing from the examples.

1 Like