Active Directory Enum & Attacks - Domain Trusts - Child -> Parent


I am currently stuck at the question “Perform the ExtraSids attack to compromise the parent domain… obtain the NTLM hash for the Domain Admin user bross.”

I used Mimikatz to dump NTLM hashes once I received a shell on the Domain Controller. However, I could not find anything related to bross, just a local Administrator. Is there any different route to receive that particular NTLM hash?

Many thanks!

Hello Rapunzel3000

I’m stuck in the same place, but I found the NTLM hash of the bross user.

But this is not the correct answer for the site …

Do you have a hint? Thanks.

Sent you a pm!

Could be done with Mimikatz.

I instead used the hash of “administrator” that comes out when running “” and used it with “” to do a DCSync and get the hash of the user “bross”. There are many ways to do it I think.


Hey guys, stuck on this too. I’m completely confused as to what to do. I can get an admin session on the target host, but what are we meant to do for bross? They’ve not shown us how to do this before?!

Ah, I found a workaround.

So I was able to find the hash.

But I’m curious if anyone accomplished this using impacket-secretsdump with the -just-dc-user option? I tried many different variations, but I only end up getting

KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos Database)

I’ve got the ccache file in KRB5CCNAME, and I was able to use psexec with same/similar options.

Update: Never mind. Figured it out. Had to request another golden ticket. Not sure what happened with the old one.

Thanks bro, this works for me.


Stumped on this question. I’ve seen a few people mention using but I’m not sure how to use it or format the syntax; I can’t get it to work for me. Been trying to use it from the Parrot attack box.

Need help with this, please.

Just use -just-dc-ntlm LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip and grep for the bross user. Hope this helps.

hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross

Wow, I way over-complicated it. I used at the end of the module and tried stuff from LOLBins to copy and read the NTDS.dit file using a couple of different methods. Never got it to work on this one, but I have used it before. Good knowledge to have in case anyone wants to see how you could do it the “living off the land” way using ntdsutil.exe. Link here → Dumping Domain Controller Hashes Locally and Remotely - Red Team Notes