I am currently stuck at the question “Perform the ExtraSids attack to compromise the parent domain… obtain the NTLM hash for the Domain Admin user bross.”
I used Mimikatz to dump NTLM hashes once I received a shell on the Domain Controller. However, I could not find anything related to bross, just a local Administrator. Is there any different route to receive that particular NTLM hash?
I instead used the hash of “administrator” that comes out when running “raiseChild.py” and used it with “secretsdump.py” to do a DCSync and get the hash of the user “bross”. There are many ways to do it I think.
Hey guys, stuck on this too. I’m completely confused as to what to do? I can get an admin session on the target host, but what are we meant to do for bross? They’ve not shown us how to do this before?!
But I’m curious if anyone accomplished this using impacket-secretsdump with the -just-dc-user option? I tried many different variations, but I only end up getting
KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos Database)
I’ve got the ccache file in KRB5CCNAME, and I was able to use psexec with same/similar options.
Update: Never mind. Figured it out. Had to request another golden ticket. Not sure what happened with the old one.
Stumped on this question. Seen a few people mention using secretsdump.py, but not sure how to use it and format the syntax; can’t get it to work for me. Been trying to use it from the Parrot attack box.
Just use
secretsdump.py -just-dc-ntlm LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
Hope this helps, and grep for the bross user.
Wow, I way overcomplicated it. I used raisechild.py at the end of the module and tried stuff from LOLBins to copy and read the NTDS.dit file using a couple of different methods. Never got it to work on this, but I have used it before. Good knowledge to have in case anyone wants to see how you could do it the “living off the land” way using ntdsutil.exe. Link here → Dumping Domain Controller Hashes Locally and Remotely - Red Team Notes