Active Directory Trust Attacks - SID Filter Bypass

bsnun · July 11, 2024, 10:40pm

So, in the Academy module they teach how to request a TGS after crafting a TGT via Golden Ticket Attack with Mimikatz using Kekeo.

I was wondering if there is a way to do it with Rubeus.

I’ve tried supplying the Kirbi file provided in Mimikatz and specifying the DC to logistics with the following command but got error:

.\Rubeus.exe asktgs /ticket:ticket.kirbi /service:cifs/SQL02.logistics.ad@LOGISTICS.AD /dc:DC02.logistics.ad /ptt

v2.2.0

[*] Action: Ask TGS

[] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[] Building TGS-REQ request for: ‘cifs/SQL02.logistics.ad@LOGISTICS.AD’
[*] Using domain controller: DC02.logistics.ad (172.16.118.252)

KRB-ERROR (68) : KDC_ERR_WRONG_REALM

insomnia · July 12, 2024, 1:51am

Hey! Did you try not specifying the DC? Try running the command without /dc to see if Rubeus can find the DC automatically.
.\Rubeus.exe asktgs /ticket:ticket.kirbi /service:cifs/SQL02.logistics.ad@LOGISTICS.AD /ptt

insomnia · July 12, 2024, 1:52am

It could also be a version issue.

bsnun · July 12, 2024, 2:03am

I did. Both returned the same error.

Since it’s a cross-forest attack, I guess not specifying the DC would resort to the current forest/domain DC.

Only Kekeo completed the request.

bsnun · July 12, 2024, 2:04am

I found some older GitHub comments about this, but it was way to older versions.

Topic		Replies	Views
ACTIVE DIRECTORY TRUST ATTACKS [Unconstrained Delegation] Academy academy	6	210	January 9, 2025
Windows Attack & Defense - Golden Ticket Academy windows , kerberos	5	960	August 8, 2024
KERBEROS ATTACKS : Skills Assessment	11	1014	March 3, 2025
Kerberos Attacks - Golden Ticket Academy	1	1483	December 28, 2023
ATTACKING ENTERPRISE NETWORKS - Active Directory Compromise Academy	8	1702	January 17, 2025

Active Directory Trust Attacks - SID Filter Bypass

Related topics