Description
As far as I could check, adauth can currently perform cross-domain authentication with NTLM only, by changing the target DC. An interesting feature that could allow for the development of more tools on top of adauth would be to support referral tickets.
As described in the classic A Guide to Attacking Domain Trusts, and also in many impacket issues that dealt with this sort of issue in the past, the way to authenticate into domain B using a user from domain A (when a proper trust is in place) is to issue a referral ticket first.
For reference, I believe something like this should be the "expected flow" (represented as a sequence of impacket commands, where domain A = creta.local and domain B = draco.local):
- Generate a referral ticket:
  `KRB5CCNAME=joao_couves.ccache python3 getST.py -k -spn krbtgt/draco.local@creta.local creta.local/joao_couves -no-pass`
- Use the referral ticket to generate a proper service ticket for the target:
  `KRB5CCNAME=referral.ccache python3 getST.py -k -no-pass draco.local/creta.local -spn ldap/dc01.draco.local`
- Use the service ticket
I haven't thought of a good way of integrating this sort of flow into adauth, but in theory an implementation using the methods from gssapi.go should be possible (at least for LDAP).
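As an added example (not adauth's or impacket's own code) of the flow in the commands above, this Python helper works out which referral (inter-realm) TGTs a client has to request, in which order and from which realm's KDC, before it can ask the target realm for the service ticket. It generalizes the single-hop creta.local/draco.local case in the issue to a chain of trusts given as a krb5.conf-style capaths map; the trust map, realm names and function names are constructed for the example.

```python
"""Plan the TGS requests needed to reach a service in another Kerberos realm.

Constructed example: the trust graph is a krb5.conf [capaths]-style map
from a realm to the realms it has a usable trust with. A direct trust is
the single-hop case from the issue (creta.local -> draco.local).
"""
from collections import deque


def realm_path(src, dst, trusts):
    """Shortest chain of realms from src to dst over the trust graph.

    Returns [] when dst is unreachable; realm names are compared case-
    insensitively and returned upper-cased, as Kerberos realms usually are.
    """
    src, dst = src.upper(), dst.upper()
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in trusts.get(cur, []):
            nxt = nxt.upper()
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def plan_cross_realm(client_principal, spn, target_realm, trusts):
    """Ordered TGS requests as (kdc_realm, requested_spn) tuples.

    Every intermediate step requests krbtgt/<next realm> from the realm
    whose TGT we currently hold (the "referral ticket" of the issue); the
    final step presents that referral TGT to the target realm's KDC and
    requests the real SPN. A defender sees step one on the home realm's
    KDC as a TGS request whose service name is krbtgt/<foreign realm>.
    """
    home = client_principal.rsplit("@", 1)[1]
    path = realm_path(home, target_realm, trusts)
    if not path:
        raise ValueError(f"no trust path from {home} to {target_realm}")
    steps = [(cur, f"krbtgt/{nxt}@{cur}") for cur, nxt in zip(path, path[1:])]
    steps.append((path[-1], spn))
    return steps
```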