raisechild: Fix parent domain DCSync via DRS RPC over TCP #1108

@kathan3009

Description

Please Describe The Problem To Be Solved
The raisechild module fails when DCSyncing the parent domain after forging a golden ticket. It uses SMB + getKerberosTGS for cifs/parent_dc_host. When the child KDC returns a referral to the parent realm, Impacket does not follow Kerberos referrals, causing KDC_ERR_WRONG_REALM and parent DCSync never completes.

In scope:

  • Fix parent domain DCSync when using a forged golden ticket from the child domain
  • Output credentials in Impacket-style format (e.g. domain/user:rid:lmhash:nthash:::)
  • Support krbtgt and target user (e.g. Administrator) credential retrieval from the parent

Out of scope:

  • Changes to Impacket’s Kerberos referral handling
  • Other modules or protocols

Solution
Use DRS RPC over TCP (ncacn_ip_tcp) to talk to the parent DC, matching Impacket’s raiseChild.py flow, instead of SMB + Kerberos TGS.

Technical implementation:

  • Transport: Use epm.hept_map() to resolve the DRS binding and transport.DCERPCTransportFactory(stringBinding) with ncacn_ip_tcp instead of SMB.
  • Auth: Use TGT-only auth: rpc.set_credentials(..., TGT=creds['TGT']) and rpc.set_kerberos(True), without requesting a TGS for CIFS.
  • DRS flow: DRSBind → hDRSDomainControllerInfo → DRSCrackNames → DRSGetNCChanges → decrypt hashes and supplemental credentials via DecryptAttributeValue, removeDESLayer, and parsing supplementalCredentials for AES keys.
  • Attribute lookup: Use two lookup tables as in Impacket: OID strings (e.g. '1.2.840.113556.1.4.55') for OidFromAttid results and MakeAttid, and numeric IDs (e.g. 0x90037) as fallback when OidFromAttid fails. Previously only numeric IDs were used, so attribute matching failed when OidFromAttid returned OID strings.

Tradeoffs:

  • Child domain DCSync (for krbtgt hash) stays on the existing SMB/secretsdump path; only parent DCSync uses DRS over TCP.
  • Parent DC must be reachable on the DRS RPC port (EPM 135, then dynamic).

Caveats:

  • DNS resolution for the parent domain must work.
  • Firewall must allow RPC to the parent DC.

Relationship to Issue 1: Issue 1 ensures users with DCSync rights are treated as admins and can run raisechild. This issue fixes parent DCSync so that once the golden ticket is forged, parent krbtgt and target user hashes can be retrieved successfully.
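The attribute-lookup point in the description is the easiest part of this change to get wrong, so here is an added example of what it describes. This is not NetExec's or Impacket's own code: it reimplements the MS-DRSR ATTRTYP-to-OID conversion (what Impacket names OidFromAttid and MakeAttid) without pyasn1, over a constructed prefix table that models only the single entry for the 1.2.840.113556.1.4.* attribute prefix, and it uses the one attribute the description cites, 1.2.840.113556.1.4.55 / 0x90037 (dBCSPwd, the LM hash attribute, per Impacket's public lookup tables). It then shows the numeric-only lookup failing on an OID string and the two-table lookup succeeding through either path.

```python
# Added example (not NetExec's or Impacket's own code) showing why the
# attribute lookup in the issue needs both an OID-string table and a
# numeric ATTRTYP table. It reimplements the MS-DRSR ATTRTYP <-> OID
# conversion (Impacket's OidFromAttid / MakeAttid) without pyasn1, over
# a constructed one-entry prefix table.


def ber_subids(oid):
    """BER-encode a dotted OID into its sub-identifier bytes (no tag or
    length), the form MS-DRSR prefix-table entries are stored in."""
    arcs = [int(a) for a in oid.split(".")]
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = []
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.insert(0, (v & 0x7F) | 0x80)
            v >>= 7
        out.extend(chunk)
    return out


def decode_subids(data):
    """Inverse of ber_subids: sub-identifier bytes -> dotted OID string."""
    arcs, v = [], 0
    for b in data:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    x = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [x, arcs[0] - x * 40] + arcs[1:])


def oid_from_attid(prefix_table, attid):
    """ATTRTYP -> OID: the upper 16 bits index the prefix table, the lower
    16 bits carry the OID's last arc (values >= 0x8000 have the two-byte
    flag set). Returns None when the prefix index is unknown, which is
    the case the numeric fallback described in the issue exists for."""
    upper, lower = attid >> 16, attid & 0xFFFF
    prefix = prefix_table.get(upper)
    if prefix is None:
        return None
    if lower >= 0x8000:
        lower -= 0x8000
    # Two-byte form covers last arcs below 16384, which AD schema OIDs use.
    tail = [lower] if lower < 128 else [((lower >> 7) & 0x7F) | 0x80, lower & 0x7F]
    return decode_subids(prefix + tail)


def make_attid(prefix_table, oid):
    """OID -> ATTRTYP, following the rule Impacket's MakeAttid applies:
    last arcs >= 128 get 0x8000 added to the lower word. Unknown prefixes
    are appended to the table (mutating it, as the real routine does)."""
    last = int(oid.split(".")[-1])
    encoded = ber_subids(oid)
    prefix = encoded[:-1] if last < 128 else encoded[:-2]
    for ndx, entry in prefix_table.items():
        if entry == prefix:
            break
    else:
        ndx = max(prefix_table, default=-1) + 1
        prefix_table[ndx] = prefix
    lower = last if last < 128 else last + 0x8000
    return (ndx << 16) | lower


# Constructed prefix table: entry 9 is the prefix shared by the AD schema
# attribute OIDs 1.2.840.113556.1.4.* (the index matches the built-in
# MS-DRSR table, but only this one entry is modelled here).
PREFIX_TABLE = {9: ber_subids("1.2.840.113556.1.4.0")[:-1]}

# The two lookup tables from the issue, populated with the single
# attribute it cites (dBCSPwd, the LM hash): one keyed by OID string,
# one keyed by the numeric ATTRTYP.
ATTR_BY_OID = {"1.2.840.113556.1.4.55": "dBCSPwd"}
ATTR_BY_ATTID = {0x90037: "dBCSPwd"}


def resolve_attribute_old(prefix_table, attid):
    """Pre-fix behaviour: OidFromAttid's OID string is looked up in a
    table keyed by numeric IDs, so it never matches."""
    return ATTR_BY_ATTID.get(oid_from_attid(prefix_table, attid))


def resolve_attribute(prefix_table, attid):
    """Fixed behaviour: match the OID string first, fall back to the
    numeric ATTRTYP when OidFromAttid cannot resolve the prefix.
    Returns (name, path) or (None, None)."""
    oid = oid_from_attid(prefix_table, attid)
    if oid in ATTR_BY_OID:
        return ATTR_BY_OID[oid], "oid"
    if attid in ATTR_BY_ATTID:
        return ATTR_BY_ATTID[attid], "attid"
    return None, None


if __name__ == "__main__":
    print(hex(make_attid(dict(PREFIX_TABLE), "1.2.840.113556.1.4.55")))
    print(oid_from_attid(PREFIX_TABLE, 0x90037))
    print(resolve_attribute_old(PREFIX_TABLE, 0x90037))
    print(resolve_attribute(PREFIX_TABLE, 0x90037))
    print(resolve_attribute({}, 0x90037))
```

Running it shows 0x90037 and 1.2.840.113556.1.4.55 converting into each other through prefix entry 9, the numeric-only lookup returning None for the decoded OID string, and the two-table lookup resolving the attribute by OID when the prefix is known and by numeric ID when it is not. Note that the decoder accepts a lower word both with and without the 0x8000 flag, so an ATTRTYP built by make_attid and one emitted by a DC for the same attribute decode to the same OID.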
