search

πŸͺŸAttacking Domain Trusts From Windows

hashtag
SID History

domain,The sidHistory is used in migration scenarios. If a user in one domain is migrated to another domain a new account is created in the second domain. The original user's SID will added to the new user's SID history attribute ensuring that the user can access the original domain still.

It is intended to work across all domain but can work in the same domain. We can use Mimikatz to perform SID history inject and add admin accounts to the SID history attribute of an account they control.

hashtag
ExtraSids Attack β€” MimiKatz

This allows for the compromise of a parent domain once the child domain has been compromised. Within the same AD forst the sidHiostory property is respected due to a lack of SID filtering protection.

To perform this attack after compromising a child domain, we need the following:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain.

  • The SID of the Enterprise Admins group of the root domain.

  • With this data collected, the attack can be performed with Mimikatz.

hashtag
Obtaining the KRBTGT Account's NT Hash

We need to obtain the NT hash for the KRBTGT account which a service account for the Key Distribution Center (KDC) in AD. If we have compromised the child domain we can login as a Domain Admin and perform the DCSysnc attack. 

mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'LOGISTICS\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/1/2021 11:21:33 AM
Object Security ID   : S-1-5-21-2806153819-209893948-922872689-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 9d765b482771505cbe97411065964d5f
    ntlm- 0: 9d765b482771505cbe97411065964d5f
    lm  - 0: 69df324191d4a80f0ed100c10f20561e

hashtag
Using Get-DomainSID

Gets the SID for the child domain with PowerView

hashtag
Obtaining Enterprise Admins Group's SID using Get-DomainGroup

We can obtain the SID for the Enterprise Admins group in the parent domain.

hashtag
Data Points So Far

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user. We can use a fake user to create our Golden Ticket.

  • The FQDN of the child domain

  • The SID of the Enterprise Admins Group of the root domain

hashtag
Using ls to Confirm No Access

hashtag
Creating a Golden Ticket with Mimikatz

hashtag
Confirming Ticket is in Memory

We confirm that Kerberos Ticket for the new non-existent user is in memory

hashtag
Lisiting the Entire C: Drive of the DC

hashtag
ExtraSids Attack β€” Rubeus

We can also use Rubeus to perform the same attack. We first check like before to see if we get "No Access" before running Rubeus.

hashtag
Creating a Golden Ticket Using Rubeus

We next run Rubeus with the /rc4 flag and pass the NT hash and then use the /sids flag to pass the sids for the account

hashtag
Confirming the Ticket is in Memory using klist

We once again check to see if the ticket is in memory

hashtag
Performing a DCSync Attack

Finally, we can run the DCSync attack against the parent domain, target the lad_adm Domain Admin user in this case

If we're dealing with multiple domain and our target domain is not the same as the user's domain, then we will need to specify the exact domain to perform the DCSync attack. We can do this with the /domain flag.

PreviousDomain TrustsNextAttacking Domain Trusts From Linux

Last updated