Attacking Domain Trusts
Child -> Parent - From Windows
This section showcases a technique to compromise a parent domain once a child domain has been compromised. The technique taught in this section relies on creating a Golden Ticket that leverages the sidHistory attribute.
The sidHistory attribute refers to the original SID of an account when that account is migrated from one domain to another. Migrating an account between domains requires creating a new user. The sidHistory attribute allows the new account to keep accessing resources in the domain it came from.
In the ExtraSids attack, a Golden Ticket is created for an existing or fake user. This user is granted a sidHistory attribute corresponding to an administrative group that exists only in the parent domain, the Enterprise Admins group. Members of this group can access any resource in the forest.
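The pattern described above (an account from the child domain carrying the parent domain's Enterprise Admins SID in its sidHistory / extra SIDs) is something a defender can check for directly. The following Python snippet is an added example, not part of the original notes or of any tool mentioned here: it splits domain-relative SIDs into domain part and RID and flags entries that name a privileged well-known group (RIDs 512, 518, 519) in a domain other than the account's own. All SIDs in it are constructed sample values.

```python
"""Added example (not from the original notes): flag a sidHistory / ExtraSids
entry that references a privileged group in a different domain than the
account's own, which is the pattern this page describes (a child-domain ticket
carrying the parent domain's Enterprise Admins SID).
All SIDs below are constructed sample values, not real lab identifiers."""
import re

# Well-known RIDs of built-in privileged domain groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain-relative SIDs have the shape S-1-5-21-<A>-<B>-<C>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def split_sid(sid: str):
    """Split S-1-5-21-A-B-C-RID into (domain_sid, rid).

    Only domain-relative SIDs are accepted: other SIDs have no domain part
    and cannot express a group membership in a parent domain."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain-relative SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def suspicious_extra_sids(account_domain_sid: str, extra_sids):
    """Return (sid, group_name) for every entry in extra_sids that points at a
    privileged group outside the account's own domain.

    A legitimate sidHistory from a migration carries SIDs of the account's
    former domain, normally user RIDs; a privileged group RID that belongs
    to another domain is the ExtraSids abuse pattern."""
    findings = []
    for sid in extra_sids:
        domain_sid, rid = split_sid(sid)
        if domain_sid != account_domain_sid and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


# Constructed sample values (not the lab's real SIDs).
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
PARENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

if __name__ == "__main__":
    # Extra SIDs of a child-domain account: parent domain SID + RID 519.
    ticket_extra_sids = [PARENT_DOMAIN_SID + "-519"]
    for sid, name in suspicious_extra_sids(CHILD_DOMAIN_SID, ticket_extra_sids):
        print(f"ALERT: extra SID {sid} maps to {name} of another domain")
```

The same function works on sidHistory values read from the directory (for example the output of a directory query over user objects) as well as on the extra SIDs decoded from a ticket's PAC; the input is just a list of SID strings.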
Golden Ticket
A Golden Ticket is a TGT forged by the attacker for an existing or fake user. From the point of view of any resource or DC, this TGT is legitimate since it is signed with the hash of the KRBTGT account. The Golden Ticket attack is a persistence/lateral movement technique, since the attacker must already know the KRBTGT hash to sign the forged TGT.
Mitigation: Regularly rotating the KRBTGT account password prevents persistence techniques such as the Golden Ticket attack.
To perform this attack, an attacker needs the following information:
The KRBTGT hash for the child domain.
The SID of the child domain.
The name of a target user in the child domain (can be arbitrary and non-existent, such as hacker).
The FQDN of the child domain.
The SID of the Enterprise Admins group of the root domain.
Step 1: Retrieve the KRBTGT hash
Mimikatz can be used to retrieve the KRBTGT NT hash via a DCSync attack.
Step 2: Retrieve the SID of the child domain
The SID of the child domain can be retrieved in many ways, for example with the PowerView command:
Step 3: Retrieve the SID of the Enterprise Admins group
We can use PowerView or the Get-ADGroup cmdlet.
Step 4: Creating a Golden Ticket with Mimikatz
The command below creates a Golden Ticket for the non-existent user hacker. This TGT is saved in memory on the compromised host.
/sid: the SID of the child domain
/krbtgt: the NT hash of the KRBTGT account
/sids: the SID of the Enterprise Admins group
/ptt: performs the pass-the-ticket step, injecting the forged ticket into the current session
Step 5: Verifying our access
To verify that the forged TGT is in memory:
To verify that we can access the share located on the parent domain:
Alternative using Rubeus
Rubeus can also be used to create a Golden Ticket.
/rc4: the KRBTGT NT hash
/sid: the child domain's SID
/sids: the Enterprise Admins group's SID
Step 6: Performing a DCSync attack
To demonstrate our ownership of the parent domain, we can perform a DCSync attack against the parent domain controller.
In the command below, we are targeting the lab_adm user, which is a domain administrator.
Child -> Parent - From Linux
The same Golden Ticket attack from above can be performed from a Linux attack box. The objective is the same: compromise the parent domain from a compromised child domain. The exact same steps are performed, but with a different set of tooling.
Step 1: Obtaining the KRBTGT NT hash
From a Linux attack host, we can use the Impacket script secretsdump.py to retrieve the KRBTGT hash. This step assumes that we have already compromised the child domain, so the KRBTGT hash can be retrieved.
Step 2: Obtaining the child domain and Enterprise Admins group SIDs
Use the tool lookupsid.py from Impacket to get the child domain SID.
In the command below, 172.16.5.240 is the IP of the DC in the child domain:
We can run the same command again, this time targeting the DC of the parent domain, to get the Enterprise Admins group SID.
Step 3: Forge the Golden Ticket
The script ticketer.py from Impacket can be used to forge a Golden Ticket that grants our (fake) user access to resources in both the child and the parent domain. The ticket is saved in the .ccache format.
In the command below, the -domain-sid flag corresponds to the child domain SID, while -extra-sid matches the Enterprise Admins SID. hacker is the fake user for which the Golden Ticket is forged.
We can then export the KRB5CCNAME environment variable pointing to the .ccache file that was created.
Step 4: Getting a System Shell
psexec.py can be used to get a SYSTEM shell on the parent domain DC.
Automation
All the steps above can be automated with the raiseChild.py script. In the command below, 172.16.5.5 is the parent domain DC. htb_student_adm is an administrative user in the child domain whose password is known. The result of this command is a SYSTEM shell on the 172.16.5.5 host.