Attacking Domain Trusts - Child -> Parent Trusts - from Linux

We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:

  • The KRBTGT hash for the child domain

  • The SID for the child domain

  • The name of a target user in the child domain (does not need to exist!)

  • The FQDN of the child domain

  • The SID of the Enterprise Admins group of the root domain

Once we have complete control of the child domain, LOGISTICS.INLANEFREIGHT.LOCAL, we can use secretsdump.py to DCSync and grab the NTLM hash for the KRBTGT account.

Performing DCSync with secretsdump.py

[!bash!]$ secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt

Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up...

Next, we can use lookupsid.py from the Impacket toolkit to perform SID brute forcing to find the SID of the child domain. In this command, whatever we specify for the IP address (the IP of the domain controller in the child domain) will become the target domain for a SID lookup. The tool will give us back the SID for the domain and the RIDs for each user and group, which can be combined to form their SID in the format DOMAIN_SID-RID. For example, from the output below, we can see that the SID of the lab_adm user would be S-1-5-21-2806153819-209893948-922872689-1001.

Performing SID Brute Forcing using lookupsid.py

We can filter out the noise by piping the command output to grep and looking for just the domain SID.

Looking for the Domain SID

Next, we can rerun the command, targeting the INLANEFREIGHT Domain Controller (DC01) at 172.16.5.5, grab the domain SID S-1-5-21-3842939050-3880317879-2865463114 and attach the RID of the Enterprise Admins group. Here is a handy list of well-known SIDs.

Grabbing the Domain SID & Attaching to Enterprise Admin's RID

We have gathered the following data points to construct the command for our attack. Once again, we will use the non-existent user hacker to forge our Golden Ticket.

  • The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f

  • The SID for the child domain: S-1-5-21-2806153819-209893948-922872689

  • The name of a target user in the child domain (does not need to exist!): hacker

  • The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL

  • The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050-3880317879-2865463114-519

Next, we can use ticketer.py from the Impacket toolkit to construct a Golden Ticket. This ticket will be valid to access resources in the child domain (specified by -domain-sid) and the parent domain (specified by -extra-sid).

Constructing a Golden Ticket using ticketer.py

The ticket will be saved to our system as a credential cache (ccache) file, which is a file used to hold Kerberos credentials. Setting the KRB5CCNAME environment variable tells the system to use this file for Kerberos authentication attempts.

Better Way to do it

  • -aesKey … → child krbtgt AES key (needed to forge the TGT).

  • -domain child.warfare.corp → ticket is issued in the child domain.

  • -domain-sid S-1-5-21-3754860944-83624914-1883974761 → SID of the child domain.

  • -user-id 1106 → RID of the user (corpmngr) inside the child.

  • -groups 512,513,516,518 → puts the forged user in Domain Admins, Domain Users, Schema Admins, Enterprise Admins (child).

  • -extra-sid S-1-5-21-3375883379-808943238-3239386119-519 → makes the ticket assert membership in Enterprise Admins of the parent domain.

  • -extra-sid S-1-5-9 → marks the ticket as a trusted domain user (required for inter-domain trusts).

corpmngr is now a Domain Admin in child.warfare.corp, an Enterprise Admin in the parent/root domain (via the extra SID), and also holds trusted DC rights (S-1-5-9).


🔹 Quick Reference for the Groups Used

  • 512 → Domain Admins (always there)

  • 513 → Domain Users (normal accounts, makes ticket look legit)

  • 519 → Enterprise Admins (forest-wide, only valid in root domain, so we inject via -extra-sid)

  • S-1-5-9 → Enterprise Domain Controllers (lets you traverse trusts)
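As an added example (not code from the page, from Impacket, or from the lab), the Python below parses and builds SIDs in the DOMAIN_SID-RID form described for lookupsid.py above, names the well-known RIDs from the quick reference, and simulates the SID filtering a quarantined trust would apply to the SIDs a child-domain ticket asserts, which is what strips the -extra-sid values. The quarantine rule used here (keep only SIDs relative to the trusted domain's own SID) is a simplification of the real Netlogon rules and is an assumption; the sample SIDs are the page's own child and parent domain SIDs.

```python
import re
from typing import List, Optional, Tuple

# Domain SID prefix with an optional RID, e.g. S-1-5-21-2806153819-209893948-922872689-1001
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# Well-known RIDs and SIDs discussed on the page
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
WELL_KNOWN_SIDS = {"S-1-5-9": "Enterprise Domain Controllers"}


def split_sid(sid: str) -> Tuple[str, Optional[int]]:
    """Split a domain-relative SID into (domain SID, RID); RID is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def build_sid(domain_sid: str, rid: int) -> str:
    """Form DOMAIN_SID-RID, as the page describes for lookupsid.py output."""
    domain, extra = split_sid(domain_sid)
    if extra is not None:
        raise ValueError("expected a bare domain SID")
    return f"{domain}-{rid}"


def describe(sid: str) -> str:
    """Human-readable name for a well-known SID or RID, otherwise a generic description."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    domain, rid = split_sid(sid)
    if rid is None:
        return f"domain SID {domain}"
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid} of {domain}")


def filter_trust_sids(trusted_domain_sid: str, asserted: List[str]) -> Tuple[List[str], List[str]]:
    """Simplified SID filtering (quarantine), assumed here: keep only SIDs relative to the
    trusted domain's own SID; drop foreign-domain SIDs and well-known SIDs such as S-1-5-9."""
    kept, dropped = [], []
    for sid in asserted:
        m = DOMAIN_SID_RE.match(sid)
        if m and m.group(1) == trusted_domain_sid and m.group(2) is not None:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


if __name__ == "__main__":
    child = "S-1-5-21-2806153819-209893948-922872689"     # child domain SID from the page
    parent = "S-1-5-21-3842939050-3880317879-2865463114"  # parent domain SID from the page
    # Group SIDs a forged child ticket asserts (constructed from the page's values)
    asserted = [build_sid(child, 512), build_sid(child, 513), build_sid(parent, 519), "S-1-5-9"]
    for sid in filter_trust_sids(child, asserted)[1]:
        print(f"filtered by the trust: {sid} ({describe(sid)})")
```

Within a forest this filtering is not applied to the child/parent trust by default, which is why the forest, not the domain, is the security boundary.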

Setting the KRB5CCNAME Environment Variable

We can check if we can successfully authenticate to the parent domain's Domain Controller using Impacket's version of PsExec (psexec.py). If successful, we will be dropped into a SYSTEM shell on the target Domain Controller.

Getting a SYSTEM shell using Impacket's psexec.py

  1. psexec.py

    • This is a Python script from Impacket that allows you to execute commands on a remote Windows machine using SMB (Server Message Block).

    • It mimics Microsoft's PsExec tool, but works over SMB.

  2. LOGISTICS.INLANEFREIGHT.LOCAL/[email protected]

    • This specifies the domain and user credentials:

      • LOGISTICS.INLANEFREIGHT.LOCAL → The Active Directory domain.

      • hacker → The username being used to authenticate.

      • academy-ea-dc01.inlanefreight.local → The Domain Controller (DC) the authentication request is sent to.

  3. -k (Kerberos authentication)

    • This tells psexec.py to use the Kerberos ticket from the current session instead of requiring a password.

  4. -no-pass

    • No password is provided. It relies on Kerberos authentication (as specified with -k) or an existing authentication method.

  5. -target-ip 172.16.5.5

    • This specifies the target machine's IP address where the command should be executed.

    • This could be the Domain Controller (DC) or any other remote system within the network.


What This Command Does

  • It attempts to remotely execute commands on 172.16.5.5 using the hacker account.

  • It authenticates with Kerberos (-k) instead of prompting for a password.

  • If successful, it will gain SYSTEM-level access on the target machine (if privileges allow it).


Potential Issues & Considerations

  1. Privileges Required

    • The hacker account must have admin privileges on the target (172.16.5.5), or the command will fail.

    • To verify privileges, use:

  2. Kerberos Ticket Needed

    • Since -k is used, a valid Kerberos TGT (Ticket Granting Ticket) must already exist.

    • Check for a Kerberos ticket with:

Impacket also has the tool raiseChild.py, which will automate escalating from child to parent domain. We need to specify the target domain controller and credentials for an administrative user in the child domain; the script will do the rest. If we walk through the output, we see that it starts by listing out the child and parent domains' fully qualified domain names (FQDN). It then:

  • Obtains the SID for the Enterprise Admins group of the parent domain

  • Retrieves the hash for the KRBTGT account in the child domain

  • Creates a Golden Ticket

  • Logs into the parent domain

  • Retrieves credentials for the Administrator account in the parent domain

Finally, if the -target-exec switch is specified, it authenticates to the parent domain's Domain Controller via PsExec.

Service Ticket

Generate service ticket

We got a CIFS service ticket for the Domain Controller as “corpmngr”; let’s extract the Administrator's NTLM hash using the secretsdump script.

Performing the Attack with raiseChild.py

The script lists out the workflow and process in a comment as follows:

Though tools such as raiseChild.py can be handy and save us time, it is essential to understand the process and be able to perform the more manual version by gathering all of the required data points. In this case, if the tool fails, we are more likely to understand why and be able to troubleshoot what is missing, which we would not be able to do if blindly running this tool. In a client production environment, we should always be careful when running any sort of "autopwn" script like this, and always remain cautious and construct commands manually when possible. Other tools exist which can take in data from a tool such as BloodHound, identify attack paths, and perform an "autopwn" function that attempts to perform each action in an attack chain to elevate us to Domain Admin (such as a long ACL attack path). I would recommend avoiding tools such as these and working with tools that you understand fully and that give you the greatest degree of control throughout the process.

We don't want to tell the client that something broke because we used an "autopwn" script!

Dumping Hashes

Breaking It Down (component: explanation):

  • secretsdump.py: Impacket tool used to dump password hashes from a Windows domain controller.

  • Credential string: The user (hacker) authenticating against the Domain Controller (academy-ea-dc01.inlanefreight.local).

  • -k: Uses Kerberos authentication instead of NTLM or plaintext passwords.

  • -no-pass: Tells secretsdump.py not to prompt for a password, since it's using Kerberos (-k).

  • -just-dc-ntlm: Extracts only NTLM hashes from the NTDS.DIT database on the DC.

  • -just-dc-user bross: Dumps credentials only for user bross, instead of all users.

Note: if the full dump is giving errors, dump only the NTLM hashes (-just-dc-ntlm).
