Intranet learning notes (7)
2022-06-25 02:08:00 【seven six nine】
Cross-domain attack and defense
- 1. Cross-domain attack methods
- 2. Analysis of cross-domain attacks using domain trust relationships
- 2.2 Domain trust relationship analysis
- 2.3 Getting domain information
- 2.4 Using the domain trust key to obtain permissions in the target domain
- 2.5 Using the krbtgt hash to obtain permissions in the target domain
- 2.6 External trust and forest trust
- 2.7 Leveraging unconstrained delegation and MS-RPRN to obtain trust permissions
- 3. Preventing cross-domain attacks
Many large enterprises have their own intranet, and resources are generally shared through a domain forest. Departments with different functions are logically divided into a main domain and sub-domains, which is convenient for unified management. At the physical level, firewalls are usually used to divide subsidiaries and departments into different zones. If an attacker obtains domain controller permissions for a subsidiary or a department, but not for the intranet of the whole company, they will often look for ways to obtain permissions in other departments or domains. Therefore, when deploying network boundaries, understanding how an attacker moves across domains in an existing network allows you to deploy the intranet more securely and prevent attacks more effectively.
1. Cross-domain attack methods
Common cross-domain attack methods include: exploiting a web vulnerability to gain cross-domain access; pass-the-hash or pass-the-ticket attacks using a known domain hash value (for example, the local administrator password of the domain controllers may be the same); and cross-domain attacks using domain trust relationships.
2. Analysis of cross-domain attacks using domain trust relationships
The role of domain trust is to solve the problem of cross-domain resource sharing in a multi-domain environment.
A domain does not unconditionally accept credentials from other domains; only credentials from trusted domains are accepted. By default, all users in a given Windows domain can authenticate to the resources within that domain. In this way, a domain can provide its users with secure access to all resources in the domain. If a user wants to access resources outside this boundary, a domain trust is required.
Domain trust is a mechanism of domains that allows users in another domain to access resources in this domain after authentication. At the same time, domain trust relies on DNS servers to locate the domain controllers of the two different domains; if the domain controllers of the two domains cannot find each other, cross-domain resource sharing through the trust relationship is not possible.
2.2 Domain trust relationship analysis
Domain trust relationships are divided into one-way trust and two-way trust.
- A one-way trust is a trust path created between two domains, in which the access flow goes in one direction only. In a one-way trust between a trusting domain and a trusted domain, users (or computers) in the trusted domain can access resources in the trusting domain, but users in the trusting domain cannot access resources in the trusted domain. In other words, if domain A trusts domain B, trusted principals in domain B can access those resources in domain A that trust domain B.
- A two-way trust is a combination of two one-way trusts: the trusting domain and the trusted domain trust each other, and there are trust flows and access flows in both directions. This means that authentication requests can be passed between the two domains in both directions. All domain trust relationships in Active Directory are bidirectional. When a child domain is created, a bidirectional transitive trust relationship is automatically created between the new child domain and the parent domain, so an authentication request from a subordinate domain can flow up through its parent domain to the trusted domain.
Trust relationships can also be divided into internal trust and external trust.
- By default, when the Active Directory installation wizard is used to add a new domain to a domain tree or to the forest root domain, a two-way transitive trust is automatically created. When a domain tree is created in an existing forest, a new tree-root trust is built. The trust relationship between two or more domains in the current domain tree is called internal trust. This trust relationship is transitive. For example, given three sub-domains BA, CA and DA, if domain BA trusts domain CA and domain CA trusts domain DA, then domain BA also trusts domain DA.
- External trust refers to a trust relationship between domains in two different forests. External trust is non-transitive and one-way. Starting with Windows Server 2003, domain trust relationships became bidirectional and transitive. In Windows operating systems, only users in the Domain Admins group can manage domain trust relationships.
2.3 Getting domain information
In a domain, members of the Enterprise Admins group (which exists only in the forest root domain) have full control over all domains in the forest. By default, this group is a member of the Administrators group on every domain controller in the forest.
Here we use the LG.exe tool. LG.exe is a utility command-line tool written in C++ for managing local user groups and domain local user groups. In penetration testing, this tool can be used to enumerate the users and groups of a remote host.
2.4 Using the domain trust key to obtain permissions in the target domain
First, set up a suitable domain environment. The details of the trust environment in the domain forest are as follows:
- Domain controller of parent domain : pentest.lab ( Windows Server 2012 R2 ).
- The domain controller of the subdomain : us.pentest.lab( Windows Server 2012 R2 ).
- Computers in the subdomain : pc.us.pentest.test.com ( Windows 7).
- Ordinary users in the subdomain : us\test
In this experiment, mimikatz is used to export and forge the trust key on the domain controller, and kekeo is used to request a TGS ticket for the target service in the target domain. With these two tools, the penetration tester can create a ticket carrying sidHistory and perform security tests against the target domain.
On us.pentest.lab.com, use mimikatz to obtain the required information with the following command:
mimikatz.exe privilege::debug "lsadump::lsa /patch /user:test$" "lsadump::trust /patch" exit

After obtaining the information, execute the following on a computer in the domain (pc.us.pentest.test.com) with ordinary domain user permissions (sub\test).
Use mimikatz to create the trust ticket:
mimikatz "Kerberos::golden /domain:sub.test.com /sid S-1-5-21-3265761439-1148378407-2742098900 /sids:S-1-5-21-2850215151-526022293-2118279608 /rc4:3e0208a9073c8be3801600f311457fcd /user:DarthVader /service:krbtgt /target:pentest.lab /ticket:test.kirbi" exit
The domain parameter specifies the current domain name; sid specifies the SID of the current domain; sids specifies the SID of the target domain (in this experiment with RID 519, indicating that the user created by the penetration tester belongs to the administrator group of the target domain); rc4 specifies the trust key; user specifies the forged user name; service specifies the service to be accessed; target specifies the target domain name; ticket specifies the file name in which to save the ticket. Note that the repeated prompt text seen when accessing the domain controller for the first time is caused by abnormal output from mimikatz during execution.
Use the newly created test.kirbi to obtain a TGS for the target service in the domain and save it to a file:
Asktgs test.kirbi CIFS/pentest.pentest.lab
Inject the obtained TGS ticket into memory:
Kirbikator lsa CIFS.pentest.pentest.lab.kirbi
Access the target service:
dir \\dc.test.com\C$
2.5 Using the krbtgt hash to obtain permissions in the target domain
With mimikatz, sidHistory can be set when building a golden ticket. Therefore, if an attacker obtains the krbtgt hash of any domain in the forest, they can use sidHistory to obtain full permissions over the forest. Let's analyze this process. First, use PowerView on a computer in the domain (pc.sub.test.com) with ordinary domain user permissions (sub\test) to obtain the SIDs of the current domain and the target domain. Common commands for obtaining a domain user's SID are "wmic useraccount get name,sid", "whoami /user", "adfind.exe -sc u:test|findstr sid" and PowerView.
On the domain controller, use mimikatz to obtain the krbtgt hash:
mimikatz.exe privilege::debug "lsadump::lsa /patch /user:krbtgt"
sekurlsa::krbtgt exit
On a computer within the sub-domain, with ordinary user rights (sub\test), construct and inject the golden ticket to obtain permissions in the target domain:
mimikatz "Kerberos::golden /user:Administrator /domain:sub.test.com /sid: /sids: /krbtgt: /ptt" exit
The user parameter specifies the user name; domain specifies the current domain name; sid specifies the SID of the current domain; sids specifies the SID of the target domain (in this experiment with RID 519, indicating that the user created by the penetration tester belongs to the administrator group of the target domain); krbtgt specifies the krbtgt hash; ptt indicates that the ticket is injected into memory.
Enter the following command to access the target service:
dir \\dc.test.com\C$
2.6 External trust and forest trust
In this experiment, the forest trust environment is as follows.
- Domain controller of the current forest: dc.a.com (Windows Server 2012 R2).
- Domain controller of the target forest: bdc.b.com (Windows Server 2012 R2).
- Domain controller of the current domain: adc1.a.com (Windows Server 2012 R2).
- Domain controller of the target domain: bdc1.b.com (Windows Server 2012).
View the trust relationships of the external trust environment:
nltest /domain_trusts
1. Using the trust relationship to obtain information about the trusting domain
Because external trusts and forest trusts have a SID filtering mechanism, SID History cannot be used to gain access.
In this experiment, the adfind tool is used to obtain complete information about the trusting domain. Next, obtain the details of the Administrator user.
Enter the following command to export the information of all users:
adfind -h bdc1.b.com -sc u:Administrator
By comparing the user lists of the target domain and the current domain, find the users that exist in both domains.
2. Using PowerView to locate sensitive users
Execute the following commands to list the foreign users in the target domain's user groups:
. .\PowerView.ps1
Get-DomainForeignGroupMember -Domain B.com
2.7 Leveraging unconstrained delegation and MS-RPRN to obtain trust permissions
If the attacker has already obtained permissions in one domain of the domain forest, they can use the RpcRemoteFindPrinterChangeNotification(Ex) method of MS-RPRN to make a domain controller in the trusting forest send an authentication request to a controlled server, and use the captured data to obtain the hash of any user in the trusting forest.
3. Preventing cross-domain attacks
Web applications on the intranet are more vulnerable than those on the public network. A web application server placed on the public network is usually protected by a WAF and similar equipment, and professional maintenance staff carry out regular security inspections. A web application server placed on the intranet is mostly for internal office use (or serves as a test server), so its security is valued less: weak passwords are often used, or patches are not applied in time.
After obtaining privileges on the domain controller of the current domain, an attacker will check whether the local administrator password of that domain controller is the same as that of other domain controllers, and whether, when the networks of the two domains are not isolated, the other domain can be attacked laterally through pass-the-hash. In many companies, although different domains are divided among different departments, the domain administrators may be the same people, so the domain administrator user names and passwords may be the same. Good security habits in daily network maintenance are needed to effectively prevent cross-domain attacks.
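The sidHistory attacks in 2.5 and 2.6 succeed or fail depending on whether a trust filters SIDs, so a defender's first check is an inventory of the domain's trusts. The following is an added example, not code from the original notes: it classifies trusts from the MS-ADTS trustAttributes and trustDirection values that an LDAP query for (objectClass=trustedDomain) returns and flags those where injected sidHistory would not be filtered. The sample records are constructed and only reuse the page's lab domain names.

```python
# Added example (not from the original notes): audit a domain's trusts for the
# SID-filtering weaknesses behind the sidHistory attacks described on this page.
# Bit values are the MS-ADTS trustAttributes flags.
NON_TRANSITIVE     = 0x01
QUARANTINED_DOMAIN = 0x04   # SID filter quarantine on an external trust
FOREST_TRANSITIVE  = 0x08   # forest trust
WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest
TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled (relaxed filtering)
USES_RC4           = 0x80   # RC4 allowed for Kerberos on this trust

DIRECTION = {1: "inbound", 2: "outbound", 3: "bidirectional"}


def classify_trust(attrs: int) -> str:
    """Return 'intra-forest', 'forest' or 'external' from the attribute bits."""
    if attrs & WITHIN_FOREST:
        return "intra-forest"
    if attrs & FOREST_TRANSITIVE:
        return "forest"
    return "external"


def audit_trust(name: str, attrs: int, direction: int) -> dict:
    """Classify one trust and list the findings a defender should review."""
    kind = classify_trust(attrs)
    findings = []
    if kind == "intra-forest":
        findings.append("no SID filtering inside a forest: a child-domain krbtgt hash or "
                        "trust key gives forest-wide admin via sidHistory (RID 519)")
    elif kind == "forest" and attrs & TREAT_AS_EXTERNAL:
        findings.append("forest trust treated as external: sidHistory with RID >= 1000 "
                        "from the other forest is honoured")
    elif kind == "external" and not attrs & QUARANTINED_DOMAIN:
        findings.append("external trust without SID filter quarantine")
    if attrs & USES_RC4:
        findings.append("RC4 enabled on the trust (legacy cipher; prefer AES trust keys)")
    return {"name": name, "type": kind,
            "direction": DIRECTION.get(direction, "unknown"), "findings": findings}


# Constructed sample records standing in for LDAP trustedDomain objects.
SAMPLE_TRUSTS = [
    {"name": "us.pentest.lab", "trustAttributes": WITHIN_FOREST, "trustDirection": 3},
    {"name": "b.com", "trustAttributes": FOREST_TRANSITIVE | TREAT_AS_EXTERNAL, "trustDirection": 3},
    {"name": "partner.example", "trustAttributes": QUARANTINED_DOMAIN | NON_TRANSITIVE, "trustDirection": 2},
]


def audit_all(trusts):
    return [audit_trust(t["name"], t["trustAttributes"], t["trustDirection"]) for t in trusts]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_TRUSTS):
        print(f'{r["name"]} [{r["type"]}, {r["direction"]}]', *r["findings"], sep="\n  ")
```

The intra-forest finding is by design and cannot be configured away, which is why the forest, not the domain, is the security boundary.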