AD Foreign domain | dcsync

Md. Mahim Bin Firoj
4 min readDec 26, 2021

--

This CVE-2021–42287 and CVE-2021–42278 is related to PAC confusion and domain controller impersonation.

You can use Rubeus tool for PAC forging.

so lets see how this could be exploited.

Here TGT is being issued without the PAC. using rubeus tool we can use /nopac switch to request a TGT without PAC. now you can say why? because we are using low priv user account when requesting for TGT which is internal.user

if we dont use /nopac switch then DC would attach the PAC of this low priv user when sending TGT back to us. which we dont want. we want DC will add the PAC when service ticket is requested showing the TGT that has no PAC. This could only be done by configuring altsecurityidentities.

we need to modify the altsecurityidentities attribute of a foreign domain account to impersonate that user. we will impersonate external.admin user of the foreign domain once the attack is successful.

kerberos:samaccountname@domain

kerberos:external.admin@external.zeroday.lab

here there are two domains.

internal.zeroday.lab and external.zeroday.lab

trust relationship has been made between this two domains already. see the link below for better understanding.

By giving the above image command, we can see that internal.user has GenericAll active directory rights over the high priv user external.admin. so proceed with below image.

now we shall asing TGT for internal.user to our local DC using /nopac switch:

local dc name is: idc1.internal.zeroday.lab

ok we now have the TGT which has nopac, that is why TGT looks small/short. now using this TGT we can request a referral to external domain from our local dc.

as two domain controllers can talk to each other because trust relationship has been made already between them so our local dc can forward the request to our foreign domain. then we will get the krbtgt service ticket.

That referral then can be used to request ST’s for services on our target domain which is external.zeroday.lab Here I’m requesting a ST for LDAP/EDC1.external.zeroday.lab the external DC’s LDAP service instead of krbtgt service. that means you are telling your local dc you want to avail ldap service of foreign domain:

so in the above image command, just replace krbtgt with ldap.

through the above image command is missing but i am helping you.

/service:ldap/external.zeroday.lab and /dc:edc1.external.zeroday.lab and you have already the TGS. you can see that the ticket is big because PAC has been added. how it is added, we will discuss it soon.

we can see that the service ticket is for internal.user which has no special priv.

using this ticket we can perform dcsync attack using mimikatz tool.

what happened here is the external dc searched for the account (internal.user) in its local database. but it will not found that. then it checks if there is any account that has this internal.user account listed on its altsecurityidentities attributes!!! which external.admin does because we added it earlier. and that is why DC adds PAC belonging to that account (internal.user).

we have now effectively priv on the external.admin user of the external.zeroday.lab domain.

credit and reference:

--

--

No responses yet