In Active Directory, a trust is a relationship between two domains that lets principals of one domain authenticate to, and access resources in, the other. Which side can reach which depends on the trust's direction and transitivity (see Trust Traits below).
Enumeration
Enumerate the trusts of the current (child) domain with PowerView's Get-DomainTrust (use -Domain [fqdn] to enumerate another domain, e.g. the parent). The output includes TrustDirection and TrustAttributes, which determine what the trust actually gives you (see Trust Traits below).
Trust Traits
- Direction: a trust is one-way or two-way. In a one-way trust where domain A trusts domain B, users in B can access resources in A; access flows in the opposite direction to the trust. From A's point of view the trust is outbound (A is the trusting domain), from B's it is inbound (B is the trusted domain). A two-way (bidirectional) trust is simply two one-way trusts in opposite directions.
- Transitivity: a transitive trust can be chained with other trusts. For example, if A transitive-trusts B and B transitive-trusts C, then A effectively trusts C, and users in C can access resources in A. A non-transitive trust ends the chain: it covers only the two domains directly party to it. Trusts between domains of the same forest (parent-child, tree-root) are transitive; an external trust to a single foreign domain is not.
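The following example is added here and is not part of the original notes. It shows how direction and transitivity combine by computing, for one resource domain, which domains' principals can reach it. The input objects mimic the shape of PowerView's Get-DomainTrust output (SourceName, TargetName, TrustDirection, TrustAttributes); the trusts and domain names are constructed, and the transitivity rule (transitive unless NON_TRANSITIVE is set, SID filtering and selective authentication ignored) is a simplifying assumption.

```powershell
# Added example (not from the original notes): which domains' principals can
# reach resources in a given domain, following trust direction and transitivity.
# Input objects mimic PowerView's Get-DomainTrust output (SourceName, TargetName,
# TrustDirection, TrustAttributes). The trusts and domain names below are
# constructed. Simplifying assumption: a trust is transitive unless its
# attributes contain NON_TRANSITIVE; SID filtering and selective authentication
# are ignored.

function Get-TrustEdges {
    param([object[]]$Trusts)
    # One edge per trust direction: Trusting -> Trusted, meaning principals of
    # Trusted can access resources in Trusting.
    foreach ($t in $Trusts) {
        $transitive = ([string]$t.TrustAttributes -notmatch 'NON_TRANSITIVE')
        $dir = [string]$t.TrustDirection
        if ($dir -in 'Outbound', 'Bidirectional') {   # Source trusts Target
            [pscustomobject]@{ Trusting = $t.SourceName; Trusted = $t.TargetName; Transitive = $transitive }
        }
        if ($dir -in 'Inbound', 'Bidirectional') {    # Target trusts Source
            [pscustomobject]@{ Trusting = $t.TargetName; Trusted = $t.SourceName; Transitive = $transitive }
        }
    }
}

function Get-DomainsWithAccessTo {
    param([object[]]$Trusts, [string]$ResourceDomain)
    $edges = @(Get-TrustEdges -Trusts $Trusts)
    $reach = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    [void]$reach.Add($ResourceDomain)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    # First hop: every trust the resource domain has grants its trusted domain
    # access, transitive or not; only a transitive hop may be chained further.
    foreach ($e in ($edges | Where-Object { $_.Trusting -eq $ResourceDomain })) {
        [void]$reach.Add($e.Trusted)
        if ($e.Transitive) { $queue.Enqueue($e.Trusted) }
    }
    # Later hops: only transitive trusts extend the chain.
    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        foreach ($e in ($edges | Where-Object { $_.Trusting -eq $d -and $_.Transitive })) {
            if ($reach.Add($e.Trusted)) { $queue.Enqueue($e.Trusted) }
        }
    }
    $reach | Sort-Object
}

# Constructed sample: a two-domain forest plus one external trust in each direction.
$sampleTrusts = @(
    [pscustomobject]@{ SourceName = 'child.corp.local'; TargetName = 'corp.local';  TrustDirection = 'Bidirectional'; TrustAttributes = 'WITHIN_FOREST' }
    [pscustomobject]@{ SourceName = 'corp.local';       TargetName = 'partner.com'; TrustDirection = 'Outbound';      TrustAttributes = 'NON_TRANSITIVE' }  # corp.local trusts partner.com
    [pscustomobject]@{ SourceName = 'child.corp.local'; TargetName = 'dev.lab';     TrustDirection = 'Inbound';       TrustAttributes = 'NON_TRANSITIVE' }  # dev.lab trusts child.corp.local
)

foreach ($domain in 'corp.local', 'child.corp.local', 'partner.com', 'dev.lab') {
    $who = @(Get-DomainsWithAccessTo -Trusts $sampleTrusts -ResourceDomain $domain)
    '{0,-17} resources are reachable by principals of: {1}' -f $domain, ($who -join ', ')
}
```

In the sample, partner.com principals reach corp.local directly but never child.corp.local, because the corp.local to partner.com trust is non-transitive and cannot be chained onto the parent-child trust; likewise corp.local principals cannot reach dev.lab. On a live domain, pass the output of Get-DomainTrust (or Get-DomainTrustMapping for every reachable domain) as -Trusts instead of the constructed list.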
Parent-child Two-way Trusts
A parent domain and each of its child domains are linked by an automatically created two-way transitive trust.
A child domain admin can be elevated to parent domain admin by forging a golden ticket for the child domain whose SID history carries the SID of the parent domain's Enterprise Admins group (parent domain SID + RID 519). SID history was originally intended for migrations: a user moved to another domain keeps the old SIDs so that existing access is preserved. Because SID filtering is not enforced between domains of the same forest, the parent DC accepts the injected SID. Required inputs: the child domain's krbtgt key (DCSync), the child domain SID and the parent domain SID.
Inject (pass) the forged ticket and access the parent DC, e.g. its C$ share or a DCSync of the parent's krbtgt.
The same trick applies to a diamond ticket: use /sids: to add the parent's Enterprise Admins SID (parent domain SID with RID 519) as SID history, and specify 500 (Administrator) as the ticket user RID.
Other ways to exploit a trust without domain admin:
- Kerberoast or AS-REP roast accounts across the trust (users of the trusted domain can request service tickets in the trusting domain).
- With unconstrained delegation on a compromised child domain machine, capture the TGTs of parent domain principals that authenticate to it.
- Hijack an RDP session of a parent domain user on a machine you control.
One-way trusts
Inbound
Attack Overview
- Goal: obtain access to the foreign domain
- Requirement: an existing inbound trust, i.e. the foreign domain trusts the current domain
First find the trusting foreign domain with Get-DomainTrust (look for a TrustDirection of Inbound, or Bidirectional).
To actually exploit the trust, we must find a group in the foreign domain that contains members from the current domain: an inbound trust only lets our principals authenticate there, it does not by itself grant them any rights.
After compromising a member of such a group (and assuming the group has admin privileges in the foreign domain), we can use the trust to authenticate to the foreign domain's DC as that member and take it over.
OPSEC note
All inter-realm (referral) tickets use rc4_hmac by default regardless of the encryption type of the original TGT, because the trust key is RC4 unless AES was explicitly enabled on the trust; do not be alarmed when you see rc4 on them.
Outbound
Outbound trusts can still be exploited to gain regular user access on the trusted domain by obtaining the shared trust credential (the trust key). That key is the password of the inter-domain trust account, named TrustingDomainName$, that exists in the trusted domain, so it can be used to authenticate there as that account.
Two methods can be used to get the shared credential:
Method 1: memory patching of LSASS on a DC of the trusting domain (risky)
Method 2: DCSync
With the key, we can request a TGT for TrustingDomainName$ from the trusted domain's KDC. As with the inter-realm tickets above, the key is RC4 by default.
Rubeus.exe asktgt /user:CYBER$ /domain:msp.org /rc4:[trust-key-rc4-hex] /nowrap
Although the trust account carries no additional privilege in the trusted domain, being an authenticated principal there opens up many more attack opportunities (enumeration, Kerberoasting and AS-REP roasting) that are unavailable from outside.