🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. Forest Trust Abuse

Intra-Forest Attacks

PreviousSID Filter BypassNextConfiguration Naming Context Replication

Last updated 1 year ago

Foreign Group Membership and ACL Principals

Through and it's possible get a direct foothold into another domain without having to exploit any misconfiguration or perform any attack.

Unconstrained Delegation

can allow to move from a child domain to the parent one by abusing the ; let's imagine the following scenario: DC02 serves as the Child Domain Controller within the domain dev.domain.com, while DC01 operates as the Parent Domain Controller within the domain domain.com.

First we can start the monitor command in Rubeus and then we can execute SpoolSample to exploit the printer bug, forcing DC01 (the Parent DC) to authenticate to a host under our control, which in this case is DC02 (the Child DC). By leveraging this exploit, we can trigger an authentication attempt from the Parent DC to the Child DC, thereby facilitating the interception of DC01's Ticket Granting Ticket (TGT).

.\Rubeus.exe monitor /interval:5 /nowrap
.\SpoolSample.exe dc01.domain.com dc02.dev.domain.com

If the attack worked a new TGT for DC01$ should get detected by Rubeus and we're now able to renew it and use it to access a host in the other domain.

.\Rubeus.exe renew /ticket:<TICKET> /ptt

Configuration Naming Context Replication

refers to a offensive tactic wherein attackers exploit the replication mechanism of the Configuration Naming Context in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure.

ADCS NC Replication Attack

The consists in abusing permissions over the Configuration Naming Context so that we can add a new vulnerable certificate template to the Certificate Templates container, then we give the Domain Administrator user of the child domain Full Control over said certificate, publish it and wait for the changes to propagate.

After the NC is replicated back to the parent domain we can request the certificate for root\Administrator for the child domain.

The easiest vulnerable template to set up is [[01 - ESC1 | ESC1]].

After the template is published we can request it and abuse ESC1 as we normally would.

GPO On-Site Attack

This allows to set a backdoor (a backdoored user) on the parent DC that we can request a TGT for.

GoldenGMSA Attack

It will allow to get a NTLM hash of the account's password to request a TGT into the other domain.

DNS Trust Attack

can be used to move from the child domain to the parent one by creating a malicious GPO on the Child DC and linking it to the Default Replication site of the parent DC.

A can be used if we discover a gMSA account in a parent domain we can compromise it from the child domain with the tool and obtain its password.

attack abuses the unauthorized modification of DNS records within of the database locations of a parent domain from within a child domain; redirection of traffic can allow for MITM attacks.

This
This technique
GoldenGMSA
GoldenGMSA Attack
Foreign Group Membership
Foreign ACL Principals
Unconstrained Delegation
Configuration Naming Context (NC) replication abuse
attack
Printer Bug Method