Domain Trusts

Domain Trust Overview

A trust is used to establish forest-to-forest or domain-to-domain authentication. This allows users to access resources in another domain, outside of the domain where their account lives. A trust creates a link between the authentication systems of the two domains and may allow either one-way or two-way communication.

The types of trust that can be created are:

  • Parent-child: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain corp.inlanefreight.local could authenticate into the parent domain inlanefreight.local, and vice-versa.

  • Cross-link: A trust between child domains to speed up authentication.

  • External: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust uses SID filtering, which filters out authentication requests (by SID) that do not come from the trusted domain.

  • Tree-root: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.

  • Forest: A transitive trust between two forest root domains.

  • ESAE: A bastion forest used to manage Active Directory.

Trusts can be transitive or non-transitive.

Transitive Trusts

The trust is extended to objects that the trusted child domain itself trusts. For example, take three domains: Domain A has a trust with Domain B, and Domain B has a transitive trust with Domain C. Domain A will then automatically trust Domain C.

Non-Transitive Trusts

The trust applies only to the child domain itself and is not extended to any other domain that the child domain trusts.

Trust Table Side By Side

Transitive                                              | Non-Transitive
--------------------------------------------------------|--------------------------------------------
Shared, 1 to many                                       | Direct trust
The trust is shared with anyone in the forest           | Not extended to next-level child domains
Forest, tree-root, parent-child, and cross-link trusts  | Typical for external or custom trust setups
are transitive                                          |

Trusts can be set up in two directions:

  • One-way trust: Users in a trusted domain can access resources in a trusting domain, not vice-versa.

  • Bidirectional trust: Users from both trusting domains can access resources in the other domain. For example, in a bidirectional trust between INLANEFREIGHT.LOCAL and FREIGHTLOGISTICS.LOCAL, users in INLANEFREIGHT.LOCAL would be able to access resources in FREIGHTLOGISTICS.LOCAL, and vice-versa.

Trusts are often set up incorrectly and can provide us with critical unintended attack paths.

A Graphical Representation of Trust Types

Enumerating Trust Relationships

Using Get-ADTrust

Import-Module activedirectory
Get-ADTrust -Filter *

.....
Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=FREIGHTLOGISTICS.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : FREIGHTLOGISTICS.LOCAL
ObjectClass             : trustedDomain
ObjectGUID              : 1597717f-89b7-49b8-9cd9-0801d52475ca
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=INLANEFREIGHT,DC=LOCAL
Target                  : FREIGHTLOGISTICS.LOCAL
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False
.....

We can see from the output that INLANEFREIGHT.LOCAL has two domain trusts. ForestTransitive set to True means this is a forest trust or external trust.

Checking for Existing Trusts using Get-DomainTrust

We can use PowerView to enumerate which trusts exist:

Get-DomainTrust

Using Get-DomainTrustMapping

We can also perform a domain trust mapping, which walks the trusts it discovers and provides information such as the type of trust and the direction of the trust:

Get-DomainTrustMapping
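The following PowerShell is an added example, not code from the original page, from the ActiveDirectory module authors, or from PowerView. It serves two of the steps above: it reproduces what Get-DomainTrustMapping does (follow each discovered trust into the partner domain and list that domain's trusts in turn) using only Get-ADTrust, and it decodes the TrustAttributes bitmask shown in the Get-ADTrust output (the value 8 in the sample is FOREST_TRANSITIVE). The flag values follow the MS-ADTS trustAttributes definition; the function names (Get-TrustMap, Get-TrustFindings, ConvertTo-TrustAttributeNames) are ours, and the findings column surfaces the settings a defender reviewing trusts would want to see, such as an external trust without SID filtering.

```powershell
# Added example (not from the original page, the AD module, or PowerView).
# Recursively maps trusts with Get-ADTrust and decodes TrustAttributes.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes LDAP attribute (MS-ADTS).
$TrustAttributeFlags = @{
    0x1   = 'NON_TRANSITIVE'
    0x2   = 'UPLEVEL_ONLY'
    0x4   = 'QUARANTINED_DOMAIN'   # SID filtering enforced on an external trust
    0x8   = 'FOREST_TRANSITIVE'    # the "TrustAttributes : 8" seen in the sample output
    0x10  = 'CROSS_ORGANIZATION'   # selective authentication
    0x20  = 'WITHIN_FOREST'        # parent-child / tree-root
    0x40  = 'TREAT_AS_EXTERNAL'    # forest trust with SID filtering relaxed to external-trust level
    0x80  = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
}

function ConvertTo-TrustAttributeNames {
    param([int]$Value)
    $names = foreach ($flag in ($TrustAttributeFlags.Keys | Sort-Object)) {
        if ($Value -band $flag) { $TrustAttributeFlags[$flag] }
    }
    if ($names) { $names -join ',' } else { 'NONE' }
}

function Get-TrustFindings {
    # Settings a defender reviewing a trust object would want flagged.
    param($Trust)
    $attr = [int]$Trust.TrustAttributes
    $findings = @()
    $isExternal = (-not $Trust.IntraForest) -and (-not $Trust.ForestTransitive)
    if ($isExternal -and -not ($attr -band 0x4)) {
        $findings += 'external trust without SID filtering (QUARANTINED_DOMAIN not set)'
    }
    if ($Trust.ForestTransitive -and ($attr -band 0x40)) {
        $findings += 'forest trust TREAT_AS_EXTERNAL: SID history from the partner forest is accepted'
    }
    if ($Trust.Direction -eq 'BiDirectional' -and -not $Trust.SelectiveAuthentication) {
        $findings += 'two-way trust without selective authentication'
    }
    if ($attr -band 0x80) { $findings += 'USES_RC4_ENCRYPTION set' }
    if ($findings) { $findings -join '; ' } else { '' }
}

function Get-TrustMap {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Domain)) { return }
    $Seen[$Domain] = $true
    try {
        # Querying the partner domain needs a reachable DC there and a trust path
        # that lets our account authenticate; otherwise record it as unreachable.
        $trusts = Get-ADTrust -Server $Domain -Filter * -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Source = $Domain; Target = '(unreachable)'; Direction = ''
                           Attributes = ''; Findings = $_.Exception.Message }
        return
    }
    foreach ($t in $trusts) {
        [pscustomobject]@{
            Source     = $Domain
            Target     = $t.Target
            Direction  = $t.Direction
            Attributes = ConvertTo-TrustAttributeNames -Value $t.TrustAttributes
            Findings   = Get-TrustFindings -Trust $t
        }
        # Follow the trust into the partner domain to pick up its own trusts.
        Get-TrustMap -Domain $t.Target -Seen $Seen
    }
}

Get-TrustMap | Format-Table -AutoSize
```

Run it from a domain-joined host as an account that can read the System container of each domain. The Seen hashtable is passed by reference, so a bidirectional trust (which appears once from each side) is walked only once per domain, and a domain whose DC cannot be reached from the current position is reported rather than aborting the whole map.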

Checking Users in the Child Domain using Get-DomainUser

We can perform enumeration across the trusts, for example listing the users of a child domain:

Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

Using netdom to query Domain Trusts

netdom can retrieve information about the domain, including servers, workstations, and domain trusts:

netdom query /domain:inlanefreight.local trust

Using netdom to query Domain Controllers

netdom query /domain:inlanefreight.local dc
List of domain controllers with accounts in the domain:

ACADEMY-EA-DC01
The command completed successfully.

Using netdom to query Workstations and Servers

netdom query /domain:inlanefreight.local workstation
List of workstations with accounts in the domain:

ACADEMY-EA-MS01
ACADEMY-EA-MX01      ( Workstation or Server )

SQL01      ( Workstation or Server )
ILF-XRG      ( Workstation or Server )
MAINLON      ( Workstation or Server )
CISERVER      ( Workstation or Server )
INDEX-DEV-LON      ( Workstation or Server )
...SNIP...

Visualizing Trust Relationships with BloodHound

We can also use BloodHound to visualize these trust relationships with the Map Domain Trusts pre-built query.
