Domain Trusts

Domain Trust Overview

A trust is used to establish forest-to-forest or domain-to-domain authentication. It allows users to access resources in a domain other than the one that holds their account. A trust links the authentication systems of the two domains and may allow either one-way or two-way communication.

The types of trust that can be created are:

  • Parent-child: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain corp.inlanefreight.local could authenticate into the parent domain inlanefreight.local, and vice-versa.

  • Cross-link: A trust between child domains to speed up authentication.

  • External: A non-transitive trust between two separate domains in separate forests that are not already joined by a forest trust. This type of trust uses SID filtering, which discards authentication requests (by SID) that do not originate from the trusted domain.

  • Tree-root: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.

  • Forest: A transitive trust between two forest root domains.

  • ESAE: A bastion forest used to manage Active Directory.

Trusts can be transitive or non-transitive.

Transitive Trusts

A transitive trust is extended to the domains that the trusted domain itself trusts. For example, take three domains: Domain A has a trust with Domain B, and Domain B has a transitive trust with Domain C. Domain A will then automatically trust Domain C.

Non-Transitive Trusts

A non-transitive trust applies only between the two domains that are directly party to it; it is not extended to any other domain that either of them trusts.

Trust Table Side By Side

Transitive

  • Shared, 1 to many

  • The trust is shared with anyone in the forest

  • Forest, tree-root, parent-child, and cross-link trusts are transitive

Non-Transitive

  • Direct trust

  • Not extended to next-level child domains

  • Typical for external or custom trust setups

Trusts can be set up in two directions:

  • One-way trust: Users in the trusted domain can access resources in the trusting domain, but not vice-versa.

  • Bidirectional trust: Users from both trusting domains can access resources in the other domain. For example, in a bidirectional trust between INLANEFREIGHT.LOCAL and FREIGHTLOGISTICS.LOCAL, users in INLANEFREIGHT.LOCAL would be able to access resources in FREIGHTLOGISTICS.LOCAL, and vice-versa.

Trusts are often set up incorrectly and can provide us with critical unintended attack paths.

A Graphical Representation of Trust Types

Enumerating Trust Relationships

Using Get-ADTrust

We can see from the output that INLANEFREIGHT.LOCAL has two domain trusts. ForestTransitive set to True means this is a forest trust or external trust.
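As an added example, not part of the original notes or of any tool the notes describe, the following PowerShell uses Get-ADTrust from the RSAT ActiveDirectory module to list every trust of the current domain and summarise the properties discussed above (direction, transitivity, intra-forest versus forest or external, SID filtering quarantine). The classification rules in the comments are this example's own reading of the Get-ADTrust properties, and the optional -Server value is a placeholder for whichever domain or DC you query.

```powershell
# Added example: audit the trusts of the current domain with the ActiveDirectory module.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-TrustAudit {
    [CmdletBinding()]
    param(
        # Optional domain or DC to query (e.g. 'inlanefreight.local', a placeholder); defaults to the current domain
        [string]$Server
    )

    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        # IntraForest covers parent-child, tree-root and cross-link trusts inside one forest.
        # ForestTransitive marks a forest trust; any other trust that leaves the forest is external.
        $kind = if ($_.IntraForest)          { 'Intra-forest (parent-child / tree-root / cross-link)' }
                elseif ($_.ForestTransitive) { 'Forest' }
                else                         { 'External' }

        [pscustomobject]@{
            Source        = $_.Source
            Target        = $_.Target
            Direction     = $_.Direction                 # Inbound, Outbound or BiDirectional
            Kind          = $kind
            Transitive    = -not $_.DisallowTransivity   # the module spells this property name this way
            SidQuarantine = $_.SIDFilteringQuarantined   # True when the quarantine (SID filtering) flag is set
            SelectiveAuth = $_.SelectiveAuthentication
        }
    }
}

# Full listing first, then the subset a reviewer checks first: external trusts that allow
# access in both directions and do not carry the SID filtering quarantine flag.
$audit = Get-TrustAudit
$audit | Format-Table -AutoSize

$audit |
    Where-Object { $_.Kind -eq 'External' -and $_.Direction -eq 'BiDirectional' -and -not $_.SidQuarantine } |
    ForEach-Object { Write-Warning "Bidirectional external trust $($_.Source) <-> $($_.Target) without SID filtering quarantine" }
```

The warning is deliberately limited to external trusts: forest trusts enforce SID filtering through a different attribute than the quarantine flag, so checking SIDFilteringQuarantined on them would produce false alarms.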

Checking for Existing Trusts using Get-DomainTrust

We can use PowerView to enumerate what trusts exist.

Using Get-DomainTrustMapping

We can also perform a domain trust mapping, which provides information such as the type of trust and the direction of the trust.

Checking Users in the Child Domain using Get-DomainUser

We can perform enumeration across the trusts.
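The three PowerView steps above (Get-DomainTrust / Get-DomainTrustMapping, then Get-DomainUser against the trusted domain) combined into one script, as an added example that is not from the original notes or from PowerView itself. It assumes PowerView.ps1 has already been dot-sourced from a path of your choosing; no domain names are hard-coded, and the Get-TrustedDomainUserSummary function is this example's own wrapper.

```powershell
# Added example: map every trust reachable from the current domain with PowerView, then
# enumerate users in each trusted domain. Assumes PowerView has been loaded beforehand, e.g.
#   . .\PowerView.ps1     (placeholder path for wherever the copy lives)

# Get-DomainTrustMapping walks the trusts recursively and returns one object per trust
# with SourceName, TargetName, TrustType, TrustAttributes and TrustDirection.
$trusts = Get-DomainTrustMapping
$trusts | Format-Table SourceName, TargetName, TrustType, TrustAttributes, TrustDirection -AutoSize

function Get-TrustedDomainUserSummary {
    [CmdletBinding()]
    param(
        # Trust objects as returned by Get-DomainTrustMapping
        [Parameter(Mandatory)] $Trusts,
        # Report only accounts with adminCount=1 (protected accounts) instead of every user
        [switch]$AdminOnly
    )

    # Every domain that appears on either side of a trust, once
    $domains = $Trusts | ForEach-Object { $_.SourceName; $_.TargetName } | Sort-Object -Unique

    foreach ($domain in $domains) {
        # Get-DomainUser -Domain queries the other domain's LDAP directly across the trust
        $userArgs = @{ Domain = $domain; Properties = 'samaccountname', 'admincount', 'useraccountcontrol' }
        if ($AdminOnly) { $userArgs['AdminCount'] = $true }

        $users = @(Get-DomainUser @userArgs)
        [pscustomobject]@{
            Domain    = $domain
            UserCount = $users.Count
            Accounts  = ($users | Select-Object -ExpandProperty samaccountname) -join ', '
        }
    }
}

# One row per domain in the trust map, listing the protected accounts found in each
Get-TrustedDomainUserSummary -Trusts $trusts -AdminOnly | Format-Table -AutoSize
```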

Using netdom to query Domain Trusts

This tool can retrieve information about the domain, including servers, workstations and domain trusts.

Using netdom to query Domain Controllers

Using netdom to query Workstation and Servers
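The netdom queries from the three headings above, gathered into a single object, as an added example that is not from the original notes. It assumes netdom.exe is available (it ships with RSAT and on domain controllers); the default domain name is a placeholder, and the Get-NetdomInventory function and its header-stripping filter are this example's own.

```powershell
# Added example: collect the netdom query output the notes describe into one object.
# netdom.exe comes with RSAT / domain controllers; the default domain below is a placeholder.
function Get-NetdomInventory {
    [CmdletBinding()]
    param([string]$Domain = 'inlanefreight.local')   # placeholder domain name

    # Each netdom query prints a header line, one entry per line and a trailing status line.
    # Keep only the entry lines so the counts below are meaningful.
    function Invoke-NetdomQuery([string]$Object) {
        $lines = & netdom query /domain:$Domain $Object
        $lines |
            Where-Object { $_ -and $_ -notmatch '^(List of|The command|Direction|[=-]+$)' } |
            ForEach-Object { $_.Trim() }
    }

    [pscustomobject]@{
        Domain            = $Domain
        Trusts            = @(Invoke-NetdomQuery 'trust')        # direction, trusted\trusting domain, trust type
        DomainControllers = @(Invoke-NetdomQuery 'dc')
        Workstations      = @(Invoke-NetdomQuery 'workstation')
        Servers           = @(Invoke-NetdomQuery 'server')
    }
}

# Usage: run the four queries once and print a short summary of what came back
$inventory = Get-NetdomInventory
"{0}: {1} trust(s), {2} DC(s), {3} workstation(s), {4} server(s)" -f $inventory.Domain,
    $inventory.Trusts.Count, $inventory.DomainControllers.Count,
    $inventory.Workstations.Count, $inventory.Servers.Count
$inventory.Trusts
```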

Visualizing Trust Relationships with BloodHound

We can also use BloodHound to visualize these trust relationships with the Map Domain Trusts pre-built query.
