PenTest – Trust – Relationship

| 3 janvier 2024 | Non classé | Aucun commentaire
  • One-way
  • Domain B trusts A
  • Users in Domain A can access resources in Domain B
  • Users in Domain B cannot access resources in Domain A
  • Two-way
  • Domain A trusts Domain B
  • Domain B trusts Domain A
  • Authentication requests can be passed between the two domains in both directions

Enumerate trusts between domains

  • Native nltest 
    nltest /trusted_domains
  • PowerShell GetAllTrustRelationships 
    ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

SourceName          TargetName                    TrustType      TrustDirection
----------          ----------                    ---------      --------------
domainA.local      domainB.local                  TreeRoot       Bidirectional
  • Crackmapexec module enum_trusts 
    cme ldap <ip> -u <user> -p <pass> -M enum_trusts

Exploit trusts between domains

⚠ Require a Domain-Admin level access to the current domain.

Source Target Technique to use Trust relationship
Root Child Golden Ticket + Enterprise Admin group (Mimikatz /groups) Inter Realm (2-way)
Child Child SID History exploitation (Mimikatz /sids) Inter Realm Parent-Child (2-way)
Child Root SID History exploitation (Mimikatz /sids) Inter Realm Tree-Root (2-way)
Forest A Forest B PrinterBug + Unconstrained delegation ? Inter Realm Forest or External (2-way)

References

About The Author

Add a Comment

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *