27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

I. Cross-Forest Kerberoasting

Concept: Performing Kerberoasting across domain trusts to obtain credentials for accounts in other domains.

Steps:

Enumerate SPNs:

Use PowerView:

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Verify account privileges:

Use PowerView:

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform Kerberoasting:

Use Rubeus with the /domain: flag:

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Crack the hash:
- Use Hashcat to crack the obtained hash.

Key Takeaway:

Exploiting trusts to gain access to privileged accounts in other domains.

II. Admin Password Re-Use & Group Membership

Password Re-Use:

Checking for password reuse across domains with bidirectional trusts.
If an attacker gains credentials in one domain, they might work in another.

Group Membership:

Enumerating foreign group memberships to find accounts with cross-domain privileges.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verify Access:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaway:

Exploiting weak password management and misconfigured group memberships.

III. SID History Abuse - Cross Forest

Concept:

Abusing SID history across forest trusts when SID filtering is not enabled.
Allows accounts to retain privileges from their original domain after migration.

Mechanism:

Adding SIDs from one forest to the sidHistory attribute of accounts in another.
The user retains the rights of the added SID in their token.

Key Takeaway:

Exploiting misconfigurations in trust relationships to maintain or gain privileges.

IV. Important Considerations:

Cross-forest attacks can significantly expand an attacker's reach.
Enumeration and verification are crucial steps.
Password reuse is a very common issue.
SID filtering is very important to have enabled.

Previous10.Breaking Down Boundaries Next28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Last updated 12 days ago

27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

I. Cross-Forest Kerberoasting

Concept: Performing Kerberoasting across domain trusts to obtain credentials for accounts in other domains.

Steps:

Enumerate SPNs:

Use PowerView:

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Verify account privileges:

Use PowerView:

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform Kerberoasting:

Use Rubeus with the /domain: flag:

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Crack the hash:
- Use Hashcat to crack the obtained hash.

Key Takeaway:

Exploiting trusts to gain access to privileged accounts in other domains.

II. Admin Password Re-Use & Group Membership

Password Re-Use:

Checking for password reuse across domains with bidirectional trusts.
If an attacker gains credentials in one domain, they might work in another.

Group Membership:

Enumerating foreign group memberships to find accounts with cross-domain privileges.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verify Access:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaway:

Exploiting weak password management and misconfigured group memberships.

III. SID History Abuse - Cross Forest

Concept:

Abusing SID history across forest trusts when SID filtering is not enabled.
Allows accounts to retain privileges from their original domain after migration.

Mechanism:

Adding SIDs from one forest to the sidHistory attribute of accounts in another.
The user retains the rights of the added SID in their token.

Key Takeaway:

Exploiting misconfigurations in trust relationships to maintain or gain privileges.

IV. Important Considerations:

Cross-forest attacks can significantly expand an attacker's reach.
Enumeration and verification are crucial steps.
Password reuse is a very common issue.
SID filtering is very important to have enabled.

Previous10.Breaking Down Boundaries Next28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Last updated 12 days ago