28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

I. Cross-Forest Kerberoasting

Concept: Leveraging Kerberoasting across domain trusts to extract and crack credentials from accounts in other domains.

Steps:

1. Enumerate SPNs:

   • Use PowerView to list Service Principal Names (SPNs):

     Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

2. Verify Account Privileges:

   • Check if the target account has privileged group memberships:

     Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

3. Perform Kerberoasting:

   • Request and extract service tickets for cracking:

     .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

4. Crack the Hash:

   • Use Hashcat (mode 13100) to crack the extracted ticket hash.

Key Takeaways:

• Cross-forest Kerberoasting exploits domain trust relationships.

• Privileged accounts with SPNs can be targeted for credential extraction.

---

II. Admin Password Reuse & Group Membership

Password Reuse:

• Evaluating password reuse across trusted domains with bidirectional trusts.

• If an attacker compromises credentials in one domain, they may gain access to another.

Group Membership Enumeration:

• Identifying cross-domain privileges through foreign group memberships.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verifying Access:

• Test access using PowerShell remoting:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaways:

• Weak password policies and reused credentials increase risk.

• Identifying privileged accounts across domains is crucial for security assessments.

---

III. SID History Abuse in Cross-Forest Attacks

Concept:

• Exploiting SID history in inter-forest trusts when SID filtering is not enforced.

• Migrated accounts can retain privileges from their original domain.

Mechanism:

• Injecting SIDs from one forest into the sidHistory attribute of accounts in another.

• The modified account inherits the permissions associated with the added SID.

Key Takeaways:

• Misconfigurations in trust relationships can lead to privilege escalation.

• Proper SID filtering must be enabled to prevent unauthorized privilege retention.

---

IV. Security Considerations:

• Cross-forest attacks significantly expand an attacker’s ability to escalate privileges.

• Continuous monitoring and auditing of trust relationships are essential.

• Enforcing strong password policies and SID filtering can mitigate risk.

• Properly securing privileged accounts with limited SPN exposure reduces attack surface.