28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

I. Cross-Forest Kerberoasting

Concept: Leveraging Kerberoasting across domain trusts to extract and crack credentials from accounts in other domains.

Steps:

Enumerate SPNs:

Use PowerView to list Service Principal Names (SPNs):

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Verify Account Privileges:

Check if the target account has privileged group memberships:

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform Kerberoasting:

Request and extract service tickets for cracking:

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Crack the Hash:
- Use Hashcat (mode 13100) to crack the extracted ticket hash.

Key Takeaways:

Cross-forest Kerberoasting exploits domain trust relationships.
Privileged accounts with SPNs can be targeted for credential extraction.

II. Admin Password Reuse & Group Membership

Password Reuse:

Evaluating password reuse across trusted domains with bidirectional trusts.
If an attacker compromises credentials in one domain, they may gain access to another.

Group Membership Enumeration:

Identifying cross-domain privileges through foreign group memberships.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verifying Access:

Test access using PowerShell remoting:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaways:

Weak password policies and reused credentials increase risk.
Identifying privileged accounts across domains is crucial for security assessments.

III. SID History Abuse in Cross-Forest Attacks

Concept:

Exploiting SID history in inter-forest trusts when SID filtering is not enforced.
Migrated accounts can retain privileges from their original domain.

Mechanism:

Injecting SIDs from one forest into the sidHistory attribute of accounts in another.
The modified account inherits the permissions associated with the added SID.

Key Takeaways:

Misconfigurations in trust relationships can lead to privilege escalation.
Proper SID filtering must be enabled to prevent unauthorized privilege retention.

IV. Security Considerations:

Cross-forest attacks significantly expand an attacker’s ability to escalate privileges.
Continuous monitoring and auditing of trust relationships are essential.
Enforcing strong password policies and SID filtering can mitigate risk.
Properly securing privileged accounts with limited SPN exposure reduces attack surface.

Previous27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows Next11.Defensive Considerations

Last updated 12 days ago

28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

I. Cross-Forest Kerberoasting

Concept: Leveraging Kerberoasting across domain trusts to extract and crack credentials from accounts in other domains.

Steps:

Enumerate SPNs:

Use PowerView to list Service Principal Names (SPNs):

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Verify Account Privileges:

Check if the target account has privileged group memberships:

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform Kerberoasting:

Request and extract service tickets for cracking:

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Crack the Hash:
- Use Hashcat (mode 13100) to crack the extracted ticket hash.

Key Takeaways:

Cross-forest Kerberoasting exploits domain trust relationships.
Privileged accounts with SPNs can be targeted for credential extraction.

II. Admin Password Reuse & Group Membership

Password Reuse:

Evaluating password reuse across trusted domains with bidirectional trusts.
If an attacker compromises credentials in one domain, they may gain access to another.

Group Membership Enumeration:

Identifying cross-domain privileges through foreign group memberships.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verifying Access:

Test access using PowerShell remoting:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaways:

Weak password policies and reused credentials increase risk.
Identifying privileged accounts across domains is crucial for security assessments.

III. SID History Abuse in Cross-Forest Attacks

Concept:

Exploiting SID history in inter-forest trusts when SID filtering is not enforced.
Migrated accounts can retain privileges from their original domain.

Mechanism:

Injecting SIDs from one forest into the sidHistory attribute of accounts in another.
The modified account inherits the permissions associated with the added SID.

Key Takeaways:

Misconfigurations in trust relationships can lead to privilege escalation.
Proper SID filtering must be enabled to prevent unauthorized privilege retention.

IV. Security Considerations:

Cross-forest attacks significantly expand an attacker’s ability to escalate privileges.
Continuous monitoring and auditing of trust relationships are essential.
Enforcing strong password policies and SID filtering can mitigate risk.
Properly securing privileged accounts with limited SPN exposure reduces attack surface.

Previous27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows Next11.Defensive Considerations

Last updated 12 days ago