28.Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

I. Cross-Forest Kerberoasting

Concept: Leveraging Kerberoasting across domain trusts to extract and crack credentials from accounts in other domains.

Steps:

  1. Enumerate SPNs:

    • Use PowerView to list Service Principal Names (SPNs):

      Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

  2. Verify Account Privileges:

    • Check if the target account has privileged group memberships:

      Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

  3. Perform Kerberoasting:

    • Request and extract service tickets for cracking:

      .\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

  4. Crack the Hash:

    • Use Hashcat (mode 13100) to crack the extracted ticket hash.

Key Takeaways:

  • Cross-forest Kerberoasting exploits domain trust relationships.

  • Privileged accounts with SPNs can be targeted for credential extraction.

II. Admin Password Reuse & Group Membership

Password Reuse:

  • Evaluating password reuse across trusted domains with bidirectional trusts.

  • If an attacker compromises credentials in one domain, they may gain access to another.

Group Membership Enumeration:

  • Identifying cross-domain privileges through foreign group memberships.

Commands:

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

Verifying Access:

  • Test access using PowerShell remoting:

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

Key Takeaways:

  • Weak password policies and reused credentials increase risk.

  • Identifying privileged accounts across domains is crucial for security assessments.

III. SID History Abuse in Cross-Forest Attacks

Concept:

  • Exploiting SID history in inter-forest trusts when SID filtering is not enforced.

  • Migrated accounts can retain privileges from their original domain.

Mechanism:

  • Injecting SIDs from one forest into the sidHistory attribute of accounts in another.

  • The modified account inherits the permissions associated with the added SID.

Key Takeaways:

  • Misconfigurations in trust relationships can lead to privilege escalation.

  • Proper SID filtering must be enabled to prevent unauthorized privilege retention.

IV. Security Considerations:

  • Cross-forest attacks significantly expand an attacker’s ability to escalate privileges.

  • Continuous monitoring and auditing of trust relationships are essential.

  • Enforcing strong password policies and SID filtering can mitigate risk.

  • Properly securing privileged accounts with limited SPN exposure reduces attack surface.

Previous27.Attacking Domain Trusts - Cross-Forest Trust Abuse - from WindowsNext11.Defensive Considerations

Last updated