24.Domain Trusts Primer

I. Domain Trusts Overview

Definition: Trusts establish authentication between domains or forests, allowing users to access resources in other domains.

Types of Trusts:

  • Parent-child: Within the same forest, transitive, bidirectional.

  • Cross-link: Between child domains, transitive.

  • External: Between separate forests, non-transitive, uses SID filtering.

  • Tree-root: Between forest root and new tree root, transitive, bidirectional.

  • Forest: Between forest root domains, transitive.

  • ESAE: Used for bastion forests.

Trust Attributes:

  • Transitive vs. Non-transitive:

    • Transitive trusts extend trust to trusted objects of the child domain.

    • Non-transitive trusts only trust the child domain itself.

  • One-way vs. Bidirectional:

    • One-way: Trusted domain users can access resources in the trusting domain.

    • Bidirectional: Users from both domains can access resources in each other.

II. Enumerating Trust Relationships

Get-ADTrust (PowerShell): Enumerates domain trust relationships using built-in tools.

Commands:

Import-Module activedirectory
Get-ADTrust -Filter *

PowerView (PowerShell): Provides functions for enumerating trusts, types, and authentication flow.

Commands:

Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

netdom (Command-line): Retrieves domain information, including trusts, domain controllers, workstations, and servers.

Commands:

netdom query /domain:inlanefreight.local trust
netdom query /domain:inlanefreight.local dc
netdom query /domain:inlanefreight.local workstation

BloodHound: Visualizes trust relationships using the "Map Domain Trusts" pre-built query.

III. Key Takeaways

  • Domain trusts can introduce security vulnerabilities if misconfigured.

  • Understanding trust types and directions is crucial for assessment.

  • Enumeration tools like Get-ADTrust, PowerView, netdom, and BloodHound are essential.

  • It is very important to stay within the rules of engagement when testing domain trusts.

  • Trusts can be a great way for attackers to "pivot" from one domain to another.

Previous9.Why So TrustingNext25.Attacking Domain Trusts - Child - Parent Trusts - from Windows

Last updated