24.Domain Trusts Primer

I. Domain Trusts Overview

Definition: Trusts establish authentication between domains or forests, allowing users to access resources in other domains.

Types of Trusts:

Parent-child: Within the same forest, transitive, bidirectional.
Cross-link: Between child domains, transitive.
External: Between separate forests, non-transitive, uses SID filtering.
Tree-root: Between forest root and new tree root, transitive, bidirectional.
Forest: Between forest root domains, transitive.
ESAE: Used for bastion forests.

Trust Attributes:

Transitive vs. Non-transitive:
- Transitive trusts extend trust to trusted objects of the child domain.
- Non-transitive trusts only trust the child domain itself.
One-way vs. Bidirectional:
- One-way: Trusted domain users can access resources in the trusting domain.
- Bidirectional: Users from both domains can access resources in each other.

II. Enumerating Trust Relationships

Get-ADTrust (PowerShell): Enumerates domain trust relationships using built-in tools.

Commands:

Import-Module activedirectory
Get-ADTrust -Filter *

PowerView (PowerShell): Provides functions for enumerating trusts, types, and authentication flow.

Commands:

Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

netdom (Command-line): Retrieves domain information, including trusts, domain controllers, workstations, and servers.

Commands:

netdom query /domain:inlanefreight.local trust
netdom query /domain:inlanefreight.local dc
netdom query /domain:inlanefreight.local workstation

BloodHound: Visualizes trust relationships using the "Map Domain Trusts" pre-built query.

III. Key Takeaways

Domain trusts can introduce security vulnerabilities if misconfigured.
Understanding trust types and directions is crucial for assessment.
Enumeration tools like Get-ADTrust, PowerView, netdom, and BloodHound are essential.
It is very important to stay within the rules of engagement when testing domain trusts.
Trusts can be a great way for attackers to "pivot" from one domain to another.

Last updated 12 days ago

I. Domain Trusts Overview

Definition: Trusts establish authentication between domains or forests, allowing users to access resources in other domains.

Types of Trusts:

Parent-child: Within the same forest, transitive, bidirectional.
Cross-link: Between child domains, transitive.
External: Between separate forests, non-transitive, uses SID filtering.
Tree-root: Between forest root and new tree root, transitive, bidirectional.
Forest: Between forest root domains, transitive.
ESAE: Used for bastion forests.

Trust Attributes:

Transitive vs. Non-transitive:
- Transitive trusts extend trust to trusted objects of the child domain.
- Non-transitive trusts only trust the child domain itself.
One-way vs. Bidirectional:
- One-way: Trusted domain users can access resources in the trusting domain.
- Bidirectional: Users from both domains can access resources in each other.

II. Enumerating Trust Relationships

Get-ADTrust (PowerShell): Enumerates domain trust relationships using built-in tools.

Commands:

Import-Module activedirectory
Get-ADTrust -Filter *

PowerView (PowerShell): Provides functions for enumerating trusts, types, and authentication flow.

Commands:

Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName

netdom (Command-line): Retrieves domain information, including trusts, domain controllers, workstations, and servers.

Commands:

netdom query /domain:inlanefreight.local trust
netdom query /domain:inlanefreight.local dc
netdom query /domain:inlanefreight.local workstation

BloodHound: Visualizes trust relationships using the "Map Domain Trusts" pre-built query.

III. Key Takeaways

Domain trusts can introduce security vulnerabilities if misconfigured.
Understanding trust types and directions is crucial for assessment.
Enumeration tools like Get-ADTrust, PowerView, netdom, and BloodHound are essential.
It is very important to stay within the rules of engagement when testing domain trusts.
Trusts can be a great way for attackers to "pivot" from one domain to another.

Last updated 12 days ago