
Cross-forest Kerberoasting

Kerberos attacks such as Kerberoasting and ASREPRoasting can be performed across trusts, depending on the trust direction. When you are positioned in a domain that has an inbound or bidirectional domain/forest trust, you can likely perform various attacks against the trusting domain to gain a foothold there. Sometimes you cannot escalate privileges in your current domain, but you can instead obtain a Kerberos service ticket and crack the hash of an administrative user in the other domain who holds Domain/Enterprise Admin privileges in both domains.

Enumerate accounts with associated SPNs (PowerView)

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Enumerate the user's group membership

Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof

Perform a Kerberoasting attack across the trust (get full admin rights)

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:<domain_admins_group_username> /nowrap

Admin password re-use & group membership

From time to time we run into a bidirectional forest trust where both forests are managed by admins from the same company. If we take control of Domain A and obtain a cleartext password, we should try the same password against Domain B in the other forest; we may gain slightly higher privileges there.

  • Enumerate users or admins from Domain A as members of a group in Domain B

Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL

Access the DC/domain (PowerView)

SID History Abuse - Cross-forest

  • SID History can also be abused across a forest trust. If a user is migrated from one forest to another and SID Filtering is not enabled, it becomes possible to add a SID from the other forest to the user's sIDHistory attribute, and that SID will be added to the user's token when authenticating across the trust. If the SID of an account with administrative privileges in Forest A is added to the SID History attribute of an account in Forest B, then, assuming that account can authenticate across the trust, it will have administrative privileges when accessing resources in the partner forest.
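The three exposures this page describes (trusts that honour SID History, accounts carrying sIDHistory, and privileged Kerberoastable accounts) can be audited from the defending side with the script below. It is an added example, not code from the original page or from PowerView/Rubeus; it assumes the RSAT ActiveDirectory module and read access to the current domain, and the trust flag values are the TrustAttributes bits documented in MS-ADTS.

```powershell
# Added audit script (not part of the original page). Assumes RSAT ActiveDirectory
# module on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

# TrustAttributes bit flags (MS-ADTS, trustAttributes)
$QUARANTINED_DOMAIN = 0x4    # SID filtering enforced on an external trust
$FOREST_TRANSITIVE  = 0x8    # this is a forest trust
$TREAT_AS_EXTERNAL  = 0x40   # relaxes forest-trust SID filtering (netdom /enablesidhistory)

function Get-TrustSidFilteringReport {
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes, Direction) {
        $attr     = [int]$t.TrustAttributes
        $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
        # Forest trusts filter SIDs strictly unless TREAT_AS_EXTERNAL is set;
        # external trusts filter only when quarantined.
        $strict = if ($isForest) { ($attr -band $TREAT_AS_EXTERNAL) -eq 0 }
                  else           { ($attr -band $QUARANTINED_DOMAIN) -ne 0 }
        $finding = if ($strict) { '' } else { 'SID History honoured across this trust: review SID filtering' }
        [pscustomobject]@{
            Trust        = $t.Name
            Direction    = $t.Direction      # Inbound / Outbound / BiDirectional
            ForestTrust  = $isForest
            SidFiltering = $strict
            Finding      = $finding
        }
    }
}

# Accounts whose sIDHistory is populated: the attribute the abuse above relies on
function Get-SidHistoryAccounts {
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        Select-Object Name, objectClass, @{n='SIDHistory'; e={ $_.sIDHistory -join ';' }}
}

# Enabled, privileged (adminCount=1) accounts with SPNs: the cross-forest Kerberoast target
function Get-PrivilegedSpnAccounts {
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            # msDS-SupportedEncryptionTypes bit 0x4 = RC4; unset means RC4 is still accepted
            @{n='RC4Allowed'; e={ $e = $_.'msDS-SupportedEncryptionTypes'; ($null -eq $e) -or (($e -band 0x4) -ne 0) }},
            @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }}
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidHistoryAccounts      | Format-Table -AutoSize
Get-PrivilegedSpnAccounts   | Format-Table -AutoSize
```

Any trust reported with SidFiltering false, any unexpected sIDHistory entry, and any privileged SPN account with RC4Allowed true and an old PasswordLastSet is a finding worth fixing before an attacker reaches the trust.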
