Trust enumeration starts with direction, type, attributes, and foreign membership. Do this before trying to abuse anything. Most failed trust attacks come from standing on the wrong side of the relationship or misunderstanding which domain owns the useful SID.
Linux variables
export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'
Trusted domain objects
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=trustedDomain)' name trustPartner trustDirection trustType trustAttributes flatName securityIdentifier objectGUID
Trust accounts
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(samAccountType=805306370)' samAccountName distinguishedName userAccountControl primaryGroupID
Foreign security principals
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName
SIDHistory
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sIDHistory=*)' sAMAccountName distinguishedName sIDHistory
NetExec
nxc ldap $DC -d $DOMAIN -u $USER -p "$PASS" -M get-trusts
Windapsearch
python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --dc-ip $DC --trusted
BloodHound
bloodhound-python -d ootw.local -u student -p 'student' -ns 10.10.10.200 -c Trusts,DCOnly
bloodhound-python -d ootw.local -u student -p 'student' -ns 10.10.10.200 -c All
PowerView
Get-DomainTrust
Get-ForestTrust
Get-DomainTrustMapping
Get-DomainForeignUser
Get-DomainForeignGroupMember
Get-DomainObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties cn,memberOf
Get-DomainObject -LDAPFilter '(sIDHistory=*)' -Properties samaccountname,sidhistory
AD module
Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,Target
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties *
Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory
DNS discovery
nslookup -type=SRV _ldap._tcp.dc._msdcs.ootw.local 10.10.10.200
nslookup -type=SRV _kerberos._tcp.ootw.local 10.10.10.200
Resolve a foreign SID
ldapsearch -LLL -x -H ldap://<SOURCE_DC> -D '<SOURCE_DOMAIN>\<USER>' -w '<PASS>' -b '<SOURCE_BASE_DN>' '(objectSid=S-1-5-21-1111111111-2222222222-3333333333-1105)' samAccountName distinguishedName objectClass
Direction sanity
Inbound from our perspective means the other domain's principals may be trusted to access our resources.
Outbound from our perspective means our principals may be trusted to access the other domain's resources.
Bidirectional means both sides can issue referrals for access decisions.