Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts

Enumeration

Trust enumeration starts with direction, type, attributes, and foreign membership. Do this before trying to abuse anything. Most failed trust attacks come from standing on the wrong side of the relationship or misunderstanding which domain owns the useful SID.

Linux variables

export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'

Trusted domain objects

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=trustedDomain)' name trustPartner trustDirection trustType trustAttributes flatName securityIdentifier objectGUID

Trust accounts

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(samAccountType=805306370)' samAccountName distinguishedName userAccountControl primaryGroupID

Foreign security principals

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName

SIDHistory

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(sIDHistory=*)' sAMAccountName distinguishedName sIDHistory

NetExec

nxc ldap $DC -d $DOMAIN -u $USER -p "$PASS" -M get-trusts

Windapsearch

python3 windapsearch.py -d $DOMAIN -u $USER -p "$PASS" --dc-ip $DC --trusted

BloodHound

bloodhound-python -d ootw.local -u student -p 'student' -ns 10.10.10.200 -c Trusts,DCOnly

bloodhound-python -d ootw.local -u student -p 'student' -ns 10.10.10.200 -c All

PowerView

Get-DomainTrust

Get-ForestTrust

Get-DomainTrustMapping

Get-DomainForeignUser

Get-DomainForeignGroupMember

Get-DomainObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties cn,memberOf

Get-DomainObject -LDAPFilter '(sIDHistory=*)' -Properties samaccountname,sidhistory

AD module

Get-ADTrust -Filter * -Properties * | Select-Object Name,Direction,TrustType,TrustAttributes,Target

Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties *

Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf

Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

DNS discovery

nslookup -type=SRV _ldap._tcp.dc._msdcs.ootw.local 10.10.10.200

nslookup -type=SRV _kerberos._tcp.ootw.local 10.10.10.200

Resolve a foreign SID

ldapsearch -LLL -x -H ldap://<SOURCE_DC> -D '<SOURCE_DOMAIN>\<USER>' -w '<PASS>' -b '<SOURCE_BASE_DN>' '(objectSid=S-1-5-21-1111111111-2222222222-3333333333-1105)' samAccountName distinguishedName objectClass

Direction sanity

Inbound from our perspective means the other domain's principals may be trusted to access our resources.

Outbound from our perspective means our principals may be trusted to access the other domain's resources.

Bidirectional means both sides can issue referrals for access decisions.