Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts

Information

Domain trusts define which identities can request access across domain or forest boundaries. A trust does not automatically mean full compromise, but it changes where Kerberos referrals, group membership, SID filtering, and resource authorization have to be evaluated.

We treat trusts as attack paths. First we identify the direction and type of trust. Then we decide whether we are with the direction of access, against it, or inside a parent-child relationship where SIDHistory can become the escalation primitive.

The key objects are trusted domain objects, trust accounts, foreign security principals, and tickets that contain extra SIDs. The key secrets are the krbtgt key for parent-child escalation and the inter-realm trust key for one-way trust abuse.

Tools used in this section include PowerView, Impacket, Rubeus, Mimikatz, NetExec, BloodHound, and bloodyAD.

Lab defaults

Primary domain: ootw.local
Primary DC: 10.10.10.200
Kali: 10.10.10.100
Student user: student
Student password: student

Common variables

export DC=10.10.10.200
export DOMAIN=ootw.local
export BASE='DC=ootw,DC=local'
export USER=student
export PASS='student'

Trust direction values

1  Inbound from the perspective of the queried domain
2  Outbound from the perspective of the queried domain
3  Bidirectional

Trust type values

1  Downlevel trust
2  Active Directory trust
3  MIT Kerberos realm trust
4  DCE trust

Common trust attributes

0x00000004  QUARANTINED_DOMAIN
0x00000008  FOREST_TRANSITIVE
0x00000010  CROSS_ORGANIZATION
0x00000020  WITHIN_FOREST
0x00000040  TREAT_AS_EXTERNAL
0x00000080  USES_RC4_ENCRYPTION
0x00000200  CROSS_ORGANIZATION_NO_TGT_DELEGATION
0x00000800  PIM_TRUST