# Domain Trust Overview
- For example, when a merger or acquisition occurs, a trust relationship can be established between domains instead of migrating all the established objects
- This makes integration much quicker but also introduces potential vulnerabilities, since the trust extends the attack surface of each domain to the other
- As another example, companies may establish a trust relationship with an MSP, across business unit, or across regional offices
- Formally, a trust creates a link between the authentication systems of two domains and may allow either one-way or two-way (bidirectional) communication
- Types of trusts:
- `Parent-child`: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain `corp.inlanefreight.local` could authenticate into the parent domain `inlanefreight.local`, and vice-versa.
- `Cross-link`: A trust between child domains to speed up authentication.
- `External`: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust uses [SID filtering](https://www.serverbrain.org/active-directory-2008/sid-history-and-sid-filtering.html), i.e. it filters out authentication requests (by SID) that do not originate from the trusted domain.
- `Tree-root`: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.
- `Forest`: A transitive trust between two forest root domains.
- [ESAE](https://docs.microsoft.com/en-us/security/compass/esae-retirement): A bastion forest used to manage Active Directory.
- Example of various trust types:
![[images/Pasted image 20251106192410.png]]
- Trusts can be transitive or non-transitive:
- A `transitive` trust means that trust is extended to objects that the child domain trusts.
- For example, let's say we have three domains. In a transitive relationship, if `Domain A` has a trust with `Domain B`, and `Domain B` has a `transitive` trust with `Domain C`, then `Domain A` will automatically trust `Domain C`.
- In a `non-transitive trust`, the child domain itself is the only one trusted.
- Trusts can be unidirectional or bidirectional:
- `One-way trust`: Users in the `trusted` domain can access resources in the `trusting` domain, but not the other way around.
- `Bidirectional trust`: Users from both trusting domains can access resources in the other domain.
- For example, in a bidirectional trust between `INLANEFREIGHT.LOCAL` and `FREIGHTLOGISTICS.LOCAL`, users in `INLANEFREIGHT.LOCAL` would be able to access resources in `FREIGHTLOGISTICS.LOCAL`, and vice-versa.
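- To make the direction and transitivity rules above concrete, here is an added PowerShell example (my own, not part of the HTB module these notes summarise) that models a trust list as directed "trusting trusts trusted" edges and computes which domains' resources a user homed in a given domain can reach. The first four edges mirror the trusts shown in the notes; the one-way, non-transitive external trust to `MSP-EXAMPLE.LOCAL` is a constructed example. It goes one step beyond the notes by also applying the real Windows rule that a forest trust is transitive only between the two forests it joins, never onward to a third forest. Useful from a defender's side for reasoning about blast radius: which foreign domains a compromised account could reach.
```powershell
# Added example: model trusts as directed edges and compute reachability.
# Each entry is one "Trusting trusts Trusted" edge, so users of .Trusted can
# reach resources in .Trusting. A bidirectional trust is two entries.
# The MSP-EXAMPLE.LOCAL edge is constructed for illustration.
$Trusts = @(
    [pscustomobject]@{ Trusting='INLANEFREIGHT.LOCAL';           Trusted='LOGISTICS.INLANEFREIGHT.LOCAL'; Type='ParentChild'; Transitive=$true }
    [pscustomobject]@{ Trusting='LOGISTICS.INLANEFREIGHT.LOCAL'; Trusted='INLANEFREIGHT.LOCAL';           Type='ParentChild'; Transitive=$true }
    [pscustomobject]@{ Trusting='INLANEFREIGHT.LOCAL';           Trusted='FREIGHTLOGISTICS.LOCAL';        Type='Forest';      Transitive=$true }
    [pscustomobject]@{ Trusting='FREIGHTLOGISTICS.LOCAL';        Trusted='INLANEFREIGHT.LOCAL';           Type='Forest';      Transitive=$true }
    # Constructed one-way, non-transitive external trust: INLANEFREIGHT trusts the MSP domain
    [pscustomobject]@{ Trusting='INLANEFREIGHT.LOCAL';           Trusted='MSP-EXAMPLE.LOCAL';             Type='External';    Transitive=$false }
)

function Get-ReachableDomains {
    # Returns a hashtable: reachable domain -> trust path that grants the access.
    # Rules applied:
    #   - Direction: an edge is followed only from its Trusted side to its Trusting side.
    #   - A non-transitive edge is usable only as a single, direct hop.
    #   - A path may cross at most one forest trust (transitive between two forests only).
    param(
        [Parameter(Mandatory)][string]$HomeDomain,
        [Parameter(Mandatory)][object[]]$TrustList
    )
    $results = @{}
    $queue   = New-Object System.Collections.Queue
    # BFS state: current domain, hops taken so far, number of forest trusts crossed
    $queue.Enqueue(@{ Domain=$HomeDomain; Path=@(); ForestHops=0 })
    while ($queue.Count -gt 0) {
        $state = $queue.Dequeue()
        foreach ($t in $TrustList | Where-Object { $_.Trusted -eq $state.Domain }) {
            if (-not $t.Transitive -and $state.Path.Count -gt 0) { continue }   # non-transitive: direct hop only
            if ($t.Type -eq 'Forest' -and $state.ForestHops -ge 1) { continue } # no second forest hop
            if ($t.Trusting -eq $HomeDomain -or $results.ContainsKey($t.Trusting)) { continue }
            $path = $state.Path + ("{0} -> {1}" -f $t.Trusted, $t.Trusting)
            $results[$t.Trusting] = ($path -join ', ')
            # A non-transitive hop cannot be extended, so only transitive hops are explored further
            if ($t.Transitive) {
                $hops = $state.ForestHops + [int]($t.Type -eq 'Forest')
                $queue.Enqueue(@{ Domain=$t.Trusting; Path=$path; ForestHops=$hops })
            }
        }
    }
    return $results
}

foreach ($home in 'LOGISTICS.INLANEFREIGHT.LOCAL', 'MSP-EXAMPLE.LOCAL') {
    "Users of $home can reach resources in:"
    $reach = Get-ReachableDomains -HomeDomain $home -TrustList $Trusts
    foreach ($k in $reach.Keys | Sort-Object) { "  {0,-32} via {1}" -f $k, $reach[$k] }
}
```
- Running it shows `LOGISTICS` users reaching both `INLANEFREIGHT.LOCAL` (parent-child) and `FREIGHTLOGISTICS.LOCAL` (via the forest trust), while `MSP-EXAMPLE.LOCAL` users reach only `INLANEFREIGHT.LOCAL`: the non-transitive external trust stops at the first hop, and the one-way direction means nothing flows back toward the MSP domain.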
# Enumerating Trust Relationships
- Use the built-in `Get-ADTrust` cmdlet
```powershell
PS C:\htb> Import-Module activedirectory
PS C:\htb> Get-ADTrust -Filter *
```
![[images/Pasted image 20251106194553.png]]
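- The `TrustAttributes` value that `Get-ADTrust` returns is a bitmask, and it is the place to check whether SID filtering on a trust has been relaxed. The following is an added PowerShell example (my own, not from the HTB module) that decodes the mask using the flag values from MS-ADTS section 6.1.6.7.9 and flags two weak configurations: an external trust without the quarantine flag, and a forest trust marked to be treated as external for SID filtering. The sample objects at the bottom are constructed so the script runs without a domain; the domain names other than the two from these notes are invented. On a domain-joined host, feed it the real `Get-ADTrust -Filter *` output instead.
```powershell
# Added example: decode Get-ADTrust's TrustAttributes bitmask and flag relaxed SID filtering.
# Flag values are from MS-ADTS 6.1.6.7.9 (trustAttributes).
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x00000001
    UPLEVEL_ONLY                             = 0x00000002
    QUARANTINED_DOMAIN                       = 0x00000004   # SID filtering quarantine enabled
    FOREST_TRANSITIVE                        = 0x00000008   # forest trust
    CROSS_ORGANIZATION                       = 0x00000010   # selective authentication
    WITHIN_FOREST                            = 0x00000020   # parent-child, tree-root, cross-link
    TREAT_AS_EXTERNAL                        = 0x00000040   # forest trust filtered like an external one
    USES_RC4_ENCRYPTION                      = 0x00000080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x00000200
    PIM_TRUST                                = 0x00000400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x00000800
}

function ConvertFrom-TrustAttributes {
    # Returns the names of the flags set in a TrustAttributes value
    param([Parameter(Mandatory)][int]$Value)
    $TrustAttributeFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-TrustSidFiltering {
    # Accepts objects shaped like Get-ADTrust output (Name, Direction, TrustAttributes)
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Trust)
    process {
        $flags = @(ConvertFrom-TrustAttributes -Value $Trust.TrustAttributes)
        $kind  = if ($flags -contains 'WITHIN_FOREST') { 'IntraForest' } elseif ($flags -contains 'FOREST_TRANSITIVE') { 'Forest' } else { 'External' }
        $finding = switch ($kind) {
            'External' { if ($flags -notcontains 'QUARANTINED_DOMAIN') { 'SID filtering quarantine OFF: SIDs outside the trusted domain (e.g. SIDHistory) are accepted' } }
            'Forest'   { if ($flags -contains 'TREAT_AS_EXTERNAL') { 'Forest trust treated as external for SID filtering (SID history enabled across the trust)' } }
        }
        [pscustomobject]@{
            Name       = $Trust.Name
            Direction  = $Trust.Direction
            Kind       = $kind
            Transitive = ($flags -notcontains 'NON_TRANSITIVE')
            Flags      = ($flags -join ',')
            Finding    = if ($finding) { $finding } else { 'OK' }
        }
    }
}

# Constructed sample input so the script runs offline. On a domain-joined host use:
#   Import-Module ActiveDirectory; $sample = Get-ADTrust -Filter *
$sample = @(
    [pscustomobject]@{ Name='LOGISTICS.INLANEFREIGHT.LOCAL'; Direction='BiDirectional'; TrustAttributes=0x20 }  # within forest
    [pscustomobject]@{ Name='FREIGHTLOGISTICS.LOCAL';        Direction='BiDirectional'; TrustAttributes=0x48 }  # forest + treat-as-external
    [pscustomobject]@{ Name='MSP-EXAMPLE.LOCAL';             Direction='Outbound';      TrustAttributes=0x01 }  # external, no quarantine (constructed)
    [pscustomobject]@{ Name='PARTNER-EXAMPLE.LOCAL';         Direction='Outbound';      TrustAttributes=0x15 }  # external, quarantined, selective auth (constructed)
)
$sample | Test-TrustSidFiltering | Format-Table -AutoSize
```
- In the sample, `FREIGHTLOGISTICS.LOCAL` and `MSP-EXAMPLE.LOCAL` are reported with findings, while the intra-forest trust and the quarantined, selective-authentication external trust come back `OK`. Intra-forest trusts are reported without a finding because SID filtering is not applied between domains of the same forest by design, which is why the forest, not the domain, is the security boundary.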
- `PowerView` and `BloodHound` can also be used to enumerate trust relationships
- Here we use `Get-DomainTrust` from `PowerView`
```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainTrust
```
![[images/Pasted image 20251106194632.png]]
- Use `Get-DomainTrustMapping` from `PowerView` to provide information such as the type of trust (parent/child, external, forest) and the direction of the trust (one-way or bidirectional)
- This information is beneficial once a foothold is obtained and we plan to compromise the environment further.
```powershell
PS C:\htb> Get-DomainTrustMapping
```
![[images/Pasted image 20251106194945.png]]
- Armed with this new info, we can perform enumeration across trusts
- Here we use `Get-DomainUser` from `PowerView` to enumerate users in a child domain
```powershell
PS C:\htb> Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
samaccountname
--------------
htb-student_adm
Administrator
Guest
lab_adm
krbtgt
```
- Use `netdom` to query domain trusts
```cmd
C:\htb> netdom query /domain:inlanefreight.local trust
Direction Trusted\Trusting domain Trust type
========= ======================= ==========
<-> LOGISTICS.INLANEFREIGHT.LOCAL
Direct
Not found
<-> FREIGHTLOGISTICS.LOCAL
Direct
Not found
The command completed successfully.
```
- Use `netdom` to query DCs
```cmd
C:\htb> netdom query /domain:inlanefreight.local dc
List of domain controllers with accounts in the domain:
ACADEMY-EA-DC01
The command completed successfully.
```
- Use `netdom` to query workstations and servers
```cmd
C:\htb> netdom query /domain:inlanefreight.local workstation
List of workstations with accounts in the domain:
ACADEMY-EA-MS01
ACADEMY-EA-MX01 ( Workstation or Server )
SQL01 ( Workstation or Server )
ILF-XRG ( Workstation or Server )
MAINLON ( Workstation or Server )
CISERVER ( Workstation or Server )
INDEX-DEV-LON ( Workstation or Server )
...SNIP...
```