InternalAllTheThings/docs/active-directory/trust-relationship.md

# Trust - Relationship

- One-way
  * Domain B trusts A
  * Users in Domain A can access resources in Domain B
  * Users in Domain B cannot access resources in Domain A
- Two-way
  * Domain A trusts Domain B
  * Domain B trusts Domain A
  * Authentication requests can be passed between the two domains in both directions


## Enumerate trusts between domains

* Native `nltest`
  ```powershell
  nltest /trusted_domains
  ```
* PowerShell `GetAllTrustRelationships`
  ```powershell
  ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

  SourceName          TargetName                    TrustType      TrustDirection
  ----------          ----------                    ---------      --------------
  domainA.local      domainB.local                  TreeRoot       Bidirectional
  ```
* netexec module `enum_trusts`
  ```powershell
  nxc ldap <ip> -u <user> -p <pass> -M enum_trusts 
  ```


## Exploit trusts between domains

:warning: Require a Domain-Admin level access to the current domain.

| Source     | Target  | Technique to use  | Trust relationship  |
|---|---|---|---|
| Root      | Child  | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way)  |
| Child     | Child  | SID History exploitation (Mimikatz /sids)                 | Inter Realm Parent-Child (2-way)  |
| Child     | Root   | SID History exploitation (Mimikatz /sids)                 | Inter Realm Tree-Root (2-way)  |
| Forest A  | Forest B  | PrinterBug + Unconstrained delegation ?  | Inter Realm Forest or External (2-way)  |


## References

* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)
AD - Pages v0.6 2023-12-03 19:54:06 +00:00			`# Trust - Relationship`

AD - Pages v0.9 2023-12-04 08:56:01 +00:00			`- One-way`
AD - Pages v0.6 2023-12-03 19:54:06 +00:00			`* Domain B trusts A`
			`* Users in Domain A can access resources in Domain B`
			`* Users in Domain B cannot access resources in Domain A`
AD - Pages v0.9 2023-12-04 08:56:01 +00:00			`- Two-way`
AD - Pages v0.6 2023-12-03 19:54:06 +00:00			`* Domain A trusts Domain B`
			`* Domain B trusts Domain A`
			`* Authentication requests can be passed between the two domains in both directions`


			`## Enumerate trusts between domains`

			* Native `nltest`
			```powershell
			`nltest /trusted_domains`
			```
			* PowerShell `GetAllTrustRelationships`
			```powershell
			`([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()`

			`SourceName TargetName TrustType TrustDirection`
			`---------- ---------- --------- --------------`
			`domainA.local domainB.local TreeRoot Bidirectional`
			```
switch to nxc as cme is archived 2024-03-29 21:24:52 +00:00			* netexec module `enum_trusts`
AD - Pages v0.6 2023-12-03 19:54:06 +00:00			```powershell
switch to nxc as cme is archived 2024-03-29 21:24:52 +00:00			`nxc ldap <ip> -u <user> -p <pass> -M enum_trusts`
AD - Pages v0.6 2023-12-03 19:54:06 +00:00			```


			`## Exploit trusts between domains`

			`:warning: Require a Domain-Admin level access to the current domain.`

			`\| Source \| Target \| Technique to use \| Trust relationship \|`
			`\|---\|---\|---\|---\|`
			`\| Root \| Child \| Golden Ticket + Enterprise Admin group (Mimikatz /groups) \| Inter Realm (2-way) \|`
			`\| Child \| Child \| SID History exploitation (Mimikatz /sids) \| Inter Realm Parent-Child (2-way) \|`
			`\| Child \| Root \| SID History exploitation (Mimikatz /sids) \| Inter Realm Tree-Root (2-way) \|`
AD - Pages v0.7 2023-12-03 21:54:23 +00:00			`\| Forest A \| Forest B \| PrinterBug + Unconstrained delegation ? \| Inter Realm Forest or External (2-way) \|`


			`## References`

			`* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)`
Adding references for Altered Security labs 2024-05-24 08:48:55 +00:00			`* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)`
			`* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)`