# Trust - Relationship - One-way * Domain B trusts A * Users in Domain A can access resources in Domain B * Users in Domain B cannot access resources in Domain A - Two-way * Domain A trusts Domain B * Domain B trusts Domain A * Authentication requests can be passed between the two domains in both directions ## Enumerate trusts between domains * Native `nltest` ```powershell nltest /trusted_domains ``` * PowerShell `GetAllTrustRelationships` ```powershell ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() SourceName TargetName TrustType TrustDirection ---------- ---------- --------- -------------- domainA.local domainB.local TreeRoot Bidirectional ``` * netexec module `enum_trusts` ```powershell nxc ldap -u -p -M enum_trusts ``` ## Exploit trusts between domains :warning: Require a Domain-Admin level access to the current domain. | Source | Target | Technique to use | Trust relationship | |---|---|---|---| | Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | | Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | | Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | | Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | ## References * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) * [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) * [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab)