When a trust is enumerated from the trusting domain, it is marked as an outbound trust; when the same trust is enumerated from the trusted domain, it is marked as an inbound trust.
In this scenario, there are two types of trust:
• Parent-child trust between testlab.local and dev.testlab.local
• Forest trust between testlab.local and contoso.local
In this case, testlab.local is the trusting domain and contoso.local is the trusted domain.
So as you can see in the first screenshot, since testlab.local is the trusting forest with respect to contoso.local, the enumeration from testlab.local is marked as outbound.
• Security Identifiers – Domain-unique values, built when the user or group is created.
• Access Token and Authentication – Involves identifying the user to the local or trusted domain by presenting credentials. Once the credentials are accepted, the system creates an access token.
• Security Descriptors and Authorization – The process that determines what a user is permitted to do on a resource.
• SID History – When a user is migrated, their old security identifier can optionally be added to the sidHistory attribute of their new account. When the new user attempts to access a resource, if the SID or SID history matches, access to the resource is granted or denied according to the access specified in the ACL.
• SID Filtering – Prevents domains from accepting SIDs whose domain SID is outside the sender's domain.
Forest Authentication – When forest authentication is enabled, users who are authenticated over an inter-forest trust are automatically given the Authenticated Users SID of the trusting forest in their authorization data. Authenticated Users is a group that includes all users whose identities were authenticated when they logged on. Because they carry the Authenticated Users SID, users from the other forest receive the default rights to all of the resources in the trusting domain.
Selective Authentication – Provides a more restrictive pathway in which only users from a trusted forest who have been explicitly granted access to the AD objects hosting the resources in the trusting forest can be authenticated by a domain controller in the resource domain.
In this scenario, there is a parent-child relationship between testlab.local and dev.testlab.local. The domain dev.testlab.local was compromised and the NTLM hash of the krbtgt account was extracted. As a low-privileged user, kkapoor, when we tried to access the domain controllers of both the child and the parent domain, it failed.
By using the NTLM password hash of the krbtgt account, a golden ticket was created. The interesting thing to note is the “sids” attribute. This parameter allows us to use the sidHistory attribute. We have added the RID (519), which means Enterprise Admins. This ensures that we get admin access on all the domains in the forest.
After the golden ticket was created and injected into the current session, we were able to access the domain controllers of both the child domain and the parent domain.
To summarize, once a child domain is compromised, the entire forest can be taken down.
This attack won't work across the forest trust due to the SID filtering mechanism.
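As an added illustration (not part of the original write-up), the following Python models the SID filtering rule described above and shows why the forged sidHistory entry is honoured by the parent domain but stripped across the forest trust. The domain SIDs are constructed sample values, and the filter is a simplification of the rules in MS-PAC 4.1.2.2.

```python
# Added example (not from the original write-up): simplified model of the SID
# filtering a trusting-domain DC applies to the ExtraSids/sidHistory entries in
# the PAC of an inter-realm TGT. All domain SIDs are constructed sample values.
TESTLAB_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # forest root (constructed)
DEV_SID = "S-1-5-21-4444444444-5555555555-6666666666"      # child domain (constructed)
CONTOSO_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # foreign forest (constructed)
ENTERPRISE_ADMINS_RID = 519


def domain_part(sid):
    """Everything before the last sub-authority (the RID) is the domain SID."""
    return sid.rsplit("-", 1)[0]


def filter_sids(extra_sids, trusted_domain_sids, quarantined):
    """Return (kept, dropped) for the extra SIDs carried in a referral TGT.

    quarantined=False models a trust inside the forest (parent-child): nothing is
    filtered, so a forged sidHistory entry is honoured by the parent domain.
    quarantined=True models a forest or external trust with SID filtering: only
    SIDs whose domain part belongs to the trusted side (for a forest trust, any
    domain of that forest) survive. MS-PAC 4.1.2.2 adds rules for well-known
    SIDs that are omitted here.
    """
    if not quarantined:
        return list(extra_sids), []
    allowed = set(trusted_domain_sids)
    kept = [s for s in extra_sids if domain_part(s) in allowed]
    dropped = [s for s in extra_sids if domain_part(s) not in allowed]
    return kept, dropped


def reaches_enterprise_admins(extra_sids, trusted_domain_sids, quarantined):
    """True if the forest root's Enterprise Admins SID survives filtering."""
    kept, _ = filter_sids(extra_sids, trusted_domain_sids, quarantined)
    return f"{TESTLAB_SID}-{ENTERPRISE_ADMINS_RID}" in kept


if __name__ == "__main__":
    forged = [f"{TESTLAB_SID}-{ENTERPRISE_ADMINS_RID}"]  # the ticket's "sids" value
    # dev.testlab.local -> testlab.local (parent-child): no filtering, SID honoured.
    print(reaches_enterprise_admins(forged, [DEV_SID], quarantined=False))  # True
    # contoso.local -> testlab.local (forest trust): SID filtering strips it.
    print(reaches_enterprise_admins(forged, [CONTOSO_SID], quarantined=True))  # False
```

On a real trusting DC the dropped list is what shows up in the "SIDs were filtered" audit event, so a non-empty dropped set from a trusted forest is the signal a defender watches for.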
Why would we need to forge the inter trust keys?
Once the KRBTGT account password has been changed twice, the attacker won't be able to create or use golden tickets anymore. In this case it would be a good idea to forge inter-trust keys, because the inter-trust key password is rotated automatically every 30 days and is not affected by a change of the KRBTGT account password hash.
WHAT ARE TRUSTS?
• A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to access shared resources in a different domain.
• A trust links up the authentication systems of two (or more) domains and allows authentication traffic to flow between
TRUST TYPE      TRANSITIVITY                   DIRECTION
PARENT-CHILD    TRANSITIVE                     TWO-WAY
TREE-ROOT       TRANSITIVE                     TWO-WAY
SHORTCUT        TRANSITIVE                     ONE-WAY OR TWO-WAY
FOREST          TRANSITIVE                     ONE-WAY OR TWO-WAY
EXTERNAL        NON-TRANSITIVE                 ONE-WAY OR TWO-WAY
REALM           TRANSITIVE OR NON-TRANSITIVE   ONE-WAY OR TWO-WAY
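The following Python is added here and is not from the original slides: it decodes the trustDirection, trustType and trustAttributes values of an AD trustedDomain object into the categories of the table above and reports whether SID filtering applies on that trust. The flag constants are the MS-ADTS values; the sample trust objects are constructed to match the testlab.local scenario.

```python
# Added example (not from the original slides): decode a trustedDomain object's
# trustDirection / trustType / trustAttributes into the categories of the table.
# Flag values are from MS-ADTS; the sample trust objects are constructed.
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "TWO-WAY"}
NON_TRANSITIVE = 0x0001
QUARANTINED_DOMAIN = 0x0004  # SID filtering ("quarantine") explicitly enforced
FOREST_TRANSITIVE = 0x0008
WITHIN_FOREST = 0x0020
TREAT_AS_EXTERNAL = 0x0040  # relaxes forest-trust SID filtering; worth reviewing
MIT_TRUST_TYPE = 3          # trustType of a Kerberos realm (MIT) trust


def classify(trust_type, attrs):
    """Map a trust to the table's TRUST TYPE and TRANSITIVITY columns.
    Parent-child, tree-root and shortcut trusts all carry WITHIN_FOREST; telling
    them apart needs the domain names, so they are reported as one group."""
    if trust_type == MIT_TRUST_TYPE:
        kind = "REALM"
    elif attrs & WITHIN_FOREST:
        kind = "PARENT-CHILD / TREE-ROOT / SHORTCUT"
    elif attrs & FOREST_TRANSITIVE:
        kind = "FOREST"
    else:
        kind = "EXTERNAL"
    return kind, not (attrs & NON_TRANSITIVE)


def sid_filtering_applies(attrs):
    """True when the trusting DC strips foreign SIDs from the PAC: forest trusts
    and quarantined (external) trusts do; trusts inside a forest never do, which
    is why a child-domain golden ticket with a parent-forest sidHistory works."""
    if attrs & WITHIN_FOREST:
        return False
    return bool(attrs & (QUARANTINED_DOMAIN | FOREST_TRANSITIVE))


def describe(trust):
    """Summarise one trustedDomain object given as a dict of LDAP attribute values."""
    kind, transitive = classify(trust["trustType"], trust["trustAttributes"])
    return {"partner": trust["trustPartner"], "type": kind, "transitive": transitive,
            "direction": TRUST_DIRECTION[trust["trustDirection"]],
            "sidFiltering": sid_filtering_applies(trust["trustAttributes"]),
            "treatAsExternal": bool(trust["trustAttributes"] & TREAT_AS_EXTERNAL)}


# Constructed sample objects as they would be read from testlab.local.
SAMPLE_TRUSTS = [
    {"trustPartner": "dev.testlab.local", "trustType": 2, "trustDirection": 3,
     "trustAttributes": WITHIN_FOREST},
    {"trustPartner": "contoso.local", "trustType": 2, "trustDirection": 2,
     "trustAttributes": FOREST_TRANSITIVE},
]
```

Feeding the attribute values of every trustedDomain object in CN=System into describe() gives an inventory in the terms of the table, with the contoso.local entry reported as an outbound, transitive, SID-filtered forest trust.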
• Golden Ticket using SID History
Golden Tickets are forged Ticket Granting Tickets (TGT), also called authentication
Once the attacker has the KRBTGT password hash, he/she can generate a ticket which can be used on any machine in the domain.
Used to get valid TGS tickets from DCs in the AD forest; provides a great method of persisting on a domain with access to everything.
ABUSE OF TRUSTS
Forging Inter Trust Tickets
• The well-known remediation for the golden ticket attack is changing the password of the KRBTGT account twice.
• Even if the KRBTGT account’s password is changed, the inter-realm trust keys aren’t rotated.
• Forged inter-trust keys can be used to impersonate an Enterprise Admin and regain full domain/forest admin rights.
• According to Microsoft, the forest is the security boundary, as stated in the “What Are Domains and Forests” document under the section “Forests as Security Boundaries”.
• In 2018, Lee Christensen from SpecterOps discovered a bug which is called the “Printer Bug”.
• By abusing the MS-RPRN protocol, administrators in a forest can compromise resources in a forest with which it shares a two-way inter-forest trust.