Active Directory trusts allow authentication between domains. There are several types of trusts with different transitivity and directionality. Trusts rely on security identifiers and access tokens to enable authentication and authorization between domains. Attackers can abuse trusts to gain access across domains, such as through golden tickets that use stolen hash values to generate authentication tickets or by forging inter-trust tickets even after password changes. Forest trusts were also found to have vulnerabilities that could allow administrators in one forest to compromise resources in a trusted forest.

1. ACTIVE DIRECTORY TRUSTS

2. • YATIN WADHWA
• THREAT ANALYST AT OPTIV INC
• TWITTER : @yatin309
• LINKEDIN : www.linkedin.com/in/yatin-
wadhwa-6214151a4
PS > GET-ADUSER

3. WHAT ARE TRUSTS ?
• A trust is a relationship, which you establish between
domains, that makes it possible for users in one domain to
access shared resources in a different domain.
• A trust links up the authentication systems of two (or more)
domains and allows authentication traffic to flow between
them.

4. TRUST TYPES
TRUST TYPE TRANSITIVITY DIRECTION
PARENT - CHILD TRANSITIVE TWO - WAY
TREE - ROOT TRANSITIVE TWO - WAY
SHORTCUT TRANSITIVE ONE-WAY OR TWO-WAY
FOREST TRANSITIVE ONE-WAY OR TWO-WAY
EXTERNAL NON-TRANSITIVE ONE-WAY OR TWO-WAY
REALM TRANSITIVE OR NON-TRANSITIVE ONE-WAY OR TWO-WAY

5. TRUST PATH
https://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx

6. TRUST PATH
Enumeration from Domain testlab.local :
Enumeration from Domain contoso.local :

7. Scenario 1
Scenario 2

8. • Security Identifiers (SIDs)
• Access Token and Authentication
• Security Descriptors and Authorization
• SID History
• SID Filtering
TRUST COMPONENTS

9. • FOREST AUTHENTICATION
• SELECTIVE AUTHENTICATION
AUTHENTICATION MECHANISMS

10. KERBEROS AUTHENTICATION
ACROSS TRUSTS
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

11. • Golden Ticket using SID History
Golden Tickets are forged Ticket Granting Ticket(TGT), also called authentication
tickets.
Once the attacker has the KRBTGT password hash, he/she can generate a ticket
which can be used on any machine in the domain.
Used to get valid TGS tickets from DCs in the AD forest and provides a great method
of persisting on a domain with access to everything.
ABUSE OF TRUSTS

12. Golden Ticket using SID History

13. Golden Ticket using SID History

14. Golden Ticket using SID History

15. Forging Inter Trust Tickets
• Well known remediation of the golden ticket attack is the changing
the password of KRBTGT account twice.
• Even if the KRBTGT account’s password is changed, the inter-realm
trust keys aren’t rotated.
• Forged Inter Trusts key can be used to impersonate an Enterprise
Admin and regain full domain/forest admin rights.

16. FOREST TRUSTS
• According to Microsoft, Forest is a security boundary as
stated in “What are Domain and Forests” document under
section Forests as Security Boundaries.
• In 2018, Lee Christensen from SpectorOps discovered a bug
which is called the “Printer Bug”.
• By Abusing the MS-RPRN() protocol, administrators in a
forest can compromise resources in a forest with which it
shares a two-way inter forest trust.

17. REFERENCES
1. http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-
domain-trusts/
2. http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
3. https://adsecurity.org/?p=1588
4. https://adsecurity.org/?p=1640

18. THANK YOU