One-Way inbound

SourceName      : dev.cyberbotic.io
TargetName      : dev-studio.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound
WhenCreated     : 8/16/2022 9:52:37 AM
WhenChanged     : 8/16/2022 9:52:37 AM

Enumerate the foreign domain across the trust

Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName

dc.dev-studio.com

Enumerate any groups that contain users outside of its domain and return its members

GroupDomain             : dev-studio.com
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=dev-studio,DC=com
MemberDomain            : dev-studio.com
MemberName              : S-1-5-21-569305411-121244042-2357301523-1120
MemberDistinguishedName : CN=S-1-5-21-569305411-121244042-2357301523-1120,CN=ForeignSecurityPrincipals,DC=dev-studio,DC=com

Resolve SID

Hop this trust, by impersonating a member of this Studio Admins domain group

To hop a domain trust using Kerberos, we first need an inter-realm key.

Obtain a TGT for the target user (here I am using asktgt with their AES256 hash)

Use that TGT to request a referral ticket from the current domain to the target domain

Finally, use this inter-realm ticket to request TGS's in the target domain.

Here, I'm requesting a ticket for CIFS.

Last updated