search

πŸ”—Domain Trusts Primer

hashtag
🎯 HTB Academy: Active Directory Enumeration & Attacks

hashtag
πŸ“ Overview

Domain Trusts are authentication relationships between Active Directory domains/forests that allow users to access resources across domain boundaries. Understanding trust relationships is critical for penetration testers as they often provide unintended attack paths and "end-around" routes into target environments, especially in M&A scenarios where security may not have been properly considered during trust establishment.

hashtag
πŸ—οΈ Domain Trust Types

hashtag
Trust Classifications

Trust Type
Description
Use Case

Parent-child

Two-way transitive trust within same forest

Child domain ↔ Parent domain authentication

Cross-link

Trust between child domains

Speed up authentication between siblings

External

Non-transitive trust between separate forests

Business partnerships, limited access

Tree-root

Two-way transitive between forest root and new tree

New tree root domain creation

Forest

Transitive trust between forest root domains

Complete forest-to-forest access

ESAE

Bastion forest for AD management

High-security administrative isolation

hashtag
Trust Properties

hashtag
Transitivity:

  • Transitive: Trust extends through relationships (Aβ†’Bβ†’C = Aβ†’C)

  • Non-transitive: Direct trust only, no extension

hashtag
Direction:

  • One-way: Trusted domain users access trusting domain resources

  • Bidirectional: Mutual access between both domains

hashtag
πŸ” Trust Enumeration Techniques

hashtag
Method 1: Built-in AD Module

hashtag
Method 2: PowerView

hashtag
Method 3: netdom

hashtag
Method 4: BloodHound

  • Pre-built query: "Map Domain Trusts"

  • Visual representation: Trust relationships and directions

  • Attack path analysis: Trust-based privilege escalation routes

hashtag
🎯 HTB Academy Lab Solutions

hashtag
Lab Environment Setup

hashtag
πŸ” Question 1: "What is the child domain of INLANEFREIGHT.LOCAL?"

Solution:

🎯 Answer: LOGISTICS.INLANEFREIGHT.LOCAL

Analysis: Look for TrustAttributes : WITHIN_FOREST to identify child domains.

hashtag
🌲 Question 2: "What domain does INLANEFREIGHT.LOCAL have a forest transitive trust with?"

Solution:

🎯 Answer: FREIGHTLOGISTICS.LOCAL

Analysis: Look for TrustAttributes : FOREST_TRANSITIVE to identify forest trusts.

hashtag
↔️ Question 3: "What direction is this trust?"

Solution:

🎯 Answer: Bidirectional

Analysis: TrustDirection : Bidirectional indicates mutual access between forests.

hashtag
⚠️ Security Implications

hashtag
Attack Vectors Through Trusts

  • Cross-domain privilege escalation: Compromise child β†’ attack parent

  • Forest-to-forest attacks: External trust exploitation

  • Kerberoasting across trusts: Service accounts in trusted domains

  • "End-around" attacks: Target softer trusted domains for indirect access

hashtag
Assessment Considerations

  • Scope verification: Ensure trusted domains are within Rules of Engagement

  • Trust purpose analysis: Legitimate business need vs security risk

  • Bidirectional risk: Mutual access increases attack surface

  • M&A trust reviews: Recently acquired companies may have weaker security posture

hashtag
πŸ”‘ Key Takeaways

hashtag
Trust Enumeration Workflow

hashtag
Critical Trust Attributes

  • WITHIN_FOREST: Child domain relationship (high attack value)

  • FOREST_TRANSITIVE: External forest trust (lateral movement opportunity)

  • Bidirectional: Mutual access (increased attack surface)

hashtag
Professional Impact

  • Reconnaissance foundation: Trust discovery enables advanced attack planning

  • Risk assessment: Understanding trust implications for organizational security

  • Attack path identification: Trust relationships often provide privilege escalation routes

πŸ”— Domain trust enumeration provides critical infrastructure mapping for advanced Active Directory attacks - essential foundation for trust-based privilege escalation and cross-domain exploitation!

PreviousMiscellaneous MisconfigurationsNextChild β†’ Parent Trust Attacks

Last updated