This presentation was given at BSides Chicago 2015, and covers the enumeration and abuse of active directory domain trusts.

1. Trusts You
Might Have
Missed
Will (@harmj0y)
Justin (@sixdub)

2. @harmj0y
● Security researcher and red teamer for the
Adaptive Threat Division of Veris Group
● Co-founder of the Veil-Framework and Veil’s
PowerTools
● Cons: Shmoocon, CarolinaCon, Defcon,
Derbycon, various BSides

3. @sixdub
● Pentester and red teamer for the Adaptive
Threat Division of Veris Group
● Lots of interest: red team ops, reverse
engineering, adversarial tactics, etc
● Developer on the Veil-Framework and co-
founder of Veil’s PowerTools

4. tl;dr
● Red Team Operations
● Active Directory 101
● Domain Trusts 101
● So what?
● Back to the Old School
● New School Enumeration
● Visualizing Trusts
● Abusing Trusts
● Demo
● On The Horizon

5. Red
Team
Operations
Setting the stage

6. Red Teaming
● Red teaming means different things to
different people
o physical ops, in-depth social engineering, custom
exploit dev, pure network based operations, etc.
● Common thread of increased time frame and
more permissive scope
● Red Team Operations - military concept of
adversarial thinking that evolved into
adversary emulation

7. “Assume Breach” Mentality
● With the rash of recent major incidents,
organizations have started to realize that
they’re probably already owned
● You’re not going to stop the bad guys
from getting in the front door
● Companies need to implement an “assume
breach” way of thinking

8. Nothing New?
● Domain trusts have existed for years, and red
teams have been abusing them just as long
● While these techniques are public, they’re not
as well known as they should be
● Most of what we’re going to talk about is
possible through multiple means:
o VBScript, PowerShell, native tools
o Good to have alternative ways to accomplish the
same goal

9. Active
Directory
101
Let’s go back to school

10. Base Overview
● Multiple Levels
o Domain - Logical group of network objects
(computers, users etc)
o Trees - Collection of domains
o Forests - Collection of trees
● Used to authenticate and authorize users and
computers on a network
o Also provides security policies, centralized
management, and other rich features

11. Not So Basic Overview: NTLM
https://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_ntlmauthentication

12. Not So Basic Overview: Kerberos
http://msdn.microsoft.com/en-us/library/ff647076.aspx#pagexplained0001_kerberosauthentication

13. Active Directory Trusts 101
● Trusts allow separate domains to form a
relationship
o Allows for the possibility of access to objects
between domains. Authentication linkage!
o Allows you to use objects from a remote domain
 aka Users from Domain A can be in groups of
Domain B
● Forests can also establish trust relationships
o ex. All domains in Forest A will trust domains in
Forest B

14. Active Directory Trusts 201
● Communications in the trust work via a
system of referrals
o If the SPN being requested resides outside of
primary DC, issue a referral to the forest KDC or
trusted domain KDC to receive a ticket
o access is passed around with inter-realm TGTs
● Multiple configuration topographies available
that will determine the behavior of the trusts
o All a matter of design…

15. Trust Direction
http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx

16. Trust Types
● Trusts come in a few varieties:
o One way - Only one domain trusts the other
o Two way - Both domains trust each other
o Transitive - Domain A trusts Domain B and Domain
B trusts Domain C, so Domain A trusts Domain C
● A child domain retains an implicit trust with
its parent
● Lots more information at
http://technet.microsoft.com/en-
us/library/cc773178(v=ws.10).aspx

17. So What?
● Why does this matter?
● Red teams often compromise
accounts/machines in a domain that's
trusted by their actual target, allowing them
to exploit these existing trust relationships to
achieve their end goal
● And Enterprise Admin = pwnership over
everything below

18. Domain
Trust
Enumeration
Know what you have before
you start pwning

19. Old School Enumeration
● Traditional trust enumeration utilizing ntltest:

20. Old School Enumeration
● Netdom (from servers only):
o netdom query trust
● Adfind to enumerate trusts in other domains:

21. New School Enumeration
● PowerShell: Microsoft’s handy “post-
exploitation language” :)
● Essentially a command-line wrapper for
.NET with full access to the framework
● Contains various Active Directory hooks that
makes enumeration much easier and flexible
than before

22. ● To enumerate all domains in the forest:
o ([System.DirectoryServices.ActiveDirectory.Fore
st]::GetCurrentForest()).Domains
● To enumerate all trust relationships for the
current domain:
o ([System.DirectoryServices.ActiveDirectory.Dom
ain]::GetCurrentDomain()).GetAllTrustRelationsh
ips()
Trust Enumeration with PowerShell

23. Using Trusts With PowerShell
● A lot of ADSI native PowerShell AD
functionality can easily operate on domains
to which there's an existing trust:
o finding domain controllers, querying users,
enumerating domain groups, finding domain
machines, etc.
● All across trust boundaries with little extra
effort, using these enumerated domain
contexts

24. PowerView
● Think dsquery on steroids... and cocaine
● First started because a client banned “net”
commands on domain machines
● Otherwise initially inspired by Rob Fuller’s
netview.exe tool
o Wanted something more flexible that also didn’t drop
a binary to disk

25. PowerView: Enumerating Trusts
● PowerView has several new functions that
allow you to enumerate any existing
domain/forest trust relationships:
o Get-NetForest: information about the current
domain forest
o Get-NetForestTrusts: grab all forest trusts
o Get-NetForestDomains: enumerate all domains in
the current forest
o Get-NetDomainTrusts: find all current domain
trusts, á la nltest

26. PowerView: Enumerating Trusts

27. PowerView: Trust Mapping w/ LDAP!
● Sometimes the trust “enclave” is more
protected, and mass enumeration across a
boundary can seem strange
o Also, your workstation might not be able to directly
contact the DC of a trusted/ing domain
● Get-NetDomainTrustsLDAP - Utilizes
LDAP queries only to enumerate trusts
o Slightly less accurate… but blends better!
o And these LDAP queries can be bounced through
your primary DC!

28. PowerView: Using Trusts
● If a trust exists, most functions in PowerView
can now accept a -Domain <name> flag to
operate across a trust:
o Get-NetDomainControllers, Get-NetUsers, Get-
NetUser, Get-NetComputers, Get-NetGroups, Get-
NetGroup, Get-NetFileServers, Get-UserProperties,
Invoke-UserFieldSearch, Invoke-Netview, Invoke-
UserHunter, etc.

29. PowerView: Using Trusts

30. Mapping Domain Trusts
● PowerView also have a function to map all
reachable domain trusts:
o Invoke-MapDomainTrusts
o Invoke-MapDomainTrustsLDAP
● Finds all domain trusts for the current
domain, then tries to enumerate all trusts for
each domain it finds, and so on
● Can dump out a nice .csv of all current trust
relationships

31. Analysis
and
Visualization
Raw data ain’t nothin’

32. Motivations
● Many networks only have a few domains
and associated trusts
● While this raw data from PowerView is
useful, it can become onerous for networks
with many domains
o Think dozens+, all interconnected
● Data means nothing if you can’t interpret it
usefully

33. Nodal Analysis
● Concept of applying network and graph
theory techniques to identify relevant and
useful data
o Centrality
o Shortest Path
o Isolated Nodes
● DomainTrustExplorer!
o Used to rapidly triage large networks with a
spaghetti mess of trusts
o https://github.com/sixdub/DomainTrustExplorer

34. Nodal Analysis

35. Visualization
● Visual information processing is much easier
for some people
● Seemingly random relationships might reveal
important information when visualized in
certain methods
o Tree vs Node-Link vs Topological
● DomainTrustExplorer dumps to GraphML
format

38. Abusing
Domain
Trusts
The path to pwnership

39. Abusing Trusts
● As mentioned, knowing a trust exists can let
you query information, but it doesn’t
necessarily imply access
o though it often does ;)
● You need to figure out if any users have
cross-domain access and to what resources
in other domains
o trusts are rarely locked down properly, and you can
often jump from one domain to another

40. Abusing Trusts with PowerView
● To enumerate users who are in groups
outside of the user’s primary domain (i.e.
across trusts):
o Invoke-FindUserTrustGroups -Domain <domain>
o Invoke-FindAllUserTrustGroups
● To enumerate users who have local admin
privileges on all domain controllers in a
particular domain:
o Get-GetDomainControllers -Domain <domain> |
Get-NetLocalGroup

41. ● To enumerate groups with users outside of
the group’s primary domain:
o Invoke-FindGroupTrustUsers -Domain <domain>
o Invoke-FindAllGroupTrustUsers
● To find members of the administrators
localgroup outside of the primary domain for
all machines in a domain:
o Invoke-EnumerateLocalTrustGroups -Domain
<domain>
Abusing Trusts with PowerView:
BSides Chicago Edition

42. Abusing Trusts: A Case Study
● Say we land on a machine in the
dev.testlab.local domain and work our way
to the DC
● We want to compromise the testlab.local
forest root
o We’ll do this by abusing trust relationships with
another child domain in the forest
● We’ll step through enumeration,
visualization, and abuse

43. Demo

44. On
The
Horizon
Whats next...

45. Improved Data Analysis
● Working on methods to correlate PowerView
data with trust information to provide
additional context
o Think “this domain group has access to these cross-
domain resources”
● Goal of creating an offensive dashboard for
red team operations
o @_tomsteele has started some of this work already
https://github.com/tomsteele/domain-trust-grapher

46. Trust Keys

47. Trust Keys

48. Trust Keys
● The password for a domain trust account is
used to derive an inter-realm key for
encrypting referral tickets*
o Mimikatz can now extract these trust keys from
domain controllers participating in the trust
● These keys can be used to create “gold-ish”
trust tickets for the krbtgt service, with a
trusting domain as the target
o these in turn can be used to request TGSes for
specific services on the trusting domain
*https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx

49. Trust Keys:
A Domain Trust Golden Ticket
This means that even if the
krbtgt hash is rolled twice, you
can still abuse a privileged
domain trust and possibly
recompromise a domain from
a trusted source!

50. Questions?
● Contact us:
o @harmj0y (will [at] harmj0y.net) or keybase.io/harmj0y
o @sixdub (justin [at] sixdub.net) or keybase.io/sixdub
● Read more:
o http://www.harmj0y.net/blog/tag/domain-trusts/
o http://www.sixdub.net/?p=285
● Get the tools:
o https://github.com/Veil-
Framework/PowerTools/tree/master/PowerView
o https://github.com/sixdub/DomainTrustExplorer