What is a Domain Trust Exploitation?

Learn how Domain Trust Exploitation (DTE) works, explore its various types, and understand its core concepts.

Wednesday, 24 July, 2024

Domain Trust Exploitation - Cyberware Hub

Domain Trust Exploitation refers to the abuse of trust relationships between domains within a network, often within environments using Active Directory (AD). In these environments, domains can establish trust relationships to allow users in one domain to access resources in another. While these trusts are necessary for managing access in large networks, they can be exploited if not properly secured.

Core Concept of Domain Trust Exploitation

  • Trust Relationships:
    Trusts are connections established between domains to allow shared access to resources. They can be:

    One-way or Two-way:
    Principals from only one of the two domains, or from both, can access the other domain's resources.

    Transitive or Non-transitive:
    The trust either extends to the domains the other side trusts, or is limited to the two domains directly involved.

Types of Domain Trusts in Active Directory

In Active Directory, domain trusts are relationships established between domains to allow access to resources across them. Here are the main types of domain trusts:

1. External Trust
   A one-way or two-way non-transitive trust between domains in different forests.

   Use Case:
   Facilitates access to resources in a domain located in a separate forest.

2. Forest Trust
   A one-way or two-way transitive trust between two Active Directory forests.

   Use Case:
   Allows resource sharing across all domains within both forests; typically used in cases of organizational mergers or collaborations.

3. Shortcut Trust
   A one-way or two-way transitive trust between domains in the same forest.

   Use Case:
   Optimizes authentication and reduces latency for users accessing resources in another domain within the same forest.

4. Realm Trust
   A one-way or two-way trust between a Windows domain and a non-Windows Kerberos realm.

   Use Case:
   Facilitates interoperability between Windows domains and other Kerberos-based environments, such as UNIX or Linux systems.

5. Parent-Child Trust
   An automatically created, two-way transitive trust between a parent domain and a child domain within the same forest.

   Use Case:
   Enables resource sharing and user access between parent and child domains.

6. Tree-Root Trust
   An automatically created, two-way transitive trust between the root domain of one tree and the root domain of another tree within the same forest.

   Use Case:
   Allows resource sharing between different domain trees within the same forest.
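The direction and transitivity rules from the core-concept section, together with the trust types listed above, can be turned into a reachability check over a trust inventory. That is how a defender maps which domains a principal in one domain could authenticate to before an attacker maps it for them. The Python below is an added example, not code from this article or from Cyberware Hub; the domain names and the inventory are constructed, and realm trusts are modelled as non-transitive here (they can be created either way).

```python
from collections import deque
from dataclasses import dataclass

# Added example (not from the original article): a trust inventory is modelled
# as directed access edges, and the transitivity rules of each trust type are
# applied to answer "which domains can a principal from X reach?". Domain names
# are constructed; vendor.test sits in a third forest to show the forest-trust rule.


@dataclass(frozen=True)
class Trust:
    """One trust relationship as it would appear in a trust inventory.

    trusting: the domain whose resources become reachable (it "trusts").
    trusted:  the domain whose principals are granted that access.
    kind:     "parent-child", "tree-root", "shortcut", "forest", "external" or "realm".
    two_way:  True when each domain trusts the other.
    """
    trusting: str
    trusted: str
    kind: str
    two_way: bool = False


# Trust types that extend access beyond the two domains directly involved.
# Realm trusts are modelled as non-transitive in this example.
TRANSITIVE_KINDS = {"parent-child", "tree-root", "shortcut", "forest"}

# Constructed inventory: forest 1 is corp.example with child eu.corp.example and a
# second tree research.example; forest 2 is partner.test; forest 3 is vendor.test.
# legacy.local is trusted by corp.example through a one-way external trust.
TRUSTS = [
    Trust("corp.example", "eu.corp.example", "parent-child", two_way=True),
    Trust("corp.example", "research.example", "tree-root", two_way=True),
    Trust("corp.example", "partner.test", "forest", two_way=True),
    Trust("partner.test", "vendor.test", "forest", two_way=True),
    Trust("corp.example", "legacy.local", "external"),  # one-way: legacy -> corp only
]


def access_edges(trusts):
    """Map each domain to the (resource_domain, trust) pairs its principals may cross."""
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusted, []).append((t.trusting, t))
        if t.two_way:
            edges.setdefault(t.trusting, []).append((t.trusted, t))
    return edges


def reachable_domains(source, trusts=TRUSTS):
    """Domains whose resources a principal from `source` can reach via trusts.

    Rules applied:
      * a non-transitive trust (external, realm) only grants access to the
        domain on its far side, and only as the first hop;
      * transitive trusts chain freely inside a forest, but a path may cross
        at most one forest trust, since forest trusts do not extend to a
        third forest.
    """
    edges = access_edges(trusts)
    reached = set()
    seen = {(source, False)}          # state: (domain, crossed a forest trust)
    queue = deque(seen)
    while queue:
        domain, crossed = queue.popleft()
        for nxt, t in edges.get(domain, []):
            if nxt == source:
                continue
            if t.kind not in TRANSITIVE_KINDS:
                if domain == source:  # direct access only; the path ends here
                    reached.add(nxt)
                continue
            if t.kind == "forest":
                if crossed:
                    continue          # a second forest hop is not honoured
                state = (nxt, True)
            else:
                state = (nxt, crossed)
            reached.add(nxt)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return reached


if __name__ == "__main__":
    for d in ("corp.example", "eu.corp.example", "partner.test", "vendor.test", "legacy.local"):
        print(f"{d:18} -> {sorted(reachable_domains(d))}")
```

Run against the constructed inventory, legacy.local reaches only corp.example (external, non-transitive), vendor.test reaches only partner.test (a second forest hop is not honoured), while eu.corp.example reaches corp.example, research.example and partner.test through the parent-child, tree-root and forest trusts. Feeding the same function a real inventory (for example one exported with the AD module's Get-ADTrust) shows which one-way or non-transitive trusts actually confine access and which two-way transitive ones quietly widen it.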

How does it work?

Domain trust exploitation relies on a number of techniques that attackers use to abuse the trust relationships between domains in an Active Directory environment.

One prevalent method is Pass-the-Hash (PtH), where attackers capture and reuse hashed password values (NTLM hashes) to authenticate across trusted domains. Another technique, Pass-the-Ticket (PtT), involves capturing and reusing Kerberos tickets to gain unauthorized access to resources in different domains. 

SID History Injection allows attackers to insert unauthorized Security Identifiers (SIDs) into a user’s SID history, providing access to resources in trusted domains. Kerberoasting involves requesting and cracking service tickets for service accounts to obtain passwords. 

Silver Ticket attacks enable attackers to forge Kerberos service tickets for accessing specific services, while Golden Ticket attacks involve forging Ticket Granting Tickets (TGTs), which grant extensive privileges and access across all domains within a forest. These methods underscore the critical need to secure domain trusts and monitor for unusual activities to prevent such attacks.
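Two of the techniques above leave distinct traces in the Windows Security log that a defender can alert on: Kerberoasting shows up as event 4769 (service ticket requested) with RC4 encryption (TicketEncryptionType 0x17) for user-style service accounts, typically several in quick succession from one principal, and SID History changes are recorded as event 4765 (SID History was added to an account). The Python below is an added example, not code from this article or from Cyberware Hub. The event records are constructed dicts whose keys follow the XML field names of those events; they are not captured logs, and the account names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original article): two detections over Windows
# Security events. The records below are constructed for illustration; their
# keys mirror the XML field names of events 4769 and 4765.

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets show 0x11 / 0x12

EVENTS = [
    # ordinary AES ticket requests by a user
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:00:01", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:02:30", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    # one principal pulling RC4 tickets for several service accounts within seconds
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:10:00", "TargetUserName": "rsmith@CORP.EXAMPLE",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:10:02", "TargetUserName": "rsmith@CORP.EXAMPLE",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:10:03", "TargetUserName": "rsmith@CORP.EXAMPLE",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"EventID": 4769, "TimeCreated": "2024-07-24T09:10:04", "TargetUserName": "rsmith@CORP.EXAMPLE",
     "ServiceName": "WS02$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    # SID History written to an account outside any migration window
    {"EventID": 4765, "TimeCreated": "2024-07-24T11:15:42", "SubjectUserName": "helpdesk-admin",
     "TargetUserName": "contractor1", "TargetDomainName": "CORP"},
]


def is_roastable_request(ev):
    """4769 for a user-style service account (not a computer, not krbtgt) using RC4."""
    if ev["EventID"] != 4769:
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"].lower() == RC4_HMAC


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one principal requests RC4 tickets for >= threshold distinct
    service accounts inside `window`. Returns at most one alert per principal."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):   # slide the window over sorted requests
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts.append({"rule": "kerberoasting", "user": user,
                               "services": sorted(services)})
                break
    return alerts


def detect_sid_history(events):
    """Every 4765 is worth an alert: SID History should only change during migrations."""
    return [{"rule": "sid-history-added", "account": ev["TargetUserName"],
             "by": ev["SubjectUserName"]} for ev in events if ev["EventID"] == 4765]


def run_detections(events):
    return detect_kerberoasting(events) + detect_sid_history(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the constructed events this raises one Kerberoasting alert for rsmith (three distinct service accounts, the computer account WS02$ excluded) and one SID History alert for contractor1, while jdoe's AES requests stay quiet. RC4 alone is noisy in environments that still have legacy clients, so the distinct-service threshold does most of the work; tune it against a baseline. On the prevention side, service accounts with SPNs are best given long random passwords or converted to group Managed Service Accounts, and SID filtering, which is enabled by default on external and forest trusts, discards SID History presented from the trusted side, so it should not be disabled without a documented reason.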

Happy Learning!!