domain trusts

Mimikatz and DCSync and ExtraSids, Oh My

Edit: Benjamin reached out and corrected me on a few points, which I’ve updated throughout the post. Importantly, with the ExtraSids (/sids) for the injected Golden Ticket, you need to specify S-1-5-21domain-516 (“Domain Controllers”) and S-1-5-9 (“Enterprise Domain Controllers”), as well as the SECONDARY$ domain controller SID in order to properly slip by some of the event …

Mimikatz and DCSync and ExtraSids, Oh My Read More »

The Trustpocalypse

I’ve talked about domain trusts more than many people probably care about. A few weeks ago I posted “Domain Trusts: We’re Not Done Yet” – apparently there’s even more! I’ve said before that trusts will not let you magically exploit a domain. I now need to add one caveat to that statement concerning Golden Tickets and external sids, …

The Trustpocalypse Read More »

Domain Trusts: We’re Not Done Yet

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-FindUserTrustGroups  ->  Find-ForeignUser Invoke-FindAllUserTrustGroups  ->  Find-ForeignUser -Recurse Invoke-FindGroupTrustUsers  ->  Find-ForeignGroup Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Get-NetDomainControllers  ->  Get-NetDomainController Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Invoke-EnumerateLocalTrustGroups  ->  Invoke-EnumerateLocalAdmin -TrustGroups A few months ago, my colleague @sixdub and I presented our talk “Trusts You Might Have Missed” at BSides Chicago (the slides are posted here). We covered a lot of information that …

Domain Trusts: We’re Not Done Yet Read More »

Domain Trusts: Why You Should Care

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrusts  ->  Get-NetDomainTrust Get-NetForestTrusts  ->  Get-NetForestTrust Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust Invoke-FindUserTrustGroups  ->  Find-ForeignUser Get-NetDomainControllers  ->  Get-NetDomainController Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public …

Domain Trusts: Why You Should Care Read More »

Trusts You Might Have Missed

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Get-NetForestTrusts  ->  Get-NetForestTrusts Get-NetForestDomains  ->  Get-NetForestDomain Get-NetDomainTrust  ->  Get-NetDomainTrust How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even …

Trusts You Might Have Missed Read More »