mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-29 07:00:31 +00:00
# Domain Enumeration - Trusts

In AD, a trust is a relationship between domains or forests that allows users of one domain or forest to access resources in the other domain or forest. A trust can be automatic (parent-child).

TDOs (Trusted Domain Objects) represent the trust relationships in a domain.

## One way trust

It's a unidirectional trust in which users in the trusted domain can access resources in the trusting (resource) domain, but not the reverse.

## Two way trust (bi directional)

Users of both domains can access resources in the other domain.

## Trust Transitivity

Trust can be extended to establish trust relationships with other domains.

### Transitive

All default intra-forest trust relationships (tree-root, parent-child) between domains within the same forest are transitive two-way trusts.

### Non-transitive

Cannot be extended to other domains in the forest. It can be two-way or one-way. This is the default trust (called an external trust) between two domains in different forests when the forests do not have a trust relationship.

## Domain Trusts
### Default/Automatic Trusts

- Parent-child trust: created automatically between a new domain and the domain that precedes it in the namespace hierarchy whenever a new domain is added to a tree. For example, `dollarcorp.moneycorp.local` is a child of `moneycorp.local`. This trust is always bi-directional.
- Tree-root trust: created automatically whenever a new domain tree is added to a forest root. This trust is bi-directional as well.

### Shortcut Trusts

Used to reduce access time in complex trust scenarios. Can be one-way or two-way transitive.

### External Trust

A trust between two domains in different forests when the forests do not have a trust relationship. Can be one-way or two-way.

# Domain Trust mapping

## PowerView commands

### Get list of all domain trusts for current domain

```
Get-NetDomainTrust
Get-NetDomainTrust -Domain domain_name
```

## AD Module
### Get list of all domain trusts for current domain
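
```
# All trusts of the current domain (Get-ADTrust needs -Filter or -Identity)
Get-ADTrust -Filter *
# A single trust, selected by partner domain name
Get-ADTrust -Identity domain_name
```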
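
The raw TDO attributes behind these listings can be decoded into the trust terms used above. This is an added example, not code from the original writeup: it assumes the `trustDirection` and `trustAttributes` bit values defined in MS-ADTS, the function name `ConvertFrom-TrustTdo` is hypothetical, and the sample TDOs are constructed.

```powershell
# Added example: decode raw TDO attributes into the trust terms used on this page.
# Bit values follow the trustDirection / trustAttributes definitions in MS-ADTS.
function ConvertFrom-TrustTdo {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $LocalDomain,
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Tdo
    )
    process {
        $attr = [int]$Tdo.trustAttributes
        $direction = switch ([int]$Tdo.trustDirection) {
            1 { 'Inbound (one-way): local users can reach partner resources' }
            2 { 'Outbound (one-way): partner users can reach local resources' }
            3 { 'Bidirectional (two-way)' }
            default { 'Disabled' }
        }
        $self    = $LocalDomain.ToLower()
        $partner = ([string]$Tdo.trustPartner).ToLower()
        # Parent-child: one DNS name is a direct suffix of the other.
        $isParentChild = $self.EndsWith(".$partner") -or $partner.EndsWith(".$self")

        if ($attr -band 0x20) {          # TRUST_ATTRIBUTE_WITHIN_FOREST
            # Tree-root and shortcut trusts cannot be told apart from these attributes alone.
            $kind = if ($isParentChild) { 'Parent-child' } else { 'Tree-root or shortcut' }
            $transitive = $true
        } elseif ($attr -band 0x08) {    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
            $kind = 'Forest'
            $transitive = $true
        } else {
            $kind = 'External'
            $transitive = $false
        }
        if ($attr -band 0x01) { $transitive = $false }   # TRUST_ATTRIBUTE_NON_TRANSITIVE

        [pscustomobject]@{
            Partner = $Tdo.trustPartner; Kind = $kind
            Direction = $direction; Transitive = $transitive
        }
    }
}

# Constructed sample TDOs (not real data). On a live domain the same properties come from:
# Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties trustPartner,trustDirection,trustAttributes
$sample = @(
    [pscustomobject]@{ trustPartner = 'moneycorp.local'; trustDirection = 3; trustAttributes = 0x20 }
    [pscustomobject]@{ trustPartner = 'partner.example'; trustDirection = 2; trustAttributes = 0x08 }
    [pscustomobject]@{ trustPartner = 'legacy.example';  trustDirection = 1; trustAttributes = 0x00 }
)
$sample | ConvertFrom-TrustTdo -LocalDomain 'dollarcorp.moneycorp.local' | Format-Table -AutoSize
```

With the constructed input, the three rows come out as a bidirectional transitive parent-child trust, an outbound transitive forest trust, and an inbound non-transitive external trust.
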
# Forest Mapping

## PowerView

### Get details about current forest

```
Get-NetForest
Get-NetForest -Forest name
```

### Get all domains in current forest

```
Get-NetForestDomain
Get-NetForestDomain -Forest name
```

### Get all global catalogs for current forest

```
Get-NetForestCatalog
Get-NetForestCatalog -Forest name
```

### Map trusts of a forest

```
Get-NetForestTrust
Get-NetForestTrust -Forest name
```

## AD Module
### Get details about current forest

```
Get-ADForest
Get-ADForest -Identity name
```

### Get all domains in current forest

```
# The ADForest object exposes the domain list as the Domains property
(Get-ADForest).Domains
```

### Get all global catalogs for current forest

```
Get-ADForest | select -ExpandProperty GlobalCatalogs
```

### Map trusts of a forest

```
# Forest trusts are the TDOs that carry forest trust information
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```