4 - LO 4️

Learning Object 4

Tasks

1 - Enumerate all domains in the moneycorp.local forest

2 - Map the trusts of the dollarcorp.moneycorp.local domain

3 - Map External trusts in moneycorp.local forest

4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

Flag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩

Solutions

1 - Enumerate all domains in the moneycorp.local forest

Start InviShell and PowerView

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1

Using Get-ForestDomain we obtain all domains relative to moneycorp.local forest

Get-DomainTrust -Domain dollarcorp.moneycorp.local | select TargetName,TrustAttributes,TrustDirection

TargetName                    TrustAttributes TrustDirection
----------                    --------------- --------------
moneycorp.local               WITHIN_FOREST   Bidirectional
us.dollarcorp.moneycorp.local WITHIN_FOREST   Bidirectional
eurocorp.local                FILTER_SIDS     Bidirectional

2 - Map the trusts of the dollarcorp.moneycorp.local domain

Using Get-DomainTrust command we're able to retrieve Trusts and relative direction for dollarcorp.moneycorp.local domain

Get-DomainTrust -Domain dollarcorp.moneycorp.local

SourceName      : dollarcorp.moneycorp.local
TargetName      : moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:59:01 AM
WhenChanged     : 4/19/2025 4:04:35 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : us.dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 6:22:51 AM
WhenChanged     : 5/1/2025 5:09:26 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

3 - Map External trusts in moneycorp.local forest

Using Get-DomainTrust and the trust attribute "FILTER_SIDS" we can display all external trust relationship. Enabling FILTER_SIDS ensures that only the primary SID is considered during authorization, ignoring any SIDHistory.

As saw in the last tasks, the current forest is moneycorp.local, so it's not necessary to specify it.

Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

We just know these information regarding dollarcorp domain

Get-DomainTrust -Domain dollarcorp.moneycorp.local | select TargetName,TrustAttributes,TrustDirection

TargetName                    TrustAttributes TrustDirection
----------                    --------------- --------------
moneycorp.local               WITHIN_FOREST   Bidirectional
us.dollarcorp.moneycorp.local WITHIN_FOREST   Bidirectional
eurocorp.local                FILTER_SIDS     Bidirectional

and the relative external trust:

Get-DomainTrust -Domain dollarcorp.moneycorp.local | ? { $_.TrustAttributes -match "FILTER_SIDS" }

SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

To answer at the question: "Can you enumerate trusts for a trusting forest?" Remembering that the external forest is: eurocorp.local, we can enurate all domains of the forest checking the domain trust:

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}

SourceName      : eurocorp.local
TargetName      : eu.eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 5/1/2025 5:03:47 AM

SourceName      : eurocorp.local
TargetName      : dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 5/1/2025 5:09:25 AM

Exception calling "FindAll" with "0" argument(s): "A referral was returned from the
server.
"
At C:\AD\Tools\Powerview.ps1:23860 char:20
+             else { $Results = $Searcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

There's an error message because we can't enumerate trusts of a domain for which we haven't visibility into.

In addition, if we try to check forest domain for eurocorp.local, we can't extract full informations

Get-ForestDomain -Forest eurocorp.local

Forest                  : eurocorp.local
DomainControllers       : {eurocorp-dc.eurocorp.local}
Children                : {eu.eurocorp.local}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : eurocorp-dc.eurocorp.local
RidRoleOwner            : eurocorp-dc.eurocorp.local
InfrastructureRoleOwner : eurocorp-dc.eurocorp.local
Name                    : eurocorp.local

Forest                  :
DomainControllers       :
Children                :
DomainMode              :
DomainModeLevel         :
Parent                  :
PdcRoleOwner            :
RidRoleOwner            :
InfrastructureRoleOwner :
Name                    : eu.eurocorp.local

Flag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩

The trust direction between dollarcorp.moneycorp.local and eurocorp.local can be determined by inspecting the TrustDirection field using:

Get-DomainTrust -Domain dollarcorp.moneycorp.local | ? { $_.TargetName -eq "eurocorp.local" } | select TargetName,TrustAttributes,TrustDirection

Previous3 - LO 3️Next5 - LO 5️

Last updated 8 months ago

hashtagTasks

hashtagSolutions

hashtag1 - Enumerate all domains in the moneycorp.local forest

hashtag2 - Map the trusts of the dollarcorp.moneycorp.local domain

hashtag3 - Map External trusts in moneycorp.local forest

hashtag4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

hashtagFlag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩

Tasks

Solutions

1 - Enumerate all domains in the moneycorp.local forest

2 - Map the trusts of the dollarcorp.moneycorp.local domain

3 - Map External trusts in moneycorp.local forest

4 - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?

Flag 4 [Student VM] - Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local 🚩