Trusts Enum
1. Enumerating domain trusts
Several tools can enumerate domain and forest trust relationships. Below are examples using the built-in cmdlet as well as open-source tooling.
1.1. Get-ADTrust cmdlet
If we are logged on to a host that has the ActiveDirectory PowerShell module installed, the Get-ADTrust cmdlet enumerates every trust the current domain has.
PS C:\htb> Import-Module activedirectory
PS C:\htb> Get-ADTrust -Filter *

Direction               : BiDirectional   # bidirectional trust
DisallowTransivity      : False
DistinguishedName       : CN=logistics.ad,CN=System,DC=inlanefreight,DC=ad
ForestTransitive        : True
IntraForest             : False           # belongs to a different forest
IsTreeParent            : False
IsTreeRoot              : False
Name                    : logistics.ad
ObjectClass             : trustedDomain
ObjectGUID              : 8d52f9da-361b-4dc3-8fa7-af5f282fa741
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=inlanefreight,DC=ad
Target                  : logistics.ad
TGTDelegation           : False
TrustAttributes         : 8               # 0x8 = FOREST_TRANSITIVE (cross-forest trust)
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

Direction               : BiDirectional   # bidirectional trust
DisallowTransivity      : False
DistinguishedName       : CN=child.inlanefreight.ad,CN=System,DC=inlanefreight,DC=ad
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : child.inlanefreight.ad
ObjectClass             : trustedDomain
ObjectGUID              : 44591edf-66d2-4d8c-8125-facb7fb3c643
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=inlanefreight,DC=ad
Target                  : child.inlanefreight.ad
TGTDelegation           : False
TrustAttributes         : 32              # 0x20 = WITHIN_FOREST (intra-forest trust)
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False
The domain we are currently in, INLANEFREIGHT.AD, has a bidirectional forest trust with LOGISTICS.AD and a bidirectional intra-forest (parent-child) trust with CHILD.INLANEFREIGHT.AD. The TrustAttributes value is a bitmask; 8 and 32 are the FOREST_TRANSITIVE and WITHIN_FOREST bits that PowerView prints by name in the next section.
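The raw Get-ADTrust output is hard to read for what matters to an attacker: which side can authenticate where, and how SID filtering is configured. The following PowerShell is an added example written for this page (not code from the original page or from Microsoft): it decodes the TrustAttributes bitmask into the MS-ADTS flag names and prints a plain-language summary of each trust. The bit values are the documented trustAttributes constants; the function and variable names are my own, and the two sample objects at the end are constructed from the output above so the script also runs on a host without the ActiveDirectory module.

```powershell
# Added example, not part of the original page: decode Get-ADTrust output into the
# attribute names PowerView prints and into a statement of who can authenticate where.

# trustAttributes bitmask (MS-ADTS constants). A plain hashtable is used on purpose:
# an [ordered] dictionary would treat integer keys as positional indexes.
$TrustAttributeFlags = @{
    0x001 = 'NON_TRANSITIVE'
    0x002 = 'UPLEVEL_ONLY'
    0x004 = 'QUARANTINED_DOMAIN'       # SID filter quarantine (netdom trust /quarantine:yes)
    0x008 = 'FOREST_TRANSITIVE'
    0x010 = 'CROSS_ORGANIZATION'       # selective authentication
    0x020 = 'WITHIN_FOREST'
    0x040 = 'TREAT_AS_EXTERNAL'        # forest trust filtered only like an external trust (/enablesidhistory:yes)
    0x080 = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'
    0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

function ConvertTo-TrustAttributeNames {
    param([int]$Value)
    $names = foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    if ($names) { $names -join ',' } else { 'NONE' }
}

function Get-TrustSummary {
    # Takes Get-ADTrust objects, or anything exposing the same property names.
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $attr = [int]$Trust.TrustAttributes
        # Direction is relative to Source. Outbound = Source trusts Target, so Target's
        # principals can be granted access in Source; Inbound is the reverse.
        $access = switch ("$($Trust.Direction)") {
            'BiDirectional' { 'principals of either domain can be granted access in the other' }
            'Outbound'      { "principals of $($Trust.Target) can be granted access in $($Trust.Source); not the reverse" }
            'Inbound'       { "principals of $($Trust.Source) can be granted access in $($Trust.Target); not the reverse" }
            default         { 'trust is disabled' }
        }
        $notes = @()
        if ($attr -band 0x020) {
            $notes += 'intra-forest: SID history is not filtered, so a compromised child domain can reach the forest root'
        }
        if ($attr -band 0x008) {
            if ($attr -band 0x040) {
                $notes += 'forest trust treated as external: only well-known SIDs and RIDs below 1000 are filtered, so SID history naming a custom group in the trusting forest is honoured'
            } else {
                $notes += 'forest trust with default SID filtering: SIDs not owned by the trusted forest are dropped'
            }
        }
        if (-not ($attr -band 0x028)) {   # neither FOREST_TRANSITIVE nor WITHIN_FOREST: external trust
            $q = if ($attr -band 0x004) { 'on' } else { 'OFF (netdom trust /quarantine:no)' }
            $notes += "external trust, SID filter quarantine $q"
        }
        if ($attr -band 0x010) { $notes += 'selective authentication: access additionally needs Allowed-To-Authenticate on each resource' }
        if ($Trust.TGTDelegation) { $notes += 'TGT delegation enabled: unconstrained delegation works across this trust' }
        [pscustomobject]@{
            Source     = $Trust.Source
            Target     = $Trust.Target
            Direction  = "$($Trust.Direction)"
            Attributes = ConvertTo-TrustAttributeNames $attr
            Access     = $access
            Notes      = $notes -join '; '
        }
    }
}

# Constructed sample objects mirroring the two trusts in the Get-ADTrust output above.
$SampleTrusts = @(
    [pscustomobject]@{ Source = 'DC=inlanefreight,DC=ad'; Target = 'logistics.ad'
                       Direction = 'BiDirectional'; TrustAttributes = 8;  TGTDelegation = $false }
    [pscustomobject]@{ Source = 'DC=inlanefreight,DC=ad'; Target = 'child.inlanefreight.ad'
                       Direction = 'BiDirectional'; TrustAttributes = 32; TGTDelegation = $false }
)
$SampleTrusts | Get-TrustSummary | Format-List

# Live, on a domain-joined host with the ActiveDirectory module:
#   Get-ADTrust -Filter * | Get-TrustSummary | Format-List
```

On the sample data the first trust decodes to FOREST_TRANSITIVE with default SID filtering and the second to WITHIN_FOREST; the same function run against a live Get-ADTrust will also surface TREAT_AS_EXTERNAL, selective authentication and TGT delegation, which are the settings that decide whether a trust is merely a path or an actual privilege-escalation route.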
1.2. Enumerating domain trusts with PowerView
1.2.1. Get-DomainTrust
PS C:\htb> Get-DomainTrust
SourceName : inlanefreight.ad
TargetName : logistics.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 12/26/2023 4:13:40 PM
WhenChanged : 3/12/2024 4:54:19 AM
SourceName : inlanefreight.ad
TargetName : child.inlanefreight.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 3/13/2024 12:46:48 PM
WhenChanged : 3/13/2024 12:46:48 PM
From this we can see that the parent domain, inlanefreight.ad:
- has a cross-forest (forest) trust with logistics.ad
- has an intra-forest (parent-child) trust with child.inlanefreight.ad
1.2.2. Get-DomainTrustMapping
Get-DomainTrustMapping is also very useful.
It first performs the same enumeration as Get-DomainTrust, then tries to enumerate every trust of each domain it discovered, recursing until no new domain turns up.
PS C:\htb> Get-DomainTrustMapping
SourceName : inlanefreight.ad
TargetName : logistics.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 12/26/2023 4:13:40 PM
WhenChanged : 3/12/2024 4:54:19 AM
SourceName : inlanefreight.ad
TargetName : child.inlanefreight.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 3/13/2024 12:46:48 PM
WhenChanged : 3/13/2024 12:46:48 PM
SourceName : child.inlanefreight.ad
TargetName : inlanefreight.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 3/13/2024 12:46:48 PM
WhenChanged : 3/13/2024 12:46:48 PM
SourceName : logistics.ad
TargetName : inlanefreight.ad
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : TREAT_AS_EXTERNAL,FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 12/26/2023 4:13:40 PM
WhenChanged : 3/13/2024 1:02:44 PM
SourceName : logistics.ad
TargetName : MEGACORP.AD
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Outbound
WhenCreated : 3/9/2024 11:08:15 AM
WhenChanged : 3/15/2024 8:39:41 AM
The recursive enumeration reveals a trust that is not visible from inlanefreight.ad at all:
- Source domain: logistics.ad
- Target domain: MEGACORP.AD
- Trust direction: Outbound, i.e. logistics.ad trusts MEGACORP.AD. Principals from MEGACORP.AD can be granted access to resources in logistics.ad, but not the reverse: the trusting domain's users get nothing in the trusted domain.
Also note that, seen from logistics.ad, the trust back to inlanefreight.ad carries TREAT_AS_EXTERNAL in addition to FOREST_TRANSITIVE. That bit (set by netdom trust /enablesidhistory:yes) relaxes SID filtering on a forest trust to the rules used for external trusts, so SID history presented by inlanefreight.ad principals is honoured in logistics.ad, which is what makes a trust like this worth more than a line in an inventory.
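To make the recursion and the direction semantics concrete, here is an added example (my own code, not PowerView's and not from the original page) that re-implements what Get-DomainTrustMapping does: enumerate the starting domain's trusts, then walk into every domain found, with an explicit visited set so the inlanefreight.ad and logistics.ad trusts, which each list the other, do not loop forever. It also derives a one-hop "who trusts whom" view from TrustDirection. The function names are my own; the default provider wraps Get-ADTrust (PowerView's Get-DomainTrust -Domain works the same way), and the offline provider at the end is constructed from the Get-DomainTrustMapping output above so the script runs without a domain.

```powershell
# Added example, not part of the original page or PowerView: recursive trust mapping
# with cycle handling and a direction-aware reachability summary.

function ConvertFrom-DomainDN {
    # Get-ADTrust reports Source as a DN ('DC=inlanefreight,DC=ad') but Target as a DNS
    # name; normalise to DNS so both ends of an edge compare equal. DNS names pass through.
    param([string]$Name)
    if ($Name -match '^DC=') { (($Name -split ',') -replace '^DC=', '') -join '.' } else { $Name }
}

function Get-TrustMap {
    param(
        [Parameter(Mandatory)][string]$StartDomain,
        # Provider: given a domain name, return objects shaped like PowerView's output
        # (SourceName / TargetName / TrustDirection). Default wraps the AD module;
        # with PowerView use: -Provider { param($d) Get-DomainTrust -Domain $d }
        [scriptblock]$Provider = {
            param($Domain)
            Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
                [pscustomobject]@{ SourceName     = ConvertFrom-DomainDN $_.Source
                                   TargetName     = $_.Target
                                   TrustDirection = "$($_.Direction)" }
            }
        }
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $edges = New-Object System.Collections.Generic.List[object]
    [void]$seen.Add($StartDomain)
    $queue.Enqueue($StartDomain)
    while ($queue.Count) {
        $domain = $queue.Dequeue()
        # A domain we cannot query (e.g. one that does not trust us) is reported, not fatal.
        try { $trusts = @(& $Provider $domain) }
        catch { Write-Warning "$domain unreachable: $_"; continue }
        foreach ($t in $trusts) {
            $edges.Add($t)
            # Only recurse into domains not queried yet: this is what stops the loop on
            # bidirectional trusts, where each side lists the other.
            if ($seen.Add($t.TargetName)) { $queue.Enqueue($t.TargetName) }
        }
    }
    $edges
}

function Get-TrustReach {
    # One-hop view from $Domain. Outbound/Bidirectional edges mean $Domain trusts the
    # target (the target's principals can be granted access here); Inbound/Bidirectional
    # mean the target trusts $Domain (our principals can be granted access there).
    # Transitivity through a second forest trust is deliberately not assumed.
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)]$Edges)
    $mine = $Edges | Where-Object { $_.SourceName -ieq $Domain }
    [pscustomobject]@{
        Domain                = $Domain
        TrustsTheseDomains    = @($mine | Where-Object { $_.TrustDirection -in 'Outbound', 'Bidirectional' } | ForEach-Object TargetName)
        TrustedByTheseDomains = @($mine | Where-Object { $_.TrustDirection -in 'Inbound', 'Bidirectional' }  | ForEach-Object TargetName)
    }
}

# Offline provider constructed from the Get-DomainTrustMapping output above.
$PageEdges = @(
    @{ S = 'inlanefreight.ad';       T = 'logistics.ad';           D = 'Bidirectional' }
    @{ S = 'inlanefreight.ad';       T = 'child.inlanefreight.ad'; D = 'Bidirectional' }
    @{ S = 'child.inlanefreight.ad'; T = 'inlanefreight.ad';       D = 'Bidirectional' }
    @{ S = 'logistics.ad';           T = 'inlanefreight.ad';       D = 'Bidirectional' }
    @{ S = 'logistics.ad';           T = 'MEGACORP.AD';            D = 'Outbound' }
) | ForEach-Object { [pscustomobject]@{ SourceName = $_.S; TargetName = $_.T; TrustDirection = $_.D } }

$OfflineProvider = {
    param($Domain)
    $hits = $PageEdges | Where-Object { $_.SourceName -ieq $Domain }
    # MEGACORP.AD only trusts logistics.ad outbound, so nothing on our side can query it.
    if (-not $hits) { throw "no trust data for $Domain" }
    $hits
}

$map = Get-TrustMap -StartDomain 'inlanefreight.ad' -Provider $OfflineProvider
$map | Format-Table SourceName, TargetName, TrustDirection -AutoSize
Get-TrustReach -Domain 'logistics.ad' -Edges $map | Format-List

# Live: Get-TrustMap -StartDomain (Get-ADDomain).DNSRoot
```

Run offline, the walk visits inlanefreight.ad, logistics.ad and child.inlanefreight.ad, produces the same five edges the page shows, and emits a warning for MEGACORP.AD, which is exactly what the outbound-only trust implies: logistics.ad trusts MEGACORP.AD, so Get-TrustReach lists MEGACORP.AD under TrustsTheseDomains but not under TrustedByTheseDomains.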
1.3. Enumerating domain trusts with BloodHound
BloodHound can visualise the enumerated domain trusts, which makes the trust relationships easy to see at a glance and helps in finding exploitation paths.
Taking the figure above as an example: if our starting point is the CHILD.INLANEFREIGHT.AD domain, we may be able to compromise INLANEFREIGHT.AD and then LOGISTICS.AD through trust attacks. If we start from INLANEFREIGHT.AD, we can reach both the CHILD domain and LOGISTICS.AD.
2. Adalanche
Adalanche is another option for this enumeration.
It is similar to BloodHound but starts faster and ships as a single binary. It is not covered in detail here.

