Trust no one: are one-way trusts one way?
5 days ago
- #Windows
- #Active Directory
- #Security
- One-way trusts in Windows domains allow users from the trusted domain to access resources in the trusting domain, but not vice versa.
- A domain account is automatically created on the trusted forest during trust creation, with specific attributes like TRUST_ACCOUNT and INTERDOMAIN_TRUST_ACCOUNT.
- The password for this trust account is stored in cleartext within a trusted domain object (TDO) on the trusting domain.
- Attackers with Domain Admins privileges on the trusting domain can extract the trust account's password and use it to authenticate on the trusted domain.
- A new tool, tdo_dump.py, is introduced to dump TDOs and extract trust account credentials remotely.
- Compromising the trusting domain provides authenticated access to the trusted domain, breaking the expected unidirectional security boundary.
- The extracted credentials can be used for various AD attacks, including LDAP recon, AD CS exploitation, computer account creation, and Kerberoasting.
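A defender's first step against the issue described above is knowing which side of each trust a domain sits on, because a domain is exposed only where it is the trusting party (its TDO holds the trust account secret). The following PowerShell inventory is an added example, not code from the article or from tdo_dump.py; it assumes the RSAT ActiveDirectory module is installed and the caller can read the domain's trust objects.

```powershell
# Added example (not from the article). Lists every trust of the current domain and
# labels the side it sits on, so one-way trusts where this domain is the TRUSTING party
# stand out: Domain Admins here can reuse the trust account against the partner.
Import-Module ActiveDirectory

function Get-TrustPosture {
    param([Microsoft.ActiveDirectory.Management.ADTrust]$Trust)
    # Direction is reported from this domain's point of view:
    #   Outbound      = this domain trusts the partner (this domain is the trusting side)
    #   Inbound       = the partner trusts this domain (this domain is the trusted side)
    #   BiDirectional = both
    switch ("$($Trust.Direction)") {
        'Outbound'      { 'TRUSTING side - TDO here holds the trust account secret; DA here reaches the partner' }
        'Inbound'       { 'TRUSTED side - partner holds the secret; DA on the partner reaches this domain' }
        'BiDirectional' { 'two-way - each side holds a secret for the other' }
        default         { "unexpected direction value '$($Trust.Direction)'" }
    }
}

Get-ADTrust -Filter * |
    ForEach-Object {
        [pscustomobject]@{
            Partner       = $_.Target
            Direction     = "$($_.Direction)"
            ForestTrust   = $_.ForestTransitive
            SelectiveAuth = $_.SelectiveAuthentication
            Posture       = Get-TrustPosture -Trust $_
        }
    } |
    Sort-Object Direction |
    Format-Table -AutoSize
```

Run it from each domain in the forest, since a trust is only visible on the two domains that hold its TDO; any trust reported as Outbound means the partner's security now depends on this domain's Domain Admins group.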