Deployed daf6fe9 with MkDocs version: 1.6.1

amandaguglieri · Jan 1, 2025 · 97a14d4 · 97a14d4
1 parent 684b300
commit 97a14d4
Show file tree

Hide file tree

Showing 20 changed files with 19,425 additions and 759 deletions.
diff --git a/389-636-ldap/index.html b/389-636-ldap/index.html
@@ -17276,7 +17276,7 @@ <h1 id="389-636-ldap">389 -  636 LDAP</h1>
 <li>It's a binary protocol and by default not encrypted.</li>
 <li>Has been updated to include encryptions addons, as Transport Layer Security (TLS)/SSL and can be tunnelled through SSH</li>
 </ul>
-<p>The hierarchy (tree) of information stored via LDAP is known as the Directory Information Tree (DIT). That structure is defined in a schema.</p>
+<p>The hierarchy (tree) of information stored via LDAP is known as the <strong>Directory Information Tree (DIT).</strong> That structure is defined in a schema.</p>
 <p>A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.</p>
 <p>The latest LDAP specification is Version 3, which is published as <a href="https://tools.ietf.org/html/rfc4511">RFC 4511</a>. <strong>AD</strong> stores user account information and security information such as passwords and facilitates sharing this information with other devices on the network. <strong>LDAP</strong> is the language that applications use to communicate with other servers that also provide directory services. In other words, LDAP is a way that systems in the network environment can "speak" to AD.</p>
 <h2 id="ad-ldap-authentication">AD LDAP Authentication</h2>
@@ -17725,7 +17725,7 @@ <h3 id="example">Example</h3>
 
 <!-- This section adds support for localized revision dates -->
 
-    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-12-27T22:00:41+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-12-27</span></small></br>
+    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-01-01T20:37:04+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-01-01</span></small></br>
 
 
     <small>Created: April 23, 2024 19:54:12</small>

diff --git a/active-directory-from-linux-enumeration/index.html b/active-directory-from-linux-enumeration/index.html
diff --git a/active-directory-from-linux-privilege-escalation/index.html b/active-directory-from-linux-privilege-escalation/index.html
diff --git a/active-directory-from-windows-attacks/index.html b/active-directory-from-windows-attacks/index.html
@@ -16432,7 +16432,7 @@
         <li class="md-nav__item">
   <a href="#dcshadow" class="md-nav__link">
     <span class="md-ellipsis">
-      ⛓️DCShadow
+      ⛓️ DCShadow
     </span>
   </a>
 
@@ -17369,7 +17369,7 @@
         <li class="md-nav__item">
   <a href="#dcshadow" class="md-nav__link">
     <span class="md-ellipsis">
-      ⛓️DCShadow
+      ⛓️ DCShadow
     </span>
   </a>
 
@@ -17725,7 +17725,7 @@ <h4 id="c-inveigh-inveighzero">C# Inveigh (InveighZero)</h4>
 </span></code></pre></div></td></tr></table></div>
 <h2 id="zerologon">❌ Zerologon</h2>
 <p><a href="https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/">See https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/.</a></p>
-<h2 id="dcshadow">⛓️DCShadow</h2>
+<h2 id="dcshadow">⛓️ DCShadow</h2>
 <p><a href="https://blog.netwrix.com/2022/09/28/dcshadow_attack/">See https://blog.netwrix.com/2022/09/28/dcshadow_attack/</a></p>
 <h2 id="petitpotam-ms-efsrpc">🍟 PetitPotam (MS-EFSRPC)</h2>
 <p>! tips ""
@@ -17916,7 +17916,7 @@ <h3 id="powerview">Powerview</h3>
 
 <!-- This section adds support for localized revision dates -->
 
-    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-12-29T19:35:32+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-12-29</span></small></br>
+    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-01-01T20:37:04+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-01-01</span></small></br>
 
 
     <small>Created: December 27, 2024 22:00:41</small>

diff --git a/active-directory-from-windows-enumeration/index.html b/active-directory-from-windows-enumeration/index.html
@@ -16655,6 +16655,84 @@
       </ul>
     </nav>
 
+</li>
+
+        <li class="md-nav__item">
+  <a href="#9-trust-relationships" class="md-nav__link">
+    <span class="md-ellipsis">
+      9. Trust Relationships
+    </span>
+  </a>
+
+    <nav class="md-nav" aria-label="9. Trust Relationships">
+      <ul class="md-nav__list">
+
+          <li class="md-nav__item">
+  <a href="#introduction-to-domain-trust-overview" class="md-nav__link">
+    <span class="md-ellipsis">
+      Introduction to Domain Trust Overview
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#windows-binary-nltest" class="md-nav__link">
+    <span class="md-ellipsis">
+      Windows binary: nltest
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#powershell_4" class="md-nav__link">
+    <span class="md-ellipsis">
+      Powershell
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#active-directory-module-get-adtrust" class="md-nav__link">
+    <span class="md-ellipsis">
+      Active Directory module: Get-ADTrust
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#powerviewps1-module-get-domaintrust" class="md-nav__link">
+    <span class="md-ellipsis">
+      PowerView.ps1 module: Get-DomainTrust
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#netdom" class="md-nav__link">
+    <span class="md-ellipsis">
+      netdom
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#visualizing-trust-relationships-in-bloodhound" class="md-nav__link">
+    <span class="md-ellipsis">
+      Visualizing Trust Relationships in BloodHound
+    </span>
+  </a>
+
+</li>
+
+      </ul>
+    </nav>
+
 </li>
 
     </ul>
@@ -17733,6 +17811,84 @@
       </ul>
     </nav>
 
+</li>
+
+        <li class="md-nav__item">
+  <a href="#9-trust-relationships" class="md-nav__link">
+    <span class="md-ellipsis">
+      9. Trust Relationships
+    </span>
+  </a>
+
+    <nav class="md-nav" aria-label="9. Trust Relationships">
+      <ul class="md-nav__list">
+
+          <li class="md-nav__item">
+  <a href="#introduction-to-domain-trust-overview" class="md-nav__link">
+    <span class="md-ellipsis">
+      Introduction to Domain Trust Overview
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#windows-binary-nltest" class="md-nav__link">
+    <span class="md-ellipsis">
+      Windows binary: nltest
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#powershell_4" class="md-nav__link">
+    <span class="md-ellipsis">
+      Powershell
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#active-directory-module-get-adtrust" class="md-nav__link">
+    <span class="md-ellipsis">
+      Active Directory module: Get-ADTrust
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#powerviewps1-module-get-domaintrust" class="md-nav__link">
+    <span class="md-ellipsis">
+      PowerView.ps1 module: Get-DomainTrust
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#netdom" class="md-nav__link">
+    <span class="md-ellipsis">
+      netdom
+    </span>
+  </a>
+
+</li>
+
+          <li class="md-nav__item">
+  <a href="#visualizing-trust-relationships-in-bloodhound" class="md-nav__link">
+    <span class="md-ellipsis">
+      Visualizing Trust Relationships in BloodHound
+    </span>
+  </a>
+
+</li>
+
+      </ul>
+    </nav>
+
 </li>
 
     </ul>
@@ -19184,10 +19340,110 @@ <h3 id="powerview_2">Powerview</h3>
 </span><span id="__span-53-4"><a id="__codelineno-53-4" name="__codelineno-53-4"></a><span class="c"># In this case we  can see that the `Domain Users` group has several rights over the `Disconnect Idle RDP` GPO. </span>
 </span></code></pre></div></td></tr></table></div>
 <p><a href="../active-directory-from-windows-attacks/#group-policy-object-abuse">See how to take this attack further</a>.</p>
+<h2 id="9-trust-relationships">9. Trust Relationships</h2>
+<h3 id="introduction-to-domain-trust-overview">Introduction to Domain Trust Overview</h3>
+<p>A trust creates a link between the authentication systems of two domains and may allow either one-way or two-way (bidirectional) communication. </p>
+<p>Types of trusts:</p>
+<ul>
+<li><code>Parent-child</code>: Two or more domains within the same forest. The child domain has a two-way transitive trust with the parent domain, meaning that users in the child domain <code>corp.inlanefreight.local</code> could authenticate into the parent domain <code>inlanefreight.local</code>, and vice-versa.</li>
+<li><code>Cross-link</code>: A trust between child domains to speed up authentication.</li>
+<li><code>External</code>: A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes <a href="https://www.serverbrain.org/active-directory-2008/sid-history-and-sid-filtering.html">SID filtering</a> or filters out authentication requests (by SID) not from the trusted domain.</li>
+<li><code>Tree-root</code>: A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest.</li>
+<li><code>Forest</code>: A transitive trust between two forest root domains.</li>
+<li><a href="https://docs.microsoft.com/en-us/security/compass/esae-retirement">ESAE</a>: A bastion forest used to manage Active Directory.</li>
+</ul>
+<p>Trusts can be transitive or non-transitive:</p>
+<ul>
+<li>A <code>transitive</code> trust means that trust is extended to objects that the child domain trusts:<ul>
+<li>Shared, 1 to many.</li>
+<li>The trust is shared with anyone in the forest. </li>
+<li>Forest, tree-root, parent-child, and cross-link trusts are transitive.</li>
+</ul>
+</li>
+<li>In a non-transitive trust, the child domain itself is the only one trusted:<ul>
+<li>Direct trust.</li>
+<li>Not extended to the next level child domains.</li>
+<li>Typical for external or custom trust setup.</li>
+</ul>
+</li>
+</ul>
+<p>Trusts can be set up in two directions: one-way or two-way (bidirectional):</p>
+<ul>
+<li>
+<ul>
+<li><code>One-way trust</code>: Users in a <code>trusted</code> domain can access resources in a trusting domain, not vice-versa.</li>
+</ul>
+</li>
+<li><code>Bidirectional trust</code>: Users from both trusting domains can access resources in the other domain. </li>
+</ul>
+<h3 id="windows-binary-nltest">Windows binary: nltest</h3>
+<p>Similar, but very simplified information could be gleaned from a native Windows binary:</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-54-1">1</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-54-1"><a id="__codelineno-54-1" name="__codelineno-54-1"></a><span class="n">nltest</span> <span class="p">/</span><span class="n">domain_trusts</span>
+</span></code></pre></div></td></tr></table></div>
+<h3 id="powershell_4">Powershell</h3>
+<p>Powershell way of checking trust relationships:</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-55-1">1</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-55-1"><a id="__codelineno-55-1" name="__codelineno-55-1"></a><span class="p">(</span><span class="no">[System.DirectoryServices.ActiveDirectory.Domain]</span><span class="p">::</span><span class="n">GetCurrentDomain</span><span class="p">()).</span><span class="n">GetAllTrustRelationships</span><span class="p">()</span>
+</span></code></pre></div></td></tr></table></div>
+<h3 id="active-directory-module-get-adtrust">Active Directory module: Get-ADTrust</h3>
+<p><a href="../activedirectory-powershell-module/">See complete Active directory powershell module</a>.</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-56-1">1</a></span>
+<span class="normal"><a href="#__codelineno-56-2">2</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-56-1"><a id="__codelineno-56-1" name="__codelineno-56-1"></a><span class="nb">Import-Module</span> <span class="n">activedirectory</span>
+</span><span id="__span-56-2"><a id="__codelineno-56-2" name="__codelineno-56-2"></a><span class="nb">Get-ADTrust</span> <span class="n">-Filter</span> <span class="p">*</span>
+</span></code></pre></div></td></tr></table></div>
+<p>Pay attention to properties such as Direction, ForestTransitive and some others. </p>
+<p>From here we could enumerate users in the child domain:</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-57-1">1</a></span>
+<span class="normal"><a href="#__codelineno-57-2">2</a></span>
+<span class="normal"><a href="#__codelineno-57-3">3</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-57-1"><a id="__codelineno-57-1" name="__codelineno-57-1"></a><span class="nb">Get-DomainUser</span> <span class="n">-Domain</span> <span class="nv">$domain</span> <span class="p">|</span> <span class="nb">select </span><span class="n">SamAccountName</span>
+</span><span id="__span-57-2"><a id="__codelineno-57-2" name="__codelineno-57-2"></a><span class="c"># Example:</span>
+</span><span id="__span-57-3"><a id="__codelineno-57-3" name="__codelineno-57-3"></a><span class="c"># Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName</span>
+</span></code></pre></div></td></tr></table></div>
+<h3 id="powerviewps1-module-get-domaintrust">PowerView.ps1 module: Get-DomainTrust</h3>
+<p>PowerView can be used to perform a domain trust mapping and provide information such as the type of trust (parent/child, external, forest) and the direction of the trust (one-way or bidirectional).</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-58-1">1</a></span>
+<span class="normal"><a href="#__codelineno-58-2">2</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-58-1"><a id="__codelineno-58-1" name="__codelineno-58-1"></a><span class="nb">Import-Module</span> <span class="p">.\</span><span class="n">PowerView</span><span class="p">.</span><span class="n">ps1</span>
+</span><span id="__span-58-2"><a id="__codelineno-58-2" name="__codelineno-58-2"></a><span class="nb">Get-DomainTrust</span>
+</span></code></pre></div></td></tr></table></div>
+<p>Also we could do some mapping:</p>
+<div class="language-powershell highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-59-1">1</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-59-1"><a id="__codelineno-59-1" name="__codelineno-59-1"></a><span class="nb">Get-DomainTrustMapping</span>
+</span></code></pre></div></td></tr></table></div>
+<h3 id="netdom">netdom</h3>
+<p>The <code>netdom query</code> sub-command of the <code>netdom</code> command-line tool in Windows can retrieve information about the domain, including a list of workstations, servers, and domain trusts.</p>
+<div class="language-text highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span><span class="normal"><a href="#__codelineno-60-1"> 1</a></span>
+<span class="normal"><a href="#__codelineno-60-2"> 2</a></span>
+<span class="normal"><a href="#__codelineno-60-3"> 3</a></span>
+<span class="normal"><a href="#__codelineno-60-4"> 4</a></span>
+<span class="normal"><a href="#__codelineno-60-5"> 5</a></span>
+<span class="normal"><a href="#__codelineno-60-6"> 6</a></span>
+<span class="normal"><a href="#__codelineno-60-7"> 7</a></span>
+<span class="normal"><a href="#__codelineno-60-8"> 8</a></span>
+<span class="normal"><a href="#__codelineno-60-9"> 9</a></span>
+<span class="normal"><a href="#__codelineno-60-10">10</a></span>
+<span class="normal"><a href="#__codelineno-60-11">11</a></span>
+<span class="normal"><a href="#__codelineno-60-12">12</a></span>
+<span class="normal"><a href="#__codelineno-60-13">13</a></span>
+<span class="normal"><a href="#__codelineno-60-14">14</a></span></pre></div></td><td class="code"><div><pre><span></span><code><span id="__span-60-1"><a id="__codelineno-60-1" name="__codelineno-60-1"></a># List trusts:
+</span><span id="__span-60-2"><a id="__codelineno-60-2" name="__codelineno-60-2"></a>netdom query /domain:$domain trust
+</span><span id="__span-60-3"><a id="__codelineno-60-3" name="__codelineno-60-3"></a># Example:
+</span><span id="__span-60-4"><a id="__codelineno-60-4" name="__codelineno-60-4"></a># netdom query /domain:inlanefreight.local trust
+</span><span id="__span-60-5"><a id="__codelineno-60-5" name="__codelineno-60-5"></a>
+</span><span id="__span-60-6"><a id="__codelineno-60-6" name="__codelineno-60-6"></a># Enumerate Domain Controllers with accounts in the domain
+</span><span id="__span-60-7"><a id="__codelineno-60-7" name="__codelineno-60-7"></a>netdom query /domain:$domain dc
+</span><span id="__span-60-8"><a id="__codelineno-60-8" name="__codelineno-60-8"></a># Example: 
+</span><span id="__span-60-9"><a id="__codelineno-60-9" name="__codelineno-60-9"></a># netdom query /domain:inlanefreight.local dc
+</span><span id="__span-60-10"><a id="__codelineno-60-10" name="__codelineno-60-10"></a>
+</span><span id="__span-60-11"><a id="__codelineno-60-11" name="__codelineno-60-11"></a>#  query workstations and servers
+</span><span id="__span-60-12"><a id="__codelineno-60-12" name="__codelineno-60-12"></a>netdom query /domain:$domain workstation
+</span><span id="__span-60-13"><a id="__codelineno-60-13" name="__codelineno-60-13"></a># Example:
+</span><span id="__span-60-14"><a id="__codelineno-60-14" name="__codelineno-60-14"></a># netdom query /domain:inlanefreight.local workstation
+</span></code></pre></div></td></tr></table></div>
+<h3 id="visualizing-trust-relationships-in-bloodhound">Visualizing Trust Relationships in BloodHound</h3>
+<p><a href="../bloodhound/">See more about bloodhound</a>.</p>
+<p><img alt="" src="../img/blood02.png" /></p>
 
 <!-- This section adds support for localized revision dates -->
 
-    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-12-29T19:35:32+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-12-29</span></small></br>
+    <small>Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-01-01T20:37:04+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-01-01</span></small></br>
 
 
     <small>Created: December 27, 2024 22:00:41</small>