7

I am trying to identify specific attack vectors that occur due to domain/forest trust in Active Directory. Microsoft in their KB Articles Domain Trust, section "Considerations About Trusts" write that:

Domain administrators of any domain in the forest have the potential to take ownership and modify any information in the Configuration container of Active Directory. These changes will be available and replicate to all domain controllers in the forest.

But there is no specific description of how. In Security Considerations for Trusts, Microsoft list two more specific issues:

  • Disabled SID Filtering here and here ( I understand you can disable it on external trusts?); and
  • Enabled SID history.

Are there any other attacks that are specific to domain trusts? e.g. SMB Replay attack isn't specific to trust. Also, how does the writing to Configuration OU can be achieved and what can you write from the other domain?

Konrads
  • 589
  • 1
  • 5
  • 15
  • This is a very good question. It will probably get a lot more love on Security.SE. I've flagged this question for moderator review to see if they agree. – MDMarra Jul 06 '12 at 14:55
  • You can use LDAP, MAPI, SAM as well the replication. There are many LDAP tools, including some microsoft ones, as well you can login as domain administrator to DC1.DMN1, open the active directory users and groups, and connect to DC1.DMN2, and during this the MAPI call is used do it doesnt ask for the password, but I believe you could do this with LDAP server and your login/password too. Then you expand the tree of the directory and modify the objects. The changes are saved and replicated. For example, try changing ownership of objects. – Andrew Smith Jul 11 '12 at 12:24
  • Ideally with Platform SDK you can definitely make it, and there is good description on MSDN how to do it. – Andrew Smith Jul 11 '12 at 12:28
  • @AndrewSmith I don't think you can do that - domain admin privilege is non transitive unless explicitly added. – Konrads Jul 17 '12 at 19:55

1 Answers1

2

You can enumerate users

You can enumerate computers

You can query DNS for interesting information

If your domain is now in the search domain of the trusted domain you can use shortname replacements (autodiscovery) etc to try and trick client systems into accessing your resources insecurely and popping into social engineering environments.

This is generally a very bad idea if you're doing this with a third party. This is why you have Federation systems that use SAML (eg ADFS.)

Ori
  • 2,757
  • 1
  • 15
  • 29