Domain Trusts are authentication relationships between Active Directory domains/forests that allow users to access resources across domain boundaries. Understanding trust relationships is critical for penetration testers as they often provide unintended attack paths and "end-around" routes into target environments, especially in M&A scenarios where security may not have been properly considered during trust establishment.
| Trust Type | Description | Use Case |
|---|---|---|
| Parent-child | Two-way transitive trust within same forest | Child domain ↔ Parent domain authentication |
| Cross-link | Trust between child domains | Speed up authentication between siblings |
| External | Non-transitive trust between separate forests | Business partnerships, limited access |
| Tree-root | Two-way transitive between forest root and new tree | New tree root domain creation |
| Forest | Transitive trust between forest root domains | Complete forest-to-forest access |
| ESAE | Bastion forest for AD management | High-security administrative isolation |
- Transitive: Trust extends through relationships (A→B→C = A→C)
- Non-transitive: Direct trust only, no extension
- One-way: Trusted domain users access trusting domain resources
- Bidirectional: Mutual access between both domains
# Import Active Directory module
Import-Module activedirectory
# Enumerate all domain trusts
Get-ADTrust -Filter *# Basic trust enumeration
Get-DomainTrust
# Comprehensive trust mapping
Get-DomainTrustMapping
# Cross-domain user enumeration
Get-DomainUser -Domain CHILD.DOMAIN.LOCAL | select SamAccountName# Query domain trusts
netdom query /domain:inlanefreight.local trust
# Query domain controllers
netdom query /domain:inlanefreight.local dc
# Query workstations and servers
netdom query /domain:inlanefreight.local workstation- Pre-built query: "Map Domain Trusts"
- Visual representation: Trust relationships and directions
- Attack path analysis: Trust-based privilege escalation routes
# RDP connection to target
xfreerdp /v:10.129.149.107 /u:htb-student /p:Academy_student_AD!
# PowerShell preparation
cd C:\Tools\
Import-Module .\PowerView.ps1Solution:
# Enumerate domain trust relationships
Get-DomainTrustMapping
# Lab output analysis:
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST # ← Child domain indicator
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 3/29/2022 5:14:31 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE # ← Forest trust indicator
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:09 PM
WhenChanged : 3/29/2022 4:48:04 PM🎯 Answer: LOGISTICS.INLANEFREIGHT.LOCAL
Analysis: Look for TrustAttributes : WITHIN_FOREST to identify child domains.
Solution:
# Same Get-DomainTrustMapping output analysis
# Look for TrustAttributes : FOREST_TRANSITIVE🎯 Answer: FREIGHTLOGISTICS.LOCAL
Analysis: Look for TrustAttributes : FOREST_TRANSITIVE to identify forest trusts.
Solution:
# From same Get-DomainTrustMapping output
# Check TrustDirection field for FREIGHTLOGISTICS.LOCAL trust🎯 Answer: Bidirectional
Analysis: TrustDirection : Bidirectional indicates mutual access between forests.
- Cross-domain privilege escalation: Compromise child → attack parent
- Forest-to-forest attacks: External trust exploitation
- Kerberoasting across trusts: Service accounts in trusted domains
- "End-around" attacks: Target softer trusted domains for indirect access
- Scope verification: Ensure trusted domains are within Rules of Engagement
- Trust purpose analysis: Legitimate business need vs security risk
- Bidirectional risk: Mutual access increases attack surface
- M&A trust reviews: Recently acquired companies may have weaker security posture
PowerView Trust Mapping → Trust Type Analysis → Cross-Domain Enumeration → Attack Path Planning
(Get-DomainTrustMapping) (WITHIN_FOREST vs (Get-DomainUser) (Privilege Escalation)
FOREST_TRANSITIVE)
- WITHIN_FOREST: Child domain relationship (high attack value)
- FOREST_TRANSITIVE: External forest trust (lateral movement opportunity)
- Bidirectional: Mutual access (increased attack surface)
- Reconnaissance foundation: Trust discovery enables advanced attack planning
- Risk assessment: Understanding trust implications for organizational security
- Attack path identification: Trust relationships often provide privilege escalation routes
🔗 Domain trust enumeration provides critical infrastructure mapping for advanced Active Directory attacks - essential foundation for trust-based privilege escalation and cross-domain exploitation!