# Enumerate Trust

* Let’s enumerate the trusts:

```
ldeep ldap -u Donald.Trump -p 'MaKeam3ricaGr3at' -d newyork.local -s ldap://192.168.56.10 trusts
ldeep ldap -u Donald.Trump -p 'MaKeam3ricaGr3at' -d newyork.local -s ldap://192.168.56.12 trusts
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fon02Su50M5k65XVYv1WQ%2Fimage.png?alt=media&#x26;token=ab725a31-84f0-4489-98e3-9602a342ec52" alt=""><figcaption></figcaption></figure>

* The newyork to maryland trust link is `FOREST_TRANSITIVE | TREAT_AS_EXTERNAL` due to Sid history enabled
* The Maryland to newyork trust link is just `FOREST_TRANSITIVE`
* The corresponding ldap query is : `(objectCategory=trustedDomain)`
* We can observe this with bloodhound too (button map domain trusts)

```
sudo /usr/bin/./neo4j console
```

```
sudo /opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FxUuoXKA31BzbnaOGKMZ6%2Fimage.png?alt=media&#x26;token=09615d08-29f0-45ac-b7dd-d14298d6a5ff" alt=""><figcaption></figcaption></figure>