Enumerate Trust

• Let’s enumerate the trusts:

ldeep ldap -u Donald.Trump -p 'MaKeam3ricaGr3at' -d newyork.local -s ldap://192.168.56.10 trusts
ldeep ldap -u Donald.Trump -p 'MaKeam3ricaGr3at' -d newyork.local -s ldap://192.168.56.12 trusts

• The newyork to maryland trust link is FOREST_TRANSITIVE | TREAT_AS_EXTERNAL due to Sid history enabled

• The Maryland to newyork trust link is just FOREST_TRANSITIVE

• The corresponding ldap query is : (objectCategory=trustedDomain)

• We can observe this with bloodhound too (button map domain trusts)

sudo /usr/bin/./neo4j console

sudo /opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage