This technique leverages the trust account$ (the account present on the trusted domain) password hash: once the trusting domain is compromised, that hash is enough to access resources on the trusted domain.

Assume two domains, first.local and second.local, where first.local does not trust second.local, but second.local trusts first.local. Put simply, it is possible to access resources from first.local on second.local, but not the other way around.

The goal is to access resources on first.local from the second.local domain once second.local has been compromised and domain admin privileges have been obtained there.

When the trust is established, with first.local as the trusted domain and second.local as the trusting domain, the trust account first.local\second$ (a user account second$ in the domain first.local) is created. first.local\second$ is the trust account we want to, and can, compromise from the second.local domain, assuming we have domain admin privileges there.

Trust account second$ on the first.local domain:

Domain trusts on second.local from first.local:

Domain trusts on first.local from the trusting domain:

Once again, the goal is to compromise the trust account first.local\second$, which is possible if we have domain admin privileges on second.local.

To compromise first.local\second$ and reveal its password hash, we can use mimikatz to dump the trust keys. In its output, note the [out] first.local -> second.local line: this is the NTLM hash for the first.local\second$ trust account, so capture it.

With the hash for first.local\second$ we can request its TGT from first.local. Once that request completes on second-dc.second.local, we have a TGT for first.local\second$ in memory and can start enumerating resources on first.local. This concludes the technique, showing that it is possible to access resources on a trusted domain (as a low-privileged user) once the trusting domain is compromised.

Two caveats worth keeping in mind: the ticket carries only the privileges that second$ holds in first.local, so it provides a foothold for enumeration rather than administrative access, and trust passwords are rotated automatically (by default every 30 days), so a captured hash is only usable until the next rotation.