Penetration Testing for Active Directory Forests: Exploring Trust Relationships

  • Carlos García

Carlos García, Security Penetration Testing Lead in the Cyber Risk practice at Kroll, a division of Duff & Phelps, presented “Pentesting Active Directory Forests” last month at RootedCON 2019, one of the most important cybersecurity conferences in Spain. Carlos addressed the lack of knowledge about trust relationships between domains and forests and highlighted the often-unrecognized risks that different trust relationships present for organizations.

Active Directory (AD) is critical software for most organizations. As the backbone of the organization, it is the single centralized point that handles authentication and controls authorized access to all critical resources. However, AD deployments must be constantly adapted, extended and restructured as employee and business needs change, and as a result they become hard to maintain over time. This is particularly relevant for large organizations with complex infrastructures supporting complex business processes.

In the presentation, Carlos investigated how attackers take advantage of AD trust relationships to compromise the domains and forests involved, especially when the target is in a different domain.

He showed how to carry out an in-depth reconnaissance phase, how authentication protocols across domains and forests work and the attacks and techniques to leverage to move laterally and vertically across domains and forests – in short, a methodology to penetration test AD forests.
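As an added example of the trust-review part of that reconnaissance phase (my code, not from the talk or its slides), the following PowerShell function flags the trust settings a pentester looks for first. It takes objects shaped like the output of the RSAT ActiveDirectory module's Get-ADTrust cmdlet (IntraForest, ForestTransitive, SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication, TGTDelegation, Direction); the risk rules are my own summary of standard trust-hardening checks, and the three sample trusts at the end are constructed so the function can be run without a domain.

```powershell
# Added example, not part of the original page: review a domain's trusts for
# the settings that turn a trust into an unintended access path.
# Input objects are shaped like Get-ADTrust output (ActiveDirectory module).
function Test-TrustConfiguration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Trust
    )
    process {
        $findings = New-Object System.Collections.Generic.List[string]

        if ($Trust.IntraForest) {
            # Parent-child and tree-root trusts cannot be SID-filtered, so a
            # compromised child domain can be escalated to the forest root.
            $findings.Add('intra-forest trust: this domain is not a security boundary within the forest')
        }
        elseif ($Trust.ForestTransitive) {
            # Forest trust. SID filtering is on by default; it is off if
            # someone enabled SID history across the trust (netdom /EnableSIDHistory:Yes).
            if (-not $Trust.SIDFilteringForestAware) {
                $findings.Add('forest trust with SID history enabled (SID filtering relaxed)')
            }
            if ($Trust.TGTDelegation) {
                $findings.Add('TGT delegation allowed across the forest trust (unconstrained delegation crosses the boundary)')
            }
        }
        else {
            # External (non-transitive) trust: the "quarantine" flag is the
            # SID filtering control here.
            if (-not $Trust.SIDFilteringQuarantined) {
                $findings.Add('external trust without SID filtering (quarantine disabled)')
            }
        }

        # Outbound (or bidirectional) means this domain trusts the other side's
        # users; without selective authentication all of them become
        # "Authenticated Users" on resources in this domain.
        if (-not $Trust.IntraForest -and -not $Trust.SelectiveAuthentication -and
            ("$($Trust.Direction)" -in @('Outbound', 'BiDirectional'))) {
            $findings.Add('trusted domain users authenticate here without selective authentication')
        }

        [pscustomobject]@{
            Name      = $Trust.Name
            Direction = "$($Trust.Direction)"
            Type      = if ($Trust.IntraForest) { 'IntraForest' } elseif ($Trust.ForestTransitive) { 'Forest' } else { 'External' }
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample trusts (not real data) so the function runs offline.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; IntraForest = $true;  ForestTransitive = $false; SIDFilteringForestAware = $false; SIDFilteringQuarantined = $false; SelectiveAuthentication = $false; TGTDelegation = $false }
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; IntraForest = $false; ForestTransitive = $true;  SIDFilteringForestAware = $false; SIDFilteringQuarantined = $false; SelectiveAuthentication = $false; TGTDelegation = $true  }
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'Outbound';      IntraForest = $false; ForestTransitive = $false; SIDFilteringForestAware = $false; SIDFilteringQuarantined = $true;  SelectiveAuthentication = $true;  TGTDelegation = $false }
)
$sampleTrusts | Test-TrustConfiguration | Format-Table -AutoSize -Wrap

# Against a real domain (requires the RSAT ActiveDirectory module):
# Get-ADTrust -Filter * | Test-TrustConfiguration | Format-Table -AutoSize -Wrap
```

With the sample data, the intra-forest trust is reported as not being a security boundary, the forest trust is reported for relaxed SID filtering, TGT delegation and missing selective authentication, and the external trust comes back clean. The same checks can be cross-referenced from a non-domain-joined host with `nltest /domain_trusts /all_trusts`, which shows the raw trust attribute flags.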

Key Takeaways
  • Domain boundaries are not security boundaries; the forest is the security boundary.
  • Trusts can introduce unintended access paths. There should be a business justification for each trust, and trusts need to be constantly managed and reviewed.
  • Losing control of the password hash of any domain's KRBTGT account (the Key Distribution Center service account whose key encrypts and signs Kerberos ticket-granting tickets) can equate to losing control of the entire forest. After a compromise, the KRBTGT password must be reset twice in every domain in the forest.
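An added PowerShell sketch of the double reset that the last takeaway calls for, written for this page rather than taken from the talk. Two resets are needed because a domain controller keeps the current and the previous krbtgt key, so a single reset leaves a stolen hash usable. The script uses the RSAT ActiveDirectory module, resets on each domain's PDC emulator, and polls every domain controller's copy of the krbtgt account until the new key has replicated; the `-HoursBetweenResets` default of 10 (the default maximum TGT lifetime) and the helper names are my choices. It supports -WhatIf so the run can be rehearsed.

```powershell
# Added example, not from the original page: reset the krbtgt password twice
# in every domain of the forest, waiting for replication to converge after
# each reset. Requires the RSAT ActiveDirectory module and Domain Admin rights
# in every domain. Rehearse with -WhatIf before running for real.
function New-RandomPassword {
    # 32 random bytes as base64. The krbtgt key is derived from this value,
    # which never needs to be known or stored by anyone.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$ConvergenceTimeoutMinutes = 30
    )
    # Reset on the PDC emulator: a DC that cannot decrypt a ticket with its own
    # copy of the key retries against the PDC, so the PDC must hold the new key first.
    $pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $before = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet

    if ($PSCmdlet.ShouldProcess("krbtgt in $Domain (via $pdc)", 'Reset password')) {
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)

        # Poll every DC until its PasswordLastSet moves past the pre-reset value.
        $deadline = (Get-Date).AddMinutes($ConvergenceTimeoutMinutes)
        do {
            Start-Sleep -Seconds 30
            $lagging = foreach ($dc in $dcs) {
                $pls = (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
                if ($pls -le $before) { $dc.HostName }
            }
            if ($lagging) { Write-Verbose ('Waiting for: ' + ($lagging -join ', ')) }
        } while ($lagging -and (Get-Date) -lt $deadline)

        if ($lagging) {
            throw "New krbtgt key did not replicate in $Domain within $ConvergenceTimeoutMinutes minutes: $($lagging -join ', ')"
        }
    }
}

function Invoke-ForestKrbtgtReset {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Gap between the two resets. The second reset invalidates every TGT
        # issued under the first key, so waiting at least the maximum TGT
        # lifetime (10 hours by default) avoids breaking live sessions. Use 0
        # only when an attacker holding the hash must be locked out immediately,
        # accepting the resulting re-authentication storm.
        [double]$HoursBetweenResets = 10
    )
    $domains = (Get-ADForest).Domains
    foreach ($pass in 1, 2) {
        foreach ($domain in $domains) {
            Write-Host "Pass $pass of 2: resetting krbtgt in $domain"
            Reset-KrbtgtOnce -Domain $domain -WhatIf:$WhatIfPreference
        }
        if ($pass -eq 1 -and $HoursBetweenResets -gt 0 -and -not $WhatIfPreference) {
            Start-Sleep -Seconds ([int]($HoursBetweenResets * 3600))
        }
    }
}

# Rehearse first, then run for real (expect a multi-hour run):
# Invoke-ForestKrbtgtReset -WhatIf
# Invoke-ForestKrbtgtReset -Verbose
```

Microsoft also publishes a supported script for this procedure (New-KrbtgtKeys.ps1), which performs the same convergence checks and is the safer choice in a production forest; the sketch above is meant to show what the procedure actually has to do and why each domain in the forest must be covered.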

Business Risk

Compromise of a single Domain Admin account anywhere in the AD forest exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by every domain: users, servers, workstations and data. Moreover, the attacker could immediately establish persistence in the AD environment; such persistence is difficult to detect and cannot be remediated efficiently or with any real guarantee.
The video of the talk has not yet been published by RootedCON; however, the slides are available for download on this page in PDF format.

Assessing Active Directory Security

Our Cyber Risk team observed that many companies face challenges around the security and integrity of their AD. We help assess the security maturity of your AD deployment and improve its resilience to meet the appropriate security level for your business in the threat environment you operate in.

Published: 2 May 2019
