
Conversation

@MCookieSteal

Description

This pull request introduces the complete trust-enum module for domain trust enumeration and sensitive hash extraction in Active Directory environments. The module adds the following key features:

  • Enumerates all domain trust relationships: Parent, child, external, and forest trusts, displaying their domain names, SIDs, direction, type, and attribute details.
  • Extracts current domain SID and trusted domain SIDs: Includes advanced parsing to handle conversion from binary SID.
  • Optionally extracts krbtgt and trust account hashes: Uses DCSync via Impacket's RemoteOperations and NTDSHashes, with fine-grained mapping of trust accounts for later use.
  • Forges inter-realm Kerberos tickets: For domains with forest trusts and available hashes, simulates tickets with Domain Admins privileges to facilitate cross-domain attacks.
  • Visualizes and summarizes trust relationships: Includes clear log outputs and SID mappings for investigation and reporting.

This change does not introduce breaking modifications to existing functionality; instead, it adds substantial new enumeration and attack support for LDAP protocol targeting domain controllers.

No new third-party dependencies are added beyond Impacket, which the project already relies on. The module includes extensive in-line documentation and error handling. For forging tickets, the Kerberos cryptographic and ASN.1 methods are based on Impacket's existing classes.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

  • Environment:
    • Python 3.11 (recommended) on Linux or Windows.
    • Ensure impacket is installed and all NetExec dependencies are satisfied (poetry install).
  • Prerequisites:
    • You need Domain Admin credentials, or another account capable of DCSync in the target domain.
    • Prepare one or more test Active Directory environments:
      • At least two domains with parent/child/external/forest relationships.
      • Configure trusts and ensure NTDS is accessible.
  • Testing steps:
    • Run: netexec ldap <dc-ip> -u <username> -p <password> -M trust-enum to enumerate all trusts.
    • Optionally, run with -o NO_HASHES=True to skip hash extraction.
    • Run with default options to trigger DCSync and ticket forging.
    • For ticket forging, validate that .ccache files are generated and can be used with export KRB5CCNAME=... and relevant Kerberos tooling.
  • Bug/feature reproduction:
    • For hash extraction, ensure AD ACLs allow replication permissions or use a full admin account.
    • For ticket forging, test with an environment containing at least one forest trust and observe generated tickets.

Screenshots (if appropriate):


Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

…raction, and inter-realm ticket forging

New LDAP module trust-enum enumerates Active Directory domain trust relationships, extracts domain SIDs, dumps krbtgt and trust account hashes via DCSync, and forges inter-realm Kerberos tickets for privilege escalation.

Signed-off-by: document.cookie <86263146+MCookieSteal@users.noreply.github.com>
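The trust enumeration the description lists (domain names, SIDs, direction, type and attribute details) boils down to decoding the trustedDomain objects a domain controller returns over LDAP. The following is an added example, not code from this PR or from NetExec: it converts the binary securityIdentifier to S-1-... form, names the trustDirection/trustType values and the trustAttributes flag bits as documented in MS-ADTS, classifies each trust as intra-forest, forest, realm or external, and flags configurations an auditor would want to see (an external trust without SID filtering, RC4 pinned on a trust). The sample entries, SIDs and domain names are constructed for the example.

```python
"""Decode Active Directory trustedDomain objects (binary SID, direction, type,
attribute flags) and flag risky trust settings. Added example; not NetExec code."""
import struct
from dataclasses import dataclass

TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "mit", 4: "dce"}
# trustAttributes flag bits as documented in MS-ADTS
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",   # SID filtering enforced on this trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",        # parent/child or tree-root trust
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}


def sid_bytes_to_str(raw: bytes) -> str:
    """Convert a binary SID (securityIdentifier / objectSid) to S-1-... form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian uint32s."""
    if len(raw) < 8:
        raise ValueError("SID shorter than 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes for {count} sub-authorities, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:]) if count else ()
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def decode_attributes(value: int) -> list[str]:
    """Expand the trustAttributes bitmask into flag names; unknown bits are kept visible."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def classify(trust_type: int, attrs: int) -> str:
    """Intra-forest (parent/child, tree-root), forest, MIT realm, or external."""
    if attrs & 0x0020:
        return "intra-forest"
    if attrs & 0x0008:
        return "forest"
    if trust_type == 3:
        return "realm"
    return "external"


@dataclass
class Trust:
    partner: str
    sid: str
    direction: str
    kind: str
    flags: list
    findings: list


def parse_trust(entry: dict) -> Trust:
    """entry mimics one LDAP search result for a trustedDomain object (constructed here)."""
    attrs = int(entry["trustAttributes"])
    kind = classify(int(entry["trustType"]), attrs)
    findings = []
    if kind == "external" and not attrs & 0x0004:
        findings.append("external trust without SID filtering (QUARANTINED_DOMAIN unset)")
    if attrs & 0x0080:
        findings.append("USES_RC4_ENCRYPTION set (legacy cipher on this trust)")
    return Trust(
        partner=entry["trustPartner"],
        sid=sid_bytes_to_str(entry["securityIdentifier"]),
        direction=TRUST_DIRECTION.get(int(entry["trustDirection"]), "unknown"),
        kind=kind,
        flags=decode_attributes(attrs),
        findings=findings,
    )


def _sid(*subs: int) -> bytes:
    """Build a binary SID under authority 5 (NT); used only for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


# Constructed sample entries; SIDs and names are invented.
SAMPLE_ENTRIES = [
    {"trustPartner": "child.corp.example", "securityIdentifier": _sid(21, 111, 222, 333),
     "trustDirection": 3, "trustType": 2, "trustAttributes": 0x0020},
    {"trustPartner": "partner.example", "securityIdentifier": _sid(21, 444, 555, 666),
     "trustDirection": 2, "trustType": 2, "trustAttributes": 0x0000},
    {"trustPartner": "other-forest.example", "securityIdentifier": _sid(21, 777, 888, 999),
     "trustDirection": 3, "trustType": 2, "trustAttributes": 0x0008},
]


def audit(entries: list) -> list:
    return [parse_trust(e) for e in entries]


if __name__ == "__main__":
    for t in audit(SAMPLE_ENTRIES):
        print(f"{t.partner:22} {t.sid:22} {t.direction:13} {t.kind:12} {','.join(t.flags) or '-'}")
        for f in t.findings:
            print("   !", f)
```

Feeding real directory data into `parse_trust` only requires fetching the trustedDomain objects (for example with an LDAP search under CN=System of the domain naming context) and passing each entry's attributes as the same five keys; the SID length check exists because a truncated or padded securityIdentifier is the usual cause of mis-parsed trusts.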
@NeffIsBack
Member

Thanks for your work!

However, I think pretty much all of this already exists in NetExec. You can enumerate trusts with --dc-list, which includes the enumeration of the trusts' IP addresses:
[screenshot]
Also, just a few days ago the raisechild module was merged in #792 which automates domain trust escalation.

@MCookieSteal
Author

Yes, but this module does everything in one go, detailing all the trust relationships between domains. Additionally, it extracts the SIDs for all domains involved in a relationship, and unlike the raisechild module (which uses the KRBTGT user), in this case it uses the hash of the trust relationship between domains, which is more reliable.

@NeffIsBack
Member

Yes, but this module does everything in one go, detailing all the trust relationships between domains. Additionally, it extracts the SIDs for all domains involved in a relationship, and unlike the raisechild module (which uses the KRBTGT user), in this case it uses the hash of the trust relationship between domains, which is more reliable.

This would be very, very similar to the raisechild module. In order to avoid duplicate code/functionality, I think we should integrate the additional functionality in here into the existing module. For example, adding a switch to use the domain trust account instead of the krbtgt would be a great addition, but feel free to enhance anything that you feel is missing in the raisechild module.

@NeffIsBack NeffIsBack added the duplicate This issue or pull request already exists label Nov 21, 2025