March 15, 2026
One‑way? Wrong‑way!
Trust no one: are one-way trusts one way?
Admins gasp, red teamers grin: that “one‑way” door swings both ways
TLDR: A new tool shows you can pull a trust account from the “accepting” side of a Windows one‑way setup and use it to log in the other way. The crowd is split between “old trick, easier now” and “wake-up call,” but everyone agrees it lowers the bar for hopping across networks.
Security folks did a collective spit-take after Almond OffSec dropped tdo_dump.py, a tool showing that a Windows “one‑way trust” can be nudged into… not so one‑way. In plain English: two groups set up a gate that should only open in one direction. This tool lets you grab the key from the side that accepts visitors and use it to waltz back through the other side. Think “employees only” door, but someone left the staff badge under the mat.
The comments section? Pure fireworks. Offense-minded testers swaggered in with “old trick, new button,” while defenders rolled their eyes at the word “one‑way” like it was a bad label on a shampoo bottle. The core drama: is this a terrifying new break or just proof the marketing copy was always confusing? Blue team voices say the fix is boring but real—rotate that trust secret, tighten filtering, and actually watch for cross-domain logins. Others roasted defaults that make these special accounts too cozy, calling them a welcome mat for anyone doing “lateral movement” (hopping between systems).
Memes landed hard: a “ONE WAY” street sign with a giant U‑turn sticker, and the classic “You had one job.” One camp blames fuzzy docs, another insists trusts were never walls—just bridges. Either way, weekend change windows just got booked.
Key Points
- The article focuses on one-way Active Directory trusts and questions their practical unidirectionality.
- A trust creates an interdomain trust account (TDO) in the trusted forest with samAccountType TRUST_ACCOUNT and specific userAccountControl flags.
- The new tool tdo_dump.py can extract the TDO secret from the trusting domain.
- Using the extracted TDO secret, authentication to the trusted domain is possible, enabling lateral movement across forests/domains.
- The work builds on prior research into trusts, SID filtering, and trust transitivity, with references provided for deeper context.
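The key points above describe how a trust account is recognisable by its samAccountType and userAccountControl values, and the discussion suggests rotating the trust secret. The following added example (not from the article or from the tdo_dump.py project) shows a defender-side check: it decodes those attributes from constructed LDAP-style records, identifies the trust accounts, and flags any whose secret (pwdLastSet, a Windows FILETIME) is older than an assumed rotation threshold. The attribute values and the 30-day threshold are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Well-known Active Directory constants (documented SAM/UAC values).
SAM_TRUST_ACCOUNT = 0x30000002          # samAccountType of an interdomain trust account
SAM_NORMAL_USER_ACCOUNT = 0x30000000    # samAccountType of an ordinary user
UAC_INTERDOMAIN_TRUST_ACCOUNT = 0x0800  # userAccountControl bit 2048
UAC_NORMAL_ACCOUNT = 0x0200             # userAccountControl bit 512

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse helper used only to build the constructed sample records below."""
    return int((moment - FILETIME_EPOCH).total_seconds() * 10_000_000)


def is_trust_account(entry: dict) -> bool:
    """True when both the SAM type and the UAC flag mark an interdomain trust account."""
    return (entry["samAccountType"] == SAM_TRUST_ACCOUNT
            and entry["userAccountControl"] & UAC_INTERDOMAIN_TRUST_ACCOUNT != 0)


def stale_trust_accounts(entries: list, now: datetime, max_age_days: int = 30) -> list:
    """Return sAMAccountNames of trust accounts whose secret is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [e["sAMAccountName"] for e in entries
            if is_trust_account(e) and filetime_to_datetime(e["pwdLastSet"]) < cutoff]


# Constructed sample records (assumed names; not real directory data).
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "CORP$", "samAccountType": SAM_TRUST_ACCOUNT,
     "userAccountControl": UAC_INTERDOMAIN_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5))},     # recently rotated
    {"sAMAccountName": "PARTNER$", "samAccountType": SAM_TRUST_ACCOUNT,
     "userAccountControl": UAC_INTERDOMAIN_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=90))},    # stale secret
    {"sAMAccountName": "svc_backup", "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": UAC_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},   # not a trust account
]

if __name__ == "__main__":
    print("trust accounts with stale secrets:", stale_trust_accounts(SAMPLE_ENTRIES, NOW))
```

In a real environment the records would come from an LDAP query for (sAMAccountType=805306370); the check then tells you which trusts are overdue for a secret rotation.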