DCSync is a well-known technique that allows an attacker to extract password hashes from a domain controller by simulating the behaviour of domain replication, in effect impersonating a domain controller.
Usually, only domain controllers, domain administrators, and enterprise administrators have the privileges required to perform DCSync.
⇒ So for a user to perform a DCSync attack, the account needs the following permissions:
The “DS-Replication-Get-Changes” extended right
- CN: DS-Replication-Get-Changes
- GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
The “Replicating Directory Changes All” extended right
- CN: DS-Replication-Get-Changes-All
- GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
The “Replicating Directory Changes In Filtered Set” extended right (this one isn’t always needed but we can add it just in case)
- CN: DS-Replication-Get-Changes-In-Filtered-Set
- GUID: 89e95b76-444d-4c62-991a-0facbeda640c
- Open Active Directory Users and Computers > View > click on Advanced Features (then reopen the application)
- Right-click on our domain object (crt.local) > click on Properties
- Go to the Security tab > click on Add
- Enter one of our domain user names (I have used the tony stark user account) and click OK
- Select the user account we have just added, scroll down until you see the three permissions listed above (Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set) and set them to Allow
- Click OK and Apply
So our lab is now ready to perform the DCSync attack.
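Granting these rights by hand is exactly the kind of change a defender wants to be able to spot afterwards, so the following PowerShell audit script is added here (it is not part of the original post). It reads the ACL of the domain object with the ActiveDirectory module and lists every principal that holds one of the three extended rights quoted above, flagging anything outside the principals that hold them by default. The list of "expected" principals is an assumption for a default single-domain lab (BUILTIN\Administrators, SYSTEM, ENTERPRISE DOMAIN CONTROLLERS, Domain Controllers, Domain Admins, Enterprise Admins); adjust it for your own environment. In this lab the tony stark account should appear with Expected = False.

```powershell
# Added audit script (not from the original post): list every principal that holds
# any of the three replication extended rights on the domain object.
Import-Module ActiveDirectory

# The three extended-right GUIDs quoted in the post, mapped to their CNs.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Assumption: principals that hold these rights in a default single-domain lab.
# Anything not in this list is a non-default holder and deserves review.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$netbios\Domain Controllers",
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins"
)

# The AD: drive is provided by the ActiveDirectory module; read the domain object's DACL.
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

$findings = $acl.Access |
    Where-Object {
        # Only Allow ACEs that grant an ExtendedRight whose ObjectType is one of our GUIDs.
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $replicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $replicationRights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
            Expected  = ($expected -contains $_.IdentityReference.Value)
        }
    }

# Full picture of who can replicate directory changes.
$findings | Sort-Object Principal, Right | Format-Table -AutoSize

# Non-default holders only: in this lab that is the tony stark account.
# Each of these is a DCSync-capable identity; confirm it is intended or remove the ACE.
$findings | Where-Object { -not $_.Expected } | Sort-Object Principal, Right
```

Run it as a user allowed to read the domain object's security descriptor (any authenticated user can by default). Because the script keys on the rights GUIDs rather than on the display names shown in the Security tab, it also catches ACEs added through scripts or LDAP clients, not just through Active Directory Users and Computers.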