8.7.2 - DCSync Attack
Last updated
DCSync is a technique used in post-exploitation scenarios to extract sensitive data from an AD domain by abusing the AD replication feature, which governs how Domain Controllers synchronize data between themselves.
The DCSync attack tricks a DC into thinking the attacker is another legitimate DC that needs replication data.
The replication data extracted with this attack includes:
NTLM password hashes (including krbtgt)
Kerberos keys
Password history
So, DCSync can be combined with other attacks, such as the Golden Ticket attack, to establish persistence in a domain.
Log into the Domain Controller account:
Open Active Directory Users and Computers
Click on the DC: dev-angelist.lab -> Properties -> Security -> Add (devan), Check Names, OK
Select the devan user and mark these three permissions as Allow:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
and confirm.
Alternatively, they can be set using the AD module command:
We can check that everything went right using BloodHound:
If the "AllExtendedRights" and "GenericAll" permissions are present, we can perform the DCSync attack.
Alternatively, we can use PowerView (if we have access to the devan machine):
or we can check it from the attacker machine (Linux / Kali) using the secretsdump module of Impacket:
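The BloodHound and PowerView checks above answer one question: which principals hold the replication rights on the domain head? The following script is an added example (not part of these notes or of BloodHound/PowerView) that performs the same audit from the defender's side on an exported ACL. The ACE records are a constructed, simplified export (principal, ACE type, right, object GUID); in a real environment they would come from Get-Acl on the domain naming context or an LDAP read of nTSecurityDescriptor. The three control-access-right GUIDs are the well-known AD schema values; the set of principals that legitimately hold them is an assumption and should be tailored to your domain.

```python
"""Audit a domain object's ACL for principals able to run DCSync.

Added example, not from the original notes. Input ACEs are a constructed,
simplified export; the expected-principal list is an assumption.
"""
from dataclasses import dataclass

# Well-known extended-right GUIDs from the AD schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"

REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "Replicating Directory Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "Replicating Directory Changes All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "Replicating Directory Changes In Filtered Set",
}

# Principals that normally hold replication rights on the domain head (assumption).
EXPECTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "dev-angelist\\Domain Controllers",
    "dev-angelist\\Domain Admins",
    "dev-angelist\\Enterprise Admins",
}


@dataclass(frozen=True)
class Ace:
    principal: str
    ace_type: str     # "Allow" or "Deny"
    rights: str       # e.g. "ExtendedRight", "GenericAll"
    object_guid: str  # extended-right GUID; "" means the ACE covers all extended rights


def replication_capability(ace):
    """Return the DCSync-relevant right an ACE grants, or None if it grants none."""
    if ace.ace_type != "Allow":
        return None
    if ace.rights == "GenericAll":
        return "GenericAll"  # full control implies every extended right
    if ace.rights == "ExtendedRight":
        guid = ace.object_guid.lower()
        if guid in ("", "00000000-0000-0000-0000-000000000000"):
            return "AllExtendedRights"  # no ObjectType: all extended rights, replication included
        return REPLICATION_RIGHTS.get(guid)
    return None


def audit_dcsync_aces(aces, expected=EXPECTED_PRINCIPALS):
    """Group replication-capable grants by principal and return the unexpected ones."""
    grants = {}
    for ace in aces:
        capability = replication_capability(ace)
        if capability:
            grants.setdefault(ace.principal, set()).add(capability)
    return {p: sorted(caps) for p, caps in grants.items() if p not in expected}


# Constructed sample ACL of the domain head, modelled on the permissions granted above.
SAMPLE_ACL = [
    Ace("dev-angelist\\Domain Controllers", "Allow", "ExtendedRight", DS_REPLICATION_GET_CHANGES),
    Ace("dev-angelist\\Domain Controllers", "Allow", "ExtendedRight", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("BUILTIN\\Administrators", "Allow", "ExtendedRight", ""),
    Ace("dev-angelist\\devan", "Allow", "ExtendedRight", DS_REPLICATION_GET_CHANGES),
    Ace("dev-angelist\\devan", "Allow", "ExtendedRight", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("dev-angelist\\devan", "Allow", "ExtendedRight", DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET),
    Ace("dev-angelist\\helpdesk", "Allow", "GenericAll", ""),
    Ace("dev-angelist\\backup-svc", "Deny", "ExtendedRight", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("dev-angelist\\devan", "Allow", "ReadProperty", ""),
]

if __name__ == "__main__":
    for principal, caps in audit_dcsync_aces(SAMPLE_ACL).items():
        print(f"UNEXPECTED replication capability: {principal}: {', '.join(caps)}")
```

Run as a script it reports devan (all three replication rights) and helpdesk (GenericAll), while the Domain Controllers group and the Deny ACE are ignored. Rights such as WriteDacl or WriteOwner on the domain object are not flagged here, although a principal holding them could grant itself the replication rights; extend the check if your environment needs that.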
Mimikatz
Let's assume we have low-privileged access to a workstation joined to the domain; in my case I log into the dev-angelist\devan account.
Download and extract Mimikatz:
and run it to leak the NTLM hash of the krbtgt user:
Using SafetyKatz
we can upload it and log in using neo4j or using the tool:
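Whatever tool issues the replication request (Mimikatz, SafetyKatz or secretsdump), the Domain Controller records it as an "operation performed on an object" event (Windows Event ID 4662) whose Properties field lists the replication control-access GUIDs. The following script is an added example (not from these notes or any of the tools named above) of the usual detection heuristic: a 4662 event with Access Mask 0x100 that references a replication right and comes from an account that is not a Domain Controller. The log lines are constructed and simplified into key=value form; the DC account list is an assumption.

```python
"""Flag DCSync-style replication requests in Directory Service Access events.

Added example, not from the original notes. The log lines are constructed
and simplified (real 4662 events are XML/EVTX); DC_ACCOUNTS is an assumption.
"""
import re

# Well-known extended-right GUIDs from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

# Computer accounts of legitimate Domain Controllers (assumption, upper-case for comparison).
DC_ACCOUNTS = {"DC01$"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def parse_event(line):
    """Parse one simplified key=value event line into a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def detect_dcsync(lines, dc_accounts=DC_ACCOUNTS):
    """Return one alert per 4662 control-access event that uses a replication
    right from an account that is not a known Domain Controller."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4662":
            continue
        if event.get("AccessMask", "").lower() != "0x100":  # 0x100 = Control Access
            continue
        guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
        hits = guids & set(REPLICATION_RIGHTS)
        if not hits:
            continue
        subject = event.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue  # normal DC-to-DC replication
        alerts.append({
            "subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
            "rights": sorted(REPLICATION_RIGHTS[g] for g in hits),
        })
    return alerts


# Constructed sample events: a legitimate DC replication, a DCSync by devan,
# an unrelated property read by devan, and a logon event.
SAMPLE_LOG = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=DEV-ANGELIST ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
EventID=4662 SubjectUserName=devan SubjectDomainName=DEV-ANGELIST ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
EventID=4662 SubjectUserName=devan SubjectDomainName=DEV-ANGELIST ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} AccessMask=0x10 Properties="{00000000-0000-0000-0000-000000000000}"
EventID=4624 SubjectUserName=devan SubjectDomainName=DEV-ANGELIST LogonType=3
"""

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_LOG.splitlines()):
        print(f"DCSync candidate: {alert['subject']} used {', '.join(alert['rights'])}")
```

Two caveats for using this in production: 4662 is only generated when the "Audit Directory Service Access" subcategory is enabled and the domain object carries a matching SACL, and the DC-account allow-list hides a request made with a compromised DC computer account, so compare the source host of the request against the DC list as well where that data is available.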