DCSync Attack

This is a common technique for extracting the password hashes of individual users; the most common target is the krbtgt account, as preparation for creating Golden Tickets.

This attack takes advantage of the fact that AD is designed to replicate as much data as possible between Domain Controllers in order to keep directory data consistent across the entire network.

It occurs in several steps:

  1. The attacker, through Mimikatz, mimics a DC and requests replication via the Directory Replication Service Remote Protocol (MS-DRSR).

  2. The attacker then requests replication of the user data using the GetNCChanges request.

  3. The DC returns the replication data, hashes included.

A user with either Domain Admin privileges, or with specific privileges over another object, can use this attack to obtain hashes and escalate privileges within AD by impersonating the behaviour of a DC and requesting information from other DCs.
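As an added defensive example, not part of the original page: the replication rights requested in step 2 show up on the DC as Windows Security event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs, and the detection below flags any principal exercising them that is neither a domain controller nor an allowlisted sync account. It assumes 4662 events already parsed into dictionaries with EventID, SubjectUserName and Properties fields; the sample records and the account names are constructed.

```python
import re
from collections import namedtuple

# Control-access right GUIDs that appear in the Properties field of Windows
# Security event 4662 when replication rights are exercised. A DCSync (GetNCChanges)
# request needs Get-Changes plus Get-Changes-All; the latter releases the secrets.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILTERED}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

Finding = namedtuple("Finding", "account rights severity")

def is_expected_replicator(account, allowlist):
    # DCs replicate under their machine account (trailing '$'); legitimate
    # sync services (e.g. an Azure AD Connect account) go on the allowlist.
    return account.endswith("$") or account.lower() in allowlist

def detect_dcsync(events, allowlist=frozenset()):
    """Return a Finding for every 4662 event in which a principal that is
    neither a DC nor allowlisted exercised directory replication rights."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        hit = guids & REPLICATION_GUIDS
        if not hit or is_expected_replicator(ev["SubjectUserName"], allowlist):
            continue
        severity = "high" if REPL_GET_CHANGES_ALL in hit else "medium"
        findings.append(Finding(ev["SubjectUserName"], frozenset(hit), severity))
    return findings

# Constructed, simplified 4662 records with hypothetical account names.
DCSYNC_PROPS = "Control Access {%s} {%s}" % (REPL_GET_CHANGES, REPL_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": DCSYNC_PROPS},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": DCSYNC_PROPS},
    {"EventID": 4662, "SubjectUserName": "svc_aadconnect", "Properties": DCSYNC_PROPS},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Write Property {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, allowlist={"svc_aadconnect"}):
        print(f"{f.severity.upper()}: {f.account} exercised {sorted(f.rights)}")
```

Event 4662 is only written when Directory Service Access auditing is enabled and the domain naming context carries a SACL covering these control-access rights, so verify that before relying on this signal.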

Performing the Attack

With Impacket

secretsdump.py <Domain>/<Username>@<ip> -just-dc-ntlm

From Windows

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt /domain:<domain>"'
