DCSync Attack


Last updated 2 years ago

This is a common technique for extracting the password hashes of individual users, most commonly the krbtgt account, as preparation for creating Golden Tickets.

This attack takes advantage of AD's need to replicate as much data as possible between Domain Controllers in order to keep the directory consistent throughout the entire network.

It occurs in several steps:

  1. The attacker, using Mimikatz, impersonates a DC and requests replication via the Directory Replication Service Remote Protocol (MS-DRSR).

  2. The attacker then requests replication of the target user with a GetNCChanges request.

  3. The DC returns the replication data, password hashes included.

A user with either Domain Admin privileges or specific privileges over the domain object can use this attack to obtain hashes and escalate their privileges within AD, by mimicking the behaviour of a DC that requests replication data from other DCs.
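Because the replication request described above is logged on the serving DC as Security event 4662 with the replication control-access rights in its Properties field, a defender can spot DCSync by flagging those rights when the requester is not a known DC. The following is an added detection example, not code from the original page; the flattened key=value event lines are constructed samples, and the set of DC computer accounts is an assumed allowlist that would come from your own environment.

```python
import re

# Control-access-right GUIDs from the AD schema; a GetNCChanges (DCSync)
# request needs DS-Replication-Get-Changes plus -All (or -In-Filtered-Set).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample of flattened Security events exported from a DC (not real logs).
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=domainDNS '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # An ordinary object access by the same user: no replication right, so no alert.
    'EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user '
    'Properties="{bf967aba-0de6-11d0-a285-00aa003049e2}"',
    'EventID=4624 TargetUserName=jdoe LogonType=3',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_event(line):
    """Turn one flattened key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def replication_rights(event):
    """Names of the replication control-access rights present in the event's Properties."""
    guids = _GUID.findall(event.get("Properties", ""))
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS)


def find_dcsync_candidates(lines, dc_accounts):
    """Return (account, rights) for every 4662 event in which a principal that is
    not a known DC computer account exercised replication rights."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        if rights and ev.get("SubjectUserName") not in dc_accounts:
            hits.append((f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}", rights))
    return hits


if __name__ == "__main__":
    for account, rights in find_dcsync_candidates(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Legitimate non-DC replication consumers (directory synchronisation service accounts, for example) will also trigger this and belong on the allowlist; auditing 4662 requires a SACL on the domain object for the replication rights, or the events will not be written at all.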

Performing the Attack

With Impacket

secretsdump.py <Domain>/<Username>@<ip> -just-dc-ntlm

From Windows

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt /domain:<domain>"'