DCSync
DCSync impersonates a Domain Controller and asks a real one to replicate the password hashes of every user in the domain. This means that as long as your account holds the right permissions, you never need to run a single command on the Domain Controller itself: compromising the DC, which is usually the hard part, is not required.
For this to work, the account must have the permissions needed to pull hashes from a Domain Controller. These are normally limited to Domain Admins, Enterprise Admins, the Domain Controllers group, and any principal granted the replication permissions with Allow on the domain object (i.e. Replicating Directory Changes and Replicating Directory Changes All). Any user holding them can carry out the attack with mimikatz.
What's the risk?
Well, if a single user account can impersonate a Domain Controller and request every domain user's password hash, that alone is risk enough.
Attack
We can enumerate which users hold these permissions with PowerView, using the Get-ObjectAcl cmdlet:
Get-ObjectAcl -Identity "dc=dominioncyber,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-1827981533-2463545078-1305764163-1120"}
Above, when the two replication ACEs (Replicating Directory Changes and Replicating Directory Changes All) are found for the SID, DCSync is allowed for that user. From there it is as simple as running DCSync <username> on Covenant and grabbing the hashes, for example those of the krbtgt account.
Covenant's output also shows the equivalent mimikatz command that is being executed.
And we can do this for any user of our choosing in the entire domain.
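The same enumeration from the defender's side, as an added example that is not part of the original notes and does not use PowerView: it reads the ACL of the domain naming context with the RSAT ActiveDirectory module, resolves the three replication control-access rights by their well-known GUIDs, and flags any principal that holds them (or GenericAll, which implies them) but is not on the baseline list of expected holders. The baseline list of expected principals is an assumption for a default domain; tune it to your environment.

```powershell
# Added example (not from the original notes): audit who can DCSync.
# Requires the RSAT ActiveDirectory module; run from a domain-joined admin host.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control-access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ExtendedRight ACE with an all-zero ObjectType grants every extended right.
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
# Assumed baseline of principals that hold these rights in a default domain.
$ExpectedHolders = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$nb\Domain Admins",
    "$nb\Enterprise Admins",
    "$nb\Domain Controllers"
)

# The AD: PSDrive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $guid       = $ace.ObjectType.ToString().ToLower()
    $rights     = $ace.ActiveDirectoryRights
    $isExtended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
    $isGeneric  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $grants = $null
    if ($isGeneric) {
        $grants = 'GenericAll (implies all replication rights)'
    } elseif ($isExtended -and $ReplicationRights.ContainsKey($guid)) {
        $grants = $ReplicationRights[$guid]
    } elseif ($isExtended -and $guid -eq $AllExtendedRights) {
        $grants = 'All extended rights (implies all replication rights)'
    }
    if (-not $grants) { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Right     = $grants
        Inherited = $ace.IsInherited
        Expected  = ($ExpectedHolders -contains $ace.IdentityReference.Value)
    }
}

# Rows with Expected = False are the ones to review: each such principal
# can replicate every password hash in the domain without touching a DC.
$findings | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Run this periodically (or after any delegation change) and treat every unexpected row as a finding to be removed or justified; an account in that list is equivalent to a Domain Admin for the purposes of credential theft.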
[Screenshot: DCSync run against the user Jwick]
Understanding and exploiting this technique is valuable because it provides persistence with the highest privileges in the domain, and the hashes it returns can also be used to initiate other techniques such as Golden and Silver Tickets.
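Because a DCSync request is an ordinary replication request, the Domain Controller logs it as a Directory Service Access event (4662) naming the replication control-access rights that were exercised. The following detection is an added example and not part of the original notes: it is run on a DC, pulls the last 24 hours of 4662 events, keeps those whose Properties field contains one of the replication GUIDs, and discards requests made by the machine accounts of the domain's own DCs, which are normal replication traffic. It assumes success auditing for Directory Service Access is enabled on the DC.

```powershell
# Added example (not from the original notes): flag replication requests
# made by anything other than a Domain Controller's machine account.
Import-Module ActiveDirectory

# Well-known control-access right GUIDs that appear in 4662 "Properties".
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Machine accounts of the domain's DCs (sAMAccountName form, trailing '$').
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_ + '$' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$suspicious = foreach ($ev in $events) {
    # EventData fields are easiest to read from the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # "Properties" lists the rights used, e.g. "%%7688 {1131f6ad-...} {...}".
    $props = [string]$data['Properties']
    $hit   = $ReplicationGuids | Where-Object { $props -match $_ }
    if (-not $hit) { continue }

    # DC-to-DC replication is expected; anything else is a DCSync candidate.
    if ($dcAccounts -contains $data['SubjectUserName']) { continue }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights  = ($hit -join ', ')
        Object  = $data['ObjectName']
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

Any row this prints means a user or non-DC computer account asked a DC to replicate directory data, which in a healthy domain almost never happens outside of specific products (Azure AD Connect, for instance) that should be allow-listed explicitly rather than by ignoring the event.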