DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller, using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admins groups, or computer accounts on the domain controller, are able to run DCSync to pull password data from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket, or to change an account's password as noted in Account Manipulation.

DCSync functionality has been included in the "lsadump" module of mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.

Example

DCSync is an incredible technique that allows us to impersonate a DC (that is correct, impersonate!!) and request the hashes from the DC.

This technique is an attack that simulates the behavior of a Domain Controller (DC) in order to retrieve password data via domain replication. By using the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulate the behavior of a DC, the attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.

DCSyncer

A tool built around mimikatz: it applies the proper parameters and needed information to execute everything automatically. It dumps the hashes for all users (dumping a single hash is not supported). We need Domain Admins, or a user holding the Replicating Directory Changes and Replicating Directory Changes All rights; once these requirements are met we can carry out this attack. The tool is simple to execute and does everything automatically.
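As an added defender-side example (not part of this page, DCSyncer or mimikatz): when directory service access auditing is enabled, a request for the replication rights named above is recorded on the domain controller as Windows Security event 4662, and the extended rights appear as GUIDs in its Properties field. The script below flags such events from any account that is not a domain controller's machine account; the flattened `key=value;` event format, the account names and the DC list are constructed for the example.

```python
import re

# Well-known Active Directory extended-right GUIDs that DCSync needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

# Constructed sample events in a flattened "key=value;" form (not real log output).
# Event 1: a DC's own machine account replicating (expected, legitimate).
# Event 2: a regular user requesting replication rights (DCSync indicator).
# Event 3: a 4662 for an unrelated property write.  Event 4: not a 4662 at all.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC01$;SubjectDomainName=CORP;"
    "Properties=Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2};AccessMask=0x100",
    "EventID=4662;SubjectUserName=jdoe;SubjectDomainName=CORP;"
    "Properties=Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2};AccessMask=0x100",
    "EventID=4662;SubjectUserName=jdoe;SubjectDomainName=CORP;"
    "Properties=Write Property {e45795b2-9455-11d1-aebd-0000f80367c1};AccessMask=0x20",
    "EventID=4624;SubjectUserName=jdoe;SubjectDomainName=CORP;Properties=;AccessMask=",
]
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed list of domain controller machine accounts


def parse_event(text):
    """Pull the fields we need out of one flattened event line."""
    fields = {}
    for key in ("EventID", "SubjectUserName", "Properties"):
        m = re.search(rf"{key}=([^;]*)", text)
        fields[key] = m.group(1).strip() if m else ""
    return fields


def dcsync_hits(events, dc_accounts):
    """Return (account, [rights]) for 4662 events requesting replication rights
    from an account that is not a known domain controller."""
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev["EventID"] != "4662":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        # DCs replicate with each other all day; only non-DC principals are suspicious.
        if rights and ev["SubjectUserName"].upper() not in known_dcs:
            hits.append((ev["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for account, rights in dcsync_hits(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

A 4662 is only written if the domain object's SACL audits Control Access for Everyone, so verify that auditing is in place before relying on this signal.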