DCSync
DSR
Most organizations need more than one domain controller for their Active Directory and to maintain consistency among multiple Domain controller, it is necessary to have the Active Directory objects replicated through those DCs with the help of MS-DRSR refer as Microsoft feature Directory Replication Service (DRS) Remote Protocol that is used to replicate users data from one DC to another. Taking Advantage of this feature the attack abuse the MS-DRSR using Mimikatz-DCSYNC.
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
DCSYNC Attack
The Mimikatz DCSYNC-function allows an attacker to replicate Domain Controller (DC) behaviour. Typically impersonates as a domain controller and request other DCβs for user credential data via GetNCChanges.
But compromised account should be a member of administrators, Domain Admin or Enterprise Admin to retrieve account password hashes from the others domain controller. As a result, the intruder will build Kerberos forged tickets using a retrieved hash to obtain any of the Active Directory βs resources and this is known as Golden Ticket attack.
For this attack to work, we need to have a user account with domain admins membership.
Using Mimikatz DCSync
Read-Only Domain Controllers are not allowed to pull password data for users by default.
PowerShell Empire
the Empire has a similar module that retrieves the hash of the entire domain controller users account.
Metasploit
If you have meterpreter session of the victim machine who account is member of domain admin, then here also you can execute Mimikatz-DCSYNC attack in order to obtain userβs password.
Impacket secretsdump
Last updated