Dissecting the DCSync Attack
DCSync relies on a special (non-standard) permission granted to AD users or AD user groups.
This permission is the Replicating Directory Changes checkbox. I had to manually add this permission. After some PowerShell testing I found that by default, even though my victim account had been granted Domain Admin privilege, it did not have this permission granted.
Carrying out the attack takes a few steps.
- Get mimikatz onto the client (victim) VM.
- Call the dcsync module in mimikatz, passing the target user and domain as command-line arguments to mimikatz.

```
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /pentestlab.com /user:kirk
```
This command returns the NTLM hash for the domain admin user account “firstname.lastname@example.org”.
From here the hash can be used directly in a pass-the-hash (PtH) attack.
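Because a DCSync request is, from the domain controller's point of view, an ordinary replication request, the defender-side signal is Windows Security event 4662 on the DC: an "operation performed on an object" whose Properties field lists the replication extended rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and the filtered-set variant) with the control-access bit set in the access mask. Domain controllers legitimately send those requests to each other, so the usual rule alerts only when the requesting account is not a known DC computer account. The following detection logic is an added example, not code from the original post; the `key=value;...` event rendering, the sample events and the list of DC accounts are constructed for the example, while the three extended-right GUIDs are the real well-known AD values.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example (not from the original post). The event format below is a
constructed 'key=value;key=value' rendering of the fields a SIEM would expose
for event 4662; the replication extended-right GUIDs are the real AD values.
"""
import re

# Extended rights a DCSync request needs (well-known AD schema GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Access mask bit for "Control Access" (extended right) in event 4662.
CONTROL_ACCESS_MASK = 0x100

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)

# Constructed sample events (not real logs). The domain and user names match the post.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: the requester is a domain controller computer account.
    "EventID=4662;SubjectUserName=DC02$;SubjectDomainName=PENTESTLAB;ObjectType=domainDNS;"
    "AccessMask=0x100;Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    # Ordinary object read by a user: no control-access bit, no replication right (GUID constructed).
    "EventID=4662;SubjectUserName=kirk;SubjectDomainName=PENTESTLAB;ObjectType=user;"
    "AccessMask=0x10;Properties={deadbeef-0000-4000-8000-000000000001}",
    # A user account exercising the replication rights: the DCSync signature.
    "EventID=4662;SubjectUserName=kirk;SubjectDomainName=PENTESTLAB;ObjectType=domainDNS;"
    "AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}",
    # A different event ID is ignored even if it happens to carry the GUIDs.
    "EventID=4624;SubjectUserName=kirk;SubjectDomainName=PENTESTLAB;"
    "AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
]

# Constructed inventory of the domain's DC computer accounts (maintained by the defender).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def parse_event(line: str) -> dict:
    """Split a 'key=value;key=value' event line into a field dictionary."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def replication_rights_in(event: dict) -> set:
    """Return the replication extended rights named in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS


def is_dcsync_request(event: dict, dc_accounts: set) -> bool:
    """True when a non-DC principal exercises a replication extended right."""
    if event.get("EventID") != "4662":
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS_MASK:
        return False
    if not replication_rights_in(event):
        return False
    subject = event.get("SubjectUserName", "")
    return subject.upper() not in {a.upper() for a in dc_accounts}


def find_dcsync_alerts(lines, dc_accounts):
    """Run the rule over a batch of event lines and collect alert records."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_dcsync_request(event, dc_accounts):
            alerts.append({
                "user": event.get("SubjectUserName"),
                "domain": event.get("SubjectDomainName"),
                "rights": sorted(replication_rights_in(event)),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync_alerts(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(f"DCSync-style request by {alert['domain']}\\{alert['user']}: {alert['rights']}")
```

The allow-list of DC computer accounts is the weak point of this rule: an attacker who controls a DC machine account, or a hostile service that legitimately holds the replication rights (Azure AD Connect is the common case), will not trip it, so the list should be kept in sync with the actual DC inventory and accompanied by a periodic audit of which principals hold the Replicating Directory Changes rights on the domain root. Auditing of directory service access (event 4662) must also be enabled on the DCs, or there is nothing to run the rule over.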