Dissecting the DCSync Attack

DCSync relies on a special (non-standard) permission that can be granted to AD users or AD user groups.

screenshot

This permission is the Replicating Directory Changes checkbox. I had to manually add this permission. After some PowerShell testing I found that, by default, even though my victim account had been granted Domain Admin privilege, it did not have this permission granted.

screenshot
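As an added defensive check (example code, not from the original post), the following PowerShell lists every principal that holds one of the replication extended rights on the domain naming context, which is exactly what makes a DCSync possible. It assumes the ActiveDirectory RSAT module on a domain-joined host; the three GUIDs are the well-known replication extended-right identifiers.

```powershell
# Added example, not part of the original post: audit who can DCSync the domain.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host that can read the domain ACL.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for directory replication (the "Replicating Directory Changes" family).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncCapablePrincipals {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid  = $ace.ObjectType.ToString()
        $named = $ReplicationRights.ContainsKey($guid)

        # An ACE with an empty ObjectType plus GenericAll or ExtendedRight covers every
        # extended right, replication included, so it has to be reported as well.
        $blanket = ($ace.ObjectType -eq [guid]::Empty) -and (
            $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))

        if (-not ($named -or $blanket)) { continue }

        if ($named) { $label = $ReplicationRights[$guid] }
        else        { $label = "All extended rights ($($ace.ActiveDirectoryRights))" }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $label
            Inherited = $ace.IsInherited
        }
    }
}

# Anything beyond the built-in Administrators, Domain Controllers and Enterprise Domain Controllers
# groups is a candidate DCSync account and should be explained or have the right removed.
Get-DcSyncCapablePrincipals | Sort-Object Identity | Format-Table -AutoSize
```

Run it periodically and diff the output; a new identity appearing in this list is a strong indicator that someone has been granted the very permission this post describes.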

Attack!

Carrying out the attack takes a few steps.

  1. Get mimikatz onto the client (victim) VM.
  2. Call the dcsync module in mimikatz, passing the target user and domain as command-line arguments.

mimikatz # privilege::debug

mimikatz # lsadump::dcsync /domain:pentestlab.com /user:kirk

This command returns the NTLM hash of the domain admin user account kirk@pentestlab.com.

What next?

From here we can pass the hash (PtH) using the recovered NTLM hash.

screenshot

Written on August 15, 2018