DCSync
So we remember that adunn has DCSync privileges in the INLANEFREIGHT.LOCAL domain.
DCSync is a technique for stealing the Active Directory password database by using the built-in Directory Replication Service Remote Protocol, which Domain Controllers use to replicate domain data. This allows an attacker to mimic a Domain Controller and retrieve user NTLM password hashes.
The crux of the attack is requesting that a Domain Controller replicate passwords via the DS-Replication-Get-Changes-All extended right. This is an extended access control right within AD that allows the replication of secret data.
To perform this attack, you must control an account that has the rights to perform domain replication (a user with both the Replicating Directory Changes and Replicating Directory Changes All permissions set). Domain Admins, Enterprise Admins and the default domain Administrators have this right by default.
Using Get-DomainUser to View adunn's Group Membership
Now that we have the SID of the user, we can search specifically for replication rights and check whether our user adunn possesses them.
If we had certain rights over the user (such as WriteDacl), we could also add this privilege to a user under our control, execute the DCSync attack, and then remove the privileges to attempt to cover our tracks.
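The defender's version of the check above is to audit which principals hold the replication rights on the domain object at all, since anyone with both Get-Changes and Get-Changes-All (or full control, which silently includes them) can DCSync. The following is an added example, not code from the page or from PowerView/HTB; the ACEs are constructed to resemble the fields Get-DomainObjectAcl reports (principal, ACE type, access mask, object ACE type GUID), the allowlist is an assumption, and every account name other than adunn (helpdesk, svc_backup, jsmith) is made up.

```python
# Audit of which principals hold the directory-replication rights that enable DCSync.
# Added example: the ACEs below are constructed to look like the fields PowerView's
# Get-DomainObjectAcl reports for the domain object; they are not from a real domain.
from collections import defaultdict

# Extended-right (control access) GUIDs; the first two together permit replicating secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ALL_REPLICATION_RIGHTS = frozenset(REPLICATION_RIGHTS.values())
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Access-mask bits from ADS_RIGHTS_ENUM.
RIGHT_DS_CONTROL_ACCESS = 0x100   # "extended right"; the object type GUID says which one
RIGHT_GENERIC_ALL = 0x10000000    # full control, which implies every extended right

# Principals expected to replicate secrets; anyone else is a finding (constructed allowlist).
EXPECTED_HOLDERS = {
    "BUILTIN\\Administrators",
    "INLANEFREIGHT\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}


def make_ace(principal, ace_type, access_mask, object_ace_type=None):
    return {"principal": principal, "ace_type": ace_type,
            "access_mask": access_mask, "object_ace_type": object_ace_type}


# Constructed sample: adunn holds both rights (the case on the page), helpdesk only one,
# svc_backup has GenericAll (which includes them), jsmith only has a deny ACE.
SAMPLE_ACES = [
    make_ace("BUILTIN\\Administrators", "AccessAllowedObject", 0x100, GET_CHANGES),
    make_ace("BUILTIN\\Administrators", "AccessAllowedObject", 0x100, GET_CHANGES_ALL),
    make_ace("INLANEFREIGHT\\Domain Controllers", "AccessAllowedObject", 0x100, GET_CHANGES),
    make_ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "AccessAllowedObject", 0x100, GET_CHANGES_ALL),
    make_ace("INLANEFREIGHT\\adunn", "AccessAllowedObject", 0x100, GET_CHANGES),
    make_ace("INLANEFREIGHT\\adunn", "AccessAllowedObject", 0x100, GET_CHANGES_ALL),
    make_ace("INLANEFREIGHT\\helpdesk", "AccessAllowedObject", 0x100, GET_CHANGES),
    make_ace("INLANEFREIGHT\\svc_backup", "AccessAllowed", RIGHT_GENERIC_ALL),
    make_ace("INLANEFREIGHT\\jsmith", "AccessDeniedObject", 0x100, GET_CHANGES_ALL),
]


def rights_granted_by(ace):
    """Replication rights a single allow ACE grants (empty set for deny or unrelated ACEs)."""
    if ace["ace_type"] not in ("AccessAllowed", "AccessAllowedObject"):
        return set()
    mask = ace["access_mask"]
    if mask & RIGHT_GENERIC_ALL:
        return set(ALL_REPLICATION_RIGHTS)
    if not mask & RIGHT_DS_CONTROL_ACCESS:
        return set()
    guid = ace["object_ace_type"]
    if not guid:
        # CONTROL_ACCESS with no object type GUID means every extended right
        return set(ALL_REPLICATION_RIGHTS)
    name = REPLICATION_RIGHTS.get(guid.lower())
    return {name} if name else set()


def replication_rights_by_principal(aces):
    """Union of replication rights per principal across all allow ACEs."""
    rights = defaultdict(set)
    for ace in aces:
        granted = rights_granted_by(ace)
        if granted:
            rights[ace["principal"]] |= granted
    return dict(rights)


def can_dcsync(rights):
    """Both Get-Changes and Get-Changes-All are needed to pull secret attributes."""
    return {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= rights


def unexpected_dcsync_principals(aces, expected=EXPECTED_HOLDERS):
    """Principals able to DCSync that are not on the expected list, sorted."""
    return sorted(p for p, r in replication_rights_by_principal(aces).items()
                  if can_dcsync(r) and p not in expected)


if __name__ == "__main__":
    for principal in unexpected_dcsync_principals(SAMPLE_ACES):
        print("unexpected DCSync-capable principal:", principal)
```

Two things this direct-ACE view cannot tell you: rights are inherited through group membership, so each flagged group has to be expanded to its members, and a principal with WriteDacl on the domain object can grant itself these rights at any time, so that right deserves the same scrutiny.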
DCSync replication can be performed using tools such as Mimikatz, Invoke-DCSync, and Impacket's secretsdump.py.
Extracting NTLM Hashes and Kerberos Keys Using secretsdump.py
We can use the -just-dc-ntlm flag if we only want NTLM hashes, or specify -just-dc-user <USERNAME> to extract data only for a specific user.
Viewing an Account with Reversible Encryption Password Storage Set
When this option is set on a user account, the passwords are stored using RC4 encryption. The trick here is that the key needed to decrypt them (the Syskey) is stored in the registry and can be extracted by a Domain Admin or equivalent. Tools such as secretsdump.py will decrypt any passwords stored using reversible encryption while dumping the NTDS file, either as a Domain Admin or via an attack such as DCSync. We can enumerate this using the Get-ADUser cmdlet:
Checking for Reversible Encryption Option using Get-DomainUser
Then we can read the password just like this ->
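The option the Get-ADUser / Get-DomainUser checks above look for is the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) in userAccountControl; the same bit is what the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=128) matches. The following added example (not code from the page or from HTB) decodes that bit field over a constructed set of accounts so the flag can be audited from an export. All account names except adunn, and every userAccountControl value, are made up.

```python
# Find accounts with "Store password using reversible encryption" set by decoding the
# userAccountControl bit field. Added example with constructed accounts; in a real
# domain the values come from Get-ADUser or an LDAP query.

# Selected userAccountControl flags (bit value -> name).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # reversible encryption
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080

# Constructed sample accounts (sAMAccountName, userAccountControl).
SAMPLE_USERS = [
    {"sAMAccountName": "adunn", "userAccountControl": 66048},        # NORMAL + DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "jsmith", "userAccountControl": 512},         # NORMAL
    {"sAMAccountName": "svc_legacyapp", "userAccountControl": 640},  # NORMAL + reversible encryption
    {"sAMAccountName": "svc_sync", "userAccountControl": 66176},     # NORMAL + DONT_EXPIRE + reversible
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def has_reversible_encryption(user):
    """True when the per-account reversible-encryption bit is set."""
    return bool(user["userAccountControl"] & ENCRYPTED_TEXT_PWD_ALLOWED)


def users_with_reversible_encryption(users):
    """Sorted sAMAccountNames of accounts whose passwords are stored reversibly."""
    return sorted(u["sAMAccountName"] for u in users if has_reversible_encryption(u))


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], decode_uac(u["userAccountControl"]))
    print("reversible encryption:", users_with_reversible_encryption(SAMPLE_USERS))
```

Caveat for an audit: this bit only reflects the per-account setting. Reversible encryption can also be imposed domain-wide by the password policy in Default Domain Policy or per group by a fine-grained password policy (msDS-PasswordReversibleEncryptionEnabled), and accounts covered that way will show a clean userAccountControl, so check those policies as well.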
We can perform the attack with Mimikatz as well. With Mimikatz, we must target a specific user; here we will target the built-in administrator account. We could also target the krbtgt account and use it to create a Golden Ticket for persistence, but that is outside the scope of this module.
It is also important to note that Mimikatz must be run in the context of the user who has DCSync privileges. We can use runas.exe to accomplish this:
This will spawn a new shell; in this shell we can run Mimikatz ->
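Whichever tool performs the replication (secretsdump.py or Mimikatz, as described above), the Domain Controller sees the same thing: a replication request for the domain naming context by a principal that is not a Domain Controller, which surfaces as Security Event ID 4662 with the replication control-access GUIDs listed under Properties. The following detection logic is an added example, not code from the page or from any SIEM product; the events are constructed in the shape of 4662 fields, the DC account list and the WEB01$ / DC01$ / DC02$ / jsmith names are assumptions, and only adunn comes from the page.

```python
# Detection of DCSync in Domain Controller security logs: an Event ID 4662 whose Properties
# name a replication control-access right, performed by something other than a DC.
# Added example; the events below are constructed in the shape of 4662 fields, not real logs.
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # ObjectType of the domain head

# Constructed: the computer accounts of the real Domain Controllers. Use the Domain
# Controllers OU as the source of truth, not the trailing "$" of the account name.
DC_ACCOUNTS = {"INLANEFREIGHT\\DC01$", "INLANEFREIGHT\\DC02$"}


def make_event(time, computer, domain, user, properties, event_id=4662):
    return {"TimeCreated": time, "EventID": event_id, "Computer": computer,
            "SubjectDomainName": domain, "SubjectUserName": user,
            "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100",
            "Properties": properties}


# Constructed sample log. The third event uses a made-up, non-replication property GUID.
SAMPLE_EVENTS = [
    make_event("2024-01-01T10:00:00Z", "DC01.INLANEFREIGHT.LOCAL", "INLANEFREIGHT", "DC02$",
               "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    make_event("2024-01-01T10:05:12Z", "DC01.INLANEFREIGHT.LOCAL", "INLANEFREIGHT", "adunn",
               "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
               "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    make_event("2024-01-01T10:06:00Z", "DC01.INLANEFREIGHT.LOCAL", "INLANEFREIGHT", "jsmith",
               "Read Property {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    make_event("2024-01-01T10:09:41Z", "DC02.INLANEFREIGHT.LOCAL", "INLANEFREIGHT", "WEB01$",
               "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    make_event("2024-01-01T10:10:00Z", "DC01.INLANEFREIGHT.LOCAL", "INLANEFREIGHT", "adunn",
               "", event_id=4624),
]


def replication_rights_in(properties):
    """Sorted names of replication rights referenced in a 4662 Properties field."""
    names = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_GUIDS.get(guid.lower())
        if name:
            names.append(name)
    return sorted(names)


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """4662 events where a non-DC principal exercised a replication right."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        rights = replication_rights_in(ev["Properties"])
        if not rights:
            continue
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if subject in dc_accounts:
            continue  # DC-to-DC replication is expected
        hits.append({"time": ev["TimeCreated"], "dc": ev["Computer"],
                     "subject": subject, "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["dc"]}: {hit["subject"]} used {", ".join(hit["rights"])}')
```

Two operational notes: 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits these control-access rights, so confirm both before relying on this; and some non-DC principals replicate legitimately (for example a directory synchronization service account), which belong on the allowlist alongside the DC computer accounts rather than being ignored by suffix. The WEB01$ sample shows why the suffix alone is not enough: a compromised member-server account is still a finding.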
Perform a DCSync attack and look for another user with the option "Store password using reversible encryption" set. Submit the username as your answer.
What is this user's cleartext password?
After SSH to htb-student through RDP, as mentioned at the beginning of the course ->
Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer.