Active Directory Attack - DCSync
DCSync is a feature in Mimikatz located in the lsadump module. DCSync impersonates the behavior of Domain Controller and requests account password data from the targeted Domain Controller. DCSync is attack technique in the post exploitation phase in Internal Pentest.
In simple words, if you already compromised Domain Admin and you want to dump hashes of particular user you can use this functionality instead of dumping entire NTDS.DIT file which in turn might generated many alerts on SIEM.
Lets demo this attack in our lab setup. Download the fresh copy of Mimikatz and transfer to the compromised workstation. Open the cmd.exe with Domain Admin privileges and perform below mentioned steps inorder to pull account information of victim1 user on domain.
Looking at above output, you get list of victim1's hashes along with history of earlier set password hashes too. So if you crack above hashes, you can get the pattern followed by victim1 to set passwords. But cracking the hashes might take time, is there any nifty way to recover cleartext password using above technique ? YES, you can import Powersploit using powershell and invoke cmdlet Invoke-DowngradeAccount for user victim1.
Basically Invoke-DowngradeAccount enables the reverse encryption for particular user (Ideally this setting is disabled). Enabling reverse encryption in AD stores the respective users password in clear-text.
Since now we enabled reverse encryption for victim1 user, can DCSync give us cleartext credentials? YES, but for that victim1 need to login again, so its credentials are captured in AD. So next day (or force logoff victim1) when we run DCSync again, we get cleartext credentials of victim1.
mimikatz # lsadump::dcsync /domain:hackable.com /user:victim1
But which user you can perform DCSync attack ? The answer is account with rights to perform domain replication. Ideally Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. Below are highlighted replication permission for Domain Admins.
References :- https://adsecurity.org/?p=1729