Active Directory Attack - DCSync

DCSync is a feature of Mimikatz located in the lsadump module. It impersonates the behavior of a Domain Controller and requests account password data from the targeted Domain Controller. DCSync is an attack technique used in the post-exploitation phase of an internal pentest.

In simple words, if you have already compromised a Domain Admin and want to dump the hashes of a particular user, you can use this functionality instead of dumping the entire NTDS.DIT file, which in turn might generate many alerts on the SIEM.

Let's demo this attack in our lab setup. Download a fresh copy of Mimikatz and transfer it to the compromised workstation. Open cmd.exe with Domain Admin privileges and perform the steps mentioned below in order to pull the account information of the victim1 user on the domain.

Looking at the above output, you get a list of victim1's hashes along with the history of earlier password hashes too. So if you crack the above hashes, you can see the pattern victim1 follows when setting passwords. But cracking the hashes might take time; is there any nifty way to recover the cleartext password using the above technique? YES, you can import PowerSploit using PowerShell and invoke the cmdlet Invoke-DowngradeAccount for user victim1.

Basically, Invoke-DowngradeAccount enables reversible encryption for a particular user (ideally this setting is disabled). Enabling reversible encryption in AD stores the respective user's password in a form that can be decrypted back to clear text.

Now that we have enabled reversible encryption for the victim1 user, can DCSync give us cleartext credentials? YES, but for that victim1 needs to log in again so that its credentials are captured in AD. So the next day (or after forcing victim1 to log off), when we run DCSync again, we get the cleartext credentials of victim1.

mimikatz # lsadump::dcsync /user:victim1

But as which user can you perform the DCSync attack? The answer is an account with rights to perform domain replication. Typically members of Administrators, Domain Admins, or Enterprise Admins, as well as Domain Controller computer accounts, are able to run DCSync to pull password data. The replication permissions for Domain Admins are highlighted below.
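As an added example (not from the original post), here is detection logic a defender could run over exported security events and account attributes: it flags Event 4662 replication requests made by accounts other than known domain controllers, and lists accounts with the reversible-encryption bit set in userAccountControl. The event ID, the control access right GUIDs and the userAccountControl bit are documented Windows values; the account names and event records are constructed for the demo.

```python
# Added example, not from the original post. Flags the two artefacts described
# above: DCSync-style replication requests (Event ID 4662 carrying the
# DS-Replication-Get-Changes* rights) and accounts with reversible encryption on.
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "Store password using reversible encryption"
CONTROL_ACCESS = 0x100               # AccessMask of a 4662 for control access rights

# Documented control access right GUIDs found in the Properties field of 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def detect_dcsync(events, known_replicators):
    """Return (account, [rights]) for 4662 events that request replication
    rights from an account that is not a known DC or directory sync account."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights and ev["SubjectUserName"].lower() not in known_replicators:
            hits.append((ev["SubjectUserName"], rights))
    return hits

def reversible_encryption_enabled(user_account_control):
    """True if the reversible-encryption bit is set in userAccountControl."""
    return bool(user_account_control & ENCRYPTED_TEXT_PWD_ALLOWED)

def find_reversible_accounts(accounts):
    """accounts: iterable of (samAccountName, userAccountControl) pairs."""
    return [sam for sam, uac in accounts if reversible_encryption_enabled(uac)]

# Constructed sample data: a benign DC-to-DC replication, a suspicious pull by a
# user account, and an unrelated logon event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": 0x100,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": 0x100,
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "AccessMask": 0x0, "Properties": ""},
]
KNOWN_REPLICATORS = {"dc01$", "dc02$"}  # lab domain controllers (constructed names)
# 0x200 = NORMAL_ACCOUNT; 0x280 = NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED
SAMPLE_ACCOUNTS = [("victim1", 0x280), ("victim2", 0x200)]

if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS))  # [('jdoe', ['DS-Replication-Get-Changes-All'])]
    print(find_reversible_accounts(SAMPLE_ACCOUNTS))       # ['victim1']
```

Any account outside the known-replicator set showing these rights is a strong signal to investigate, and any non-service account with the reversible-encryption bit set should be treated as a configuration finding in its own right.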

Happy Hacking!!

References :- 


  1. As soon as you create a Kerberos password for authentication against clients, it creates an expiration date for the password.

  2. Enjoyed your approach to explaining how it works, hope to see more blog posts from you. Thank you!



