search

DCSync: Dump Password Hashes from Domain Controller

This lab shows how a misconfigured AD domain object permissions can be abused to dump DC password hashes using the DCSync technique with mimikatz.

It is known that the below permissions can be abused to sync credentials from a Domain Controller:

http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/arrow-up-right

hashtag
Execution

Inspecting domain's offense.local permissions, it can be observed that user spotless does not have any special rights just yet:

Using PowerView, we can grant user spotless 3 rights that would allow them to grab password hashes from the DC:

Below shows the above command and also proves that spotless does not belong to any privileged group:

However, inspecting offense.local domain object's privileges now, we can see 3 new rights related to Directory Replication added:

Let's grab the SID of the user spotless with whoami /all:

Using powerview, let's check that the user spotless S-1-5-21-2552734371-813931464-1050690807-1106 has the same privileges as seen above using the GUI:

Additionally, we can achieve the same result without PowerView if we have access to AD Powershell module:

See Active Directory Enumeration with AD Module without RSAT or Admin Privileges to learn how to get AD module without admin privileges.

hashtag
DCSyncing Hashes

Since the user spotless has now the required privileges to use DCSync, we can use mimikatz to dump password hashes from the DC via:

hashtag
References

http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/www.harmj0y.netchevron-right
LogoStealing User Passwords with Mimikatz DCSyncblog.stealthbits.comchevron-right
LogoSyncing Into the ShadowsMediumchevron-right
PreviousDCShadow - Becoming a Rogue Domain ControllerNextPowerView: Active Directory Enumeration

Last updated