Domain Controller Sync
This is one of the quietest methods to steal domain information from a Domain Controller. For the sake of redundancy DC have a backup server that synchronizes with the main DC at regular intervals. We can pose as a redundant DC and request for an update. Fortunately, the main DC looks only at the legitimacy of the SID and not the origin or any other authentication methods to validate the authenticity of the request.
The following command can be used through mimikatz to download the user passwords and hashes from the Domain Controller,
The NTLM hash obtained from this exercise can be cracked using hashcat using the following command,
The same attack can be performed from Linux using Impacket.
Last updated