Domain Controller Sync

This is one of the quietest methods of stealing domain information from a Domain Controller. For redundancy, a domain has backup DCs that synchronize with the main DC at regular intervals. We can pose as a redundant DC and request an update. Fortunately for the attacker, the main DC looks only at the legitimacy of the SID, not at the origin of the request or any other authentication method, to validate the authenticity of the request.

The following command can be used in mimikatz to download the user passwords and hashes from the Domain Controller:

lsadump::dcsync /user:Administrator

The NTLM hash obtained from this exercise can be cracked with hashcat using the following command:

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

The same attack can be performed from Linux using Impacket's secretsdump:

impacket-secretsdump -just-dc-user dave p42.com/<username>:"thisisapassword"@192.168.1.35
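On the defender's side, every request described above shows up on the Domain Controller as a Security event 4662 in which a principal exercises the directory replication control-access rights. The following Python script is an added example written for this page (it is not part of the original write-up, mimikatz or Impacket) that scans constructed 4662 records and flags any principal that requests replication rights without being an inventoried DC machine account. The replication-right GUIDs are the well-known Active Directory values; the host names, account names and the KNOWN_DCS inventory are hypothetical.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

The sample events at the bottom are constructed for this example; field names
follow the 4662 event schema (SubjectUserName, AccessMask, Properties).
"""
from dataclasses import dataclass

# Well-known AD control-access-right GUIDs used by directory replication.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILTERED}

CONTROL_ACCESS = 0x100  # AccessMask bit for "control access" (extended rights) in 4662


@dataclass
class Finding:
    subject: str   # account that asked for replication
    rights: list   # replication GUIDs it requested
    source: str    # DC that logged the event


def replication_rights_in(event):
    """Return the replication GUIDs named in the event's Properties field, if any."""
    if event.get("EventID") != 4662:
        return []
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return []
    if not mask & CONTROL_ACCESS:
        return []
    props = event.get("Properties", "").lower()
    return sorted(g for g in REPLICATION_RIGHTS if g in props)


def is_expected_replicator(subject, known_dcs):
    """Only inventoried DC machine accounts ($ suffix) replicate legitimately."""
    return subject.endswith("$") and subject.upper() in {d.upper() for d in known_dcs}


def find_dcsync_candidates(events, known_dcs):
    """Return one Finding per event where a non-DC principal requested replication."""
    findings = []
    for ev in events:
        rights = replication_rights_in(ev)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if is_expected_replicator(subject, known_dcs):
            continue
        findings.append(Finding(subject, rights, ev.get("SourceHost", "")))
    return findings


# Constructed sample records (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    {   # benign: DC02$ pulling changes from DC01, normal replication
        "EventID": 4662, "SubjectUserName": "DC02$", "SourceHost": "DC01",
        "AccessMask": "0x100",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # suspicious: a user account requesting Get-Changes-All (secret attributes)
        "EventID": 4662, "SubjectUserName": "dave", "SourceHost": "DC01",
        "AccessMask": "0x100",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # unrelated 4662: a plain read-property access, not a control-access right
        "EventID": 4662, "SubjectUserName": "dave", "SourceHost": "DC01",
        "AccessMask": "0x10",
        "Properties": "%%7684 {00000000-0000-0000-0000-000000000000}",
    },
]

KNOWN_DCS = ["DC01$", "DC02$"]  # hypothetical DC inventory

if __name__ == "__main__":
    for f in find_dcsync_candidates(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync candidate: {f.subject} on {f.source} requested {f.rights}")
```

Run against the constructed sample it reports only the `dave` request, because the DC02$ event comes from an inventoried DC and the third event never exercises a control-access right. In a real deployment the DC inventory would be pulled from the domain rather than hard-coded, and the 4662 events would be read from the Security log or a SIEM; auditing of "Directory Service Access" must be enabled on the DCs for these events to be written at all.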
