INTRODUCTION
In many environments Domain Controller and Active Directory are used to manage the network, users and computers. The organizations often need the existence of more than one Domain Controller for its Active Directory. For keeping an environment with more than one Domain Controller consistent, it is necessary to have the Active Directory objects replicated through those DCs.
Domain Controller suffers from misconfigurations which will let DC vulnerable for attackers, one of the famous vulnerability attackers abuse is exploit Microsoft feature [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol which is used to replicate users hashes from Domain Controller to another.
WHAT IS DCSYNC
DCSync is a feature in the famous tool Mimikatz in Lsadump module which is used to pull all
password hashes from targeted Domain Controller.
DCSync is used by both Penetration testers and Attackers to pull passwords hashes from Domain
Controller to be cracked or used in lateral movement or creating Golden Tickets.
HOW DCSYNC WORK
DCSync is impersonating Domain Controller and requests account password data from the targeted
Domain Controller by sending DSGetNCChanges request.
In steps:
1- Discovers Domain Controller in the specified domain name.
2- Requests the Domain Controller to replicate the user credentials via GetNCChanges (leveraging
Directory Replication Service (DRS) Remote Protocol)
In details, A client Domain Controller sends an IDL_DRSGetNCChanges request to a server to replicate directory objects in a given NC from the server NC replica to the client NC replica. The response contains a set of updates that the client is to apply to its NC replica.

DCSYNC RIGHTS
To do DCSync there are 3 rights needed to be delegated to the user at the domain level in order for the
user account to get all passwords data using DCSync:
1- Replicating Directory Changes (DS-Replication-Get-Changes)
2- Replicating Directory Changes All (DS-Replication-Get-Changes-All)
3- Replicating Directory Changes in Filtered Set (required in some environments)

Members of the Domain Admins and Enterprise Admins and Domain Controller computer accounts
have these rights by default.
Normal domain user accounts can do DCSync with 3 rights mentioned above.

DCSYNC ATTACK DEMONSTRATION
Two tools will be used to demonstrate DCSync, Mimikatz and SecretsDump.py from Impacket.
Attacker exploit this feature after gaining Domain Admin privileges then pull all passwords hashes from
Domain Controller to be cracked or used in lateral movements.
Mimikatz: DCSync in Mimikatz is under lsadump module and can be done as follow:

Command: [ # lsadump::dcsync /domain:<DOMAIN> /user:<Username> ] (for single user)
Command: [ # lsadump::dcsync /domain:<DOMAIN> /all ] (for all users hashes)

SecretsDump.py: using SecretsDump script to dump all password hashes is as follow:
Command: [ secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER> ]

HUNTING FOR USERS WITH DCSYNC PERMISSIONS
Using Powerview we can enumerate domain users and find who has Replicating Directory Changes
permission (DCSync rights).
Command: [ Get-ObjectACL -DistinguishedName "dc=companyx,dc=com" -ResolveGUIDs
| ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -
match 'GenericAll') } | select IdentityReference
]

DEPLOY DCSYNC USING DIFFERENT WAYS
After gaining Domain Admin privileges it is possible to grant any domain user DCSync rights using
different ways:
1- Powerview: PowerView is a PowerShell tool to gain network situational awareness on
Windows domains. It also implements various useful metafunctions, several functions for
the enumeration and abuse of domain trusts also exist.
using PowerView function (Add-ObjectAcl) we can easily add all three permissions to the
domain root for any user.
Command: [ Add-ObjectACL -TargetDistinguishedName "dc=companyx,dc=com"
-PrincipalSamAccountName Attacker -Rights DCSync
]
OR
Command: [ Add-ObjectACL -PrincipalSamAccountName Attacker -Rights
DCSync ]

2- Using ADSI on Domain Controller: Log in to DC > Open ADSI > Right click on DC > Properties
> Security > Add user > grant chosen user the 3 DCSync rights.

HOW TO DETECT DCSYNC AND MITIGATION
It’s very important to be aware about what is going in the network and domain, 2 ways will be
explained to detect DCSync:
1- Powershell Script: we need to audit who has the DS-Replication-Get-Changes-All rights on the
root of the domain. A full list of Extended Rights which lists the object GUIDs (which is what you
are checking for in the script below):
Script:

import-module activedirectory;
# Define AD locations
$root = [ADSI]"LDAP://RootDSE"
$domainpath = "AD:" + ($root.defaultnamingcontext).tostring();
$domaincontrollerpath = "AD:OU=Domain Controllers," +
($root.defaultnamingcontext).tostring();
[System.Collections.ArrayList]$pathstocheck = @();
[void]$pathstocheck.add($domainpath);
[void]$pathstocheck.add($domaincontrollerpath);
# The extended rights to look for
$extendedrightscheck = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
# Define array to save identities to
[System.Collections.ArrayList]$userswithextendedrights = @();
foreach ($pathtocheck in $pathstocheck) {
# Get ACEs

$aces =(get-acl -path $pathtocheck).access| where {(($_.objecttype
-eq $extendedrightscheck) -and($_.accesscontroltype -eq “allow”))};

foreach ($ace in $aces) {
[void]$userswithextendedrights.add(($ace.identityreference).tostring());
}
}
# Remove duplication
$userswithextendedrights = $userswithextendedrights | select -unique

2- Wireshark: Finding if DCSync is being used in the network is to monitor the network traffic and
find if protocol DRSUAPI is used or not.
A- Identify all Domain Controller IP addresses and add them to (Replication Allow List).
B- Configure IDS to trigger if DsGetNCChange request originated by an IP not on the
(Replication Allow List).

CAPTURE PASSWORD IN CLEARTEXT
DCsync retrieves all passwords hashes, what if you want cleartext password? Yes its possible,
using PowerView to change how AD store password to unencrypted format for specific user ( Store
Password using reversible encryption
)
Powerview:
Command: [ Invoke-DowngradeAccount -samaccountname Victim ]
or you can do it from Domain Controller as explained in pictures.

From Domain Controller:

Then all you have to do is wait for that user to log in again and the password will be saved unencrypted,
then do DCSync to get the cleartext password!

After the user log in again, the password will be saved unencrypted and you can do DCSync to get the cleartext password!

USING DCSYNC AS PERSISTENCE TECHNIQUE
After gaining Domain Admin Privileges, choose random normal domain user and grant this user
DCSync rights using Powerview or from ADSI on Domain Controller.
Anytime you want to pull passwords hashes just do DCSync using mimikatz or secretsdump by that user.

Source:

https://dl.packetstormsecurity.net/papers/general/ad-dcsync.pdf