
DCSync Attack

In August 2015, Benjamin Delpy (the author of Mimikatz) and Vincent Le Toux released a new version of Mimikatz that added the DCSync function. DCSync impersonates a domain controller (DC) and requests data, such as account password hashes, from a real domain controller.

Before DCSync existed, you first had to log in to the domain controller and run code on it before you could obtain that data.

The biggest feature of DCSync is that it obtains the desired user password information remotely, through the synchronous replication of domain data, without logging in to the domain controller.

Note that if the target of a DCSync request is a read-only domain controller (RODC), the attack does not work, because an RODC cannot participate in synchronous data replication.

Principle

The principle of DCSync is very clear: it uses the data replication that normally takes place between domain controllers. The attack proceeds as follows:

1. Discover the target domain controller in the network;

2. Request the data to be replicated from it using the Directory Replication Service (DRS) Remote Protocol.

The Samba wiki's description of GetNCChanges includes:

When a DC (called the client DC) wants to obtain data from another DC (called the server DC), the client DC initiates a GetNCChanges request to the server DC. The response contains the data that needs to be synchronized.

If there is a lot of data to synchronize, this process is repeated, since each response can carry only a limited amount of data.

Prerequisites

To launch a DCSync attack, a user must hold the following permissions:

1. Replicating Directory Changes (DS-Replication-Get-Changes)

2. Replicating Directory Changes All (DS-Replication-Get-Changes-All)

3. Replicating Directory Changes In Filtered Set

In other words, the user must be allowed to replicate directory changes. By default, the domain administrators group holds these permissions.
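As an added example (not code from the original post), the following PowerShell script lists every principal that has been granted one of the three replication rights named above on the domain naming context, so a defender can check that the set of holders really is limited to the expected administrative and domain-controller groups. It assumes the ActiveDirectory module (RSAT) is installed, which also provides the AD: drive used by Get-Acl; the three GUIDs are the well-known extended-right identifiers, not values taken from the post.

```powershell
# Added example (not from the original post): audit who holds the replication
# extended rights on the domain naming context.
# Assumes the ActiveDirectory module (RSAT) and its AD: drive are available.
Import-Module ActiveDirectory

# Well-known GUIDs of the three extended rights named in the post.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # The ACL of the domain object itself (e.g. DC=corp,DC=example) is where
    # these rights are granted.
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()

        if ((($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
            $ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } elseif (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
            # Full control on the domain object implies every extended right,
            # so such entries must be listed too.
            $right = 'GenericAll (implies all three replication rights)'
        } else {
            continue
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Typical expected holders are the built-in Administrators, Enterprise Admins,
# Domain Controllers and Enterprise Domain Controllers groups; any other
# identity in this output should be explained or removed.
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
```

Run it from a domain-joined host as a user who can read the domain object's security descriptor; the output is the whitelist of identities that are able to perform the replication request DCSync relies on.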


Attack

[Screenshot in the original post; not reproduced here.]

Defense

A DCSync attack works by simulating the synchronous data replication that a domain controller initiates towards another server.

The best defense is a whitelist of domain controllers. Within a domain, the number of domain controllers and their IP and MAC addresses are well-known assets; put these assets on a whitelist that is allowed to synchronize, and do not allow data synchronization from IPs that are not on the whitelist.

Script for obtaining the IPs of all domain controllers in the domain:

PowerShell: Get-ADDomainController -Filter * | Select-Object IPv4Address

or

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select-Object IPAddress

On network devices, detect synchronous replication of domain controller data that originates from outside the whitelist.
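The network-level whitelist above can be complemented on the domain controllers themselves. As an added example (not code from the original post), the following script builds the whitelist of domain controller computer accounts with the same Get-ADDomainController call used above and then flags Windows security event 4662 entries in which a non-whitelisted account exercised one of the replication rights. It assumes it runs on a domain controller with "Audit Directory Service Access" enabled (otherwise 4662 is not logged), and the GUIDs are the well-known extended-right identifiers rather than values from the post.

```powershell
# Added example (not from the original post): detect replication requests made
# by accounts that are not domain controllers, using security event 4662.
# Assumes it runs on a DC with "Audit Directory Service Access" enabled.
Import-Module ActiveDirectory

# Well-known GUIDs of the replication extended rights, mapped to their names.
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Whitelist: the computer accounts (NAME$) of every DC in the domain, i.e. the
# "known assets" the post recommends whitelisting.
function Get-DcWhitelist {
    (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$".ToUpper() }
}

function Find-NonDcReplicationRequests {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string[]]$Whitelist = (Get-DcWhitelist)
    )

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the event fields by name from the event XML instead of relying
        # on positional Properties indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $props = $data['Properties']
        if (-not $props) { continue }
        $hits = @($ReplicationGuids.Keys | Where-Object { $props.ToLower().Contains($_) })
        if ($hits.Count -eq 0) { continue }          # not a replication request

        $user = ($data['SubjectUserName'] + '').ToUpper()
        if ($Whitelist -contains $user) { continue } # a DC replicating normally

        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Rights = ($hits | ForEach-Object { $ReplicationGuids[$_] }) -join ', '
            Object = $data['ObjectName']
        }
    }
}

# Any row here is a replication request from something that is not a DC and
# deserves investigation.
Find-NonDcReplicationRequests | Format-Table -AutoSize
```

Event 4662 records the requesting account but not its source IP address, so this check complements the IP and MAC whitelist enforced on network devices rather than replacing it; the two together cover both the identity and the network path of a replication request.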
