🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  • Introduction
  • Performing the attack
  • Mimikatz
  • Impacket
  1. Windows
  2. Authentication Attacks

DC Sync

Introduction

In Active Directory, domain controllers replicate data to stay synchronized, using the DRS Remote Protocol to request updates like user account changes.

DC Sync attack exploits this process by impersonating a domain controller and replicating sensitive information, such as password hashes.

In order to perform DC Sync the following privileges are required:

  • DS-Replication-Get-Changes

  • DS-Replication-Get-Changes-All

These privileges often granted to Domain Admins or Enterprise Admins.

DC Sync attack allows the attacker to gain further access and launch attacks like Golden Tickets.

Performing the attack

Mimikatz

lsadump::dcsync /user:<user>

Impacket

impacket-secretsdump <domain>/<username>:"<password>"@<ip_address>
PreviousSilver TicketNextClient Side

Last updated 7 months ago