How to perform DC Sync Attack in Active Directory?

What is DC Sync Attack?

It is a sophisticated technique used by attackers to gain control over an entire Active Directory environment. This attack allows an attacker to Act as the Domain Controller (DC) and request user’s credential information like password hashes. DC Sync attack leverages the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). This protocol is used by domain controllers to synchronize data, including user credentials, across the network.

What are the requirements for DC Sync Attack?

To perform the DC Sync Attack the attacker needs to have gained a high level of privileges within the AD Environment. The attacker at least should have Replicating Directory Changes permission enabled to any of these .

Domain Admin
Enterprise Admin
Administrator Account with Delegated Permissions

How to make a user vulnerable to DC Sync Attack?

Step 1. Enable Advanced Features in Active Directory Users and Computers:

Open Active Directory Users and Computers.
From the top menu, click on View, then select Advanced Features to enable it.

Step 2. Navigate to Server Properties:

In the Active Directory Users and Computers window, locate and right-click on your Domain Controller or Server object.
Select Properties from the context menu.

Step 3. Access Security Settings:

In the Properties window, click on the Security tab.

Step 4. Check User Permissions:

Review the list of users and groups available under the Security tab.
Select any specific user or group from the list that you want to check.
Scroll down to find Replicating Directory Changes ALL permissions.
If the permission is enabled, it means that this user or group has the ability to replicate directory changes across the domain, including sensitive data.

Tools used for DC Sync Attack.

Mimikatz : Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. The toolset works with the current release of Windows and includes a collection of different network attacks to help assess vulnerabilities.

How to perform DC Sync Attack?

Step 1: Launch Mimikatz with Elevated Privileges

Open Mimikatz on the machine where the vulnerable user account is compromised.
Ensure that you Run as Administrator to have the necessary privileges for executing sensitive commands.

Step 2: Execute the DC Sync Command

Run the following command in Mimikatz:

lsadump::dcsync /domain:server.local /user:Rosetta.Jena

Explanation:

lsadump::dcsync: This command instructs Mimikatz to perform a DC Sync operation, mimicking a Domain Controller to request directory replication data.
/domain:server.local : Specifies the target domain where the Active Directory resides (replace server.local with the actual domain name).
/user:Resetta.Jena: Indicates the specific user account whose data is being requested. In this case, it is the Rosetta.Jena account. The command will fetch credentials, including password hashes, for this user.

Step 3: Retrieve the Hash

The command will output the NTLM hash for the Rosetta.Jena user.
This NTLM hash can then be used for further attacks, such as pass-the-hash attacks or for cracking the password.

Step 4: Crack the Password Using John the Ripper or Hashcat

Take the obtained hash and input it into password-cracking tools like John the Ripper or Hashcat.
These tools can be used to decode the hash and reveal the original password, especially if the password is weak or follows common patterns.

Why This Attack Is So Powerful?

This attack is highly dangerous because it allows the attacker to retrieve the password hash of any user in the Active Directory environment, including high-privilege accounts like Domain Admins and even the Domain Controller itself.
Since the DC Sync attack exploits the replication process, it can extract sensitive credentials without directly interacting with the domain controller itself. This means that an attacker can gain access to the keys of the kingdom stealthily, without triggering alarms typical of more overt attacks.