Introduction: Extracting User Password Data with Mimikatz DCSync
Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most importantly, this can be done without running any code on a domain controller as opposed to the other ways Mimikatz will extract password data. This can be used by attackers to get any account’s NTLM hash including the KRBTGT account, which enables attackers to create Golden Tickets. The trickiest part of this attack is that it takes advantage of a valid and necessary function of Active Directory, so it cannot be turned off or disabled.
Who Can Perform a DCSync Attack?
Performing a DCSync is quite simple. The only prerequisite to worry about is that you have an account with rights to perform domain replication. This is controlled by the Replicating Changes permissions set on the domain. Having the Replicating Changes All and Replicating Directory Changes permissions will allow you to perform this attack.
By default, this is limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups. If you would like to quickly find any users who can perform the DCSync attack outside of these default permissions, the following script will help. It enumerates all of the domain-level permissions for a domain and reports every principal granted these rights whose RID is above 1000, which excludes all of the default (built-in) permissions.
Running this will output an entry for each permission given to a user or group who probably shouldn’t be there:
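The post's own script is not reproduced here, so the following PowerShell is an added example that does the same audit: it reads the domain head's ACL with the ActiveDirectory module and reports each principal granted Replicating Directory Changes or Replicating Directory Changes All (or GenericAll / all extended rights, which imply them) whose RID is above 1000. The function name is an assumption of this example; the two GUIDs are the schema's well-known control-access-right identifiers for those permissions, not values taken from the post.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Control-access-right GUIDs for the two replication permissions (schema constants,
# not values from this post). An all-zeros ObjectType means "every extended right".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-DCSyncPrincipal {
    # Assumed helper name; lists non-default principals holding DCSync-enabling rights.
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        [int]$MinRid = 1000    # RIDs at or below this are treated as built-in, as in the post
    )
    $ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in (Get-Acl -Path "AD:\$DomainDN").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = [int]$ace.ActiveDirectoryRights
        $objType = $ace.ObjectType.ToString()

        # Decide whether this ACE grants replication rights on the domain head
        $rightName = $null
        if (($rights -band $GenericAll) -eq $GenericAll) {
            $rightName = 'GenericAll (implies all extended rights)'
        } elseif (($rights -band $ExtendedRight) -ne 0) {
            if ($ReplRights.ContainsKey($objType))      { $rightName = $ReplRights[$objType] }
            elseif ($ace.ObjectType -eq [guid]::Empty)  { $rightName = 'All extended rights' }
        }
        if (-not $rightName) { continue }

        # Resolve the trustee to a SID; its last sub-authority is the RID
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable or orphaned trustee: skip here, review separately
        $rid = [int]($sid.Value.Split('-')[-1])
        if ($rid -le $MinRid) { continue }   # e.g. Domain Admins 512, DCs 516, Enterprise Admins 519, Administrators 544

        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            SID      = $sid.Value
            Right    = $rightName
        }
    }
}

# Check every domain in the forest, as the post recommends
foreach ($d in (Get-ADForest).Domains) {
    Get-DCSyncPrincipal -DomainDN (Get-ADDomain -Identity $d).DistinguishedName | Format-Table -AutoSize
}
```

Any row returned is a principal outside the default groups that can replicate directory data and should be reviewed, since the same rights are what a DCSync needs.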
If you do have the necessary rights, the rest is quite simple. Simply execute the following command:
lsadump::dcsync /domain:[YOUR DOMAIN] /user:[ANY USER WHOSE PASSWORD DETAILS YOU WANT]
Here is that command to retrieve the KRBTGT hash.
Another cool feature is that if the password is stored with reversible encryption, you can get a clear text password returned:
Protections from DCSync
The best protection is controlling the domain permissions outlined earlier and ensuring that only the necessary accounts have the ability to replicate information from your domain. Inevitably, some users will have this right, and they should be protected so that their password details are not stored where attackers may compromise them. Start by running the script provided above against all domains to be sure you don't have any improper users with rights to perform this attack.