Post Exploitation - DCSync


Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync effectively impersonates a Domain Controller and requests account password data from the targeted Domain Controller. This will allow an attacker to potentially maintain persistence by acquiring more credentials across the domain.

As always, this is more of a step-by-step walkthrough on how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate. I will not be doing that here.



To continue our example, we will assume the following:


  • We have gained physical access with a rogue Windows machine
  • We plugged into the network and have obtained an IP address
  • We used Responder to capture credentials
  • We performed Kerberoasting to extract service account password hashes
  • We cracked a password offline to acquire a Domain Admin account

Now, the beauty of DCSync is that we can run it remotely over the network against the Domain Controller. Just think for a moment how dangerous this is. Effectively, we can use our rogue Windows machine, which has host-based controls, to issue a Mimikatz DCSync and obtain password data from our targeted Domain Controller. Let's see how easily this is done.

As before, on our rogue Windows machine, we issue the "runas" command to connect to our domain with our newly acquired Domain Admin credentials:


We start PowerShell, import the PowerSploit Recon module and identify our Domain Controller:


As confirmed above, our Domain Controller is "LAB-DC01.geoda-lab.com". We now drop back to our command prompt, bring up Mimikatz and execute the following command:


lsadump::dcsync /domain:<Domain> /user:<User we want to capture> /dc:<domaincontroller>


As you can see above, we demonstrated capturing the svc.iisadmin account, but we can perform this against any user we have enumerated on the network.

Additionally, if I want to dump the entire user database, I can add "/all", and even "/csv" to make the output easier to read:


At this point, I can take these hashes offline and begin cracking.
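The post leaves mitigation to other blogs, but the replication request DCSync makes is exactly what a defender can look for: the Domain Controller logs a Security event 4662 naming the account that exercised the directory replication extended rights. The following detection check is an added example, not code from the original post; the event ID and right GUIDs are the documented Windows values, while the sample records, DC names and the "lab.admin" account are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

DCSync only works because the caller holds the directory replication
extended rights. A Domain Controller requesting changes is normal; a
user account doing so, whatever its group membership, is the signal.
Sample records, host names and account names below are constructed.
"""

# Extended-right GUIDs that appear in the Properties field of event 4662.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed, simplified records: "EventID|SubjectUserName|Properties",
# where Properties is the semicolon-separated list of access-right GUIDs.
SAMPLE_EVENTS = [
    # normal DC-to-DC replication by the machine account of a known DC
    "4662|LAB-DC02$|" + DS_REPLICATION_GET_CHANGES + ";" + DS_REPLICATION_GET_CHANGES_ALL,
    # a user account pulling replication data: the DCSync pattern
    "4662|lab.admin|" + DS_REPLICATION_GET_CHANGES + ";" + DS_REPLICATION_GET_CHANGES_ALL,
    # a user exercising an unrelated right (constructed GUID), not replication
    "4662|jdoe|00000000-0000-0000-0000-00000000cafe",
    # a logon event: wrong ID, ignored entirely
    "4624|jdoe|",
]

def parse_event(line):
    """Split one pipe-delimited record into (event_id, account, set_of_guids)."""
    event_id, account, props = line.split("|", 2)
    guids = {g.strip().lower() for g in props.split(";") if g.strip()}
    return event_id, account, guids

def is_domain_controller(account, dc_names):
    """Machine accounts end in '$'; only those of known DCs count as DCs."""
    return account.endswith("$") and account[:-1].upper() in dc_names

def find_dcsync(events, dc_names):
    """Return accounts that used replication rights without being a known DC."""
    alerts = []
    for line in events:
        event_id, account, guids = parse_event(line)
        if event_id != "4662" or not (guids & REPLICATION_GUIDS):
            continue  # not a replication request at all
        if is_domain_controller(account, dc_names):
            continue  # expected replication partner
        alerts.append(account)
    return alerts

if __name__ == "__main__":
    # Assumed set of legitimate DCs; LAB-DC01 is the one the post targets.
    print(find_dcsync(SAMPLE_EVENTS, {"LAB-DC01", "LAB-DC02"}))  # ['lab.admin']
```

Because the allowlist is keyed on known DC machine accounts, a rogue machine account that somehow obtained replication rights is flagged just like a user account.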


I hope this has been helpful.

-geoda