DCSync Attack: Stealing Password Hashes from Active Directory

Active Directory (AD) is the backbone of authentication and authorization in most enterprise networks. One of the most powerful attacks against AD is the DCSync attack, which allows attackers to simulate the behavior of a Domain Controller (DC) and extract sensitive credential data, including password hashes and Kerberos keys.

What is a DCSync Attack?

A DCSync attack is a type of Active Directory attack where an attacker queries a domain controller to obtain account credentials without ever compromising the DC directly. Essentially, it abuses replication privileges in AD to “ask” the domain controller to provide the password hashes of user accounts.

With this attack, an attacker can obtain:

  • NTLM hashes
  • Kerberos keys, including the krbtgt key that protects Ticket-Granting Tickets (TGTs)
  • Password hashes of domain administrator accounts

This gives near-complete control over the domain if executed successfully.

How DCSync Works

1. Required Permissions

For DCSync, the attacker needs one of these privileges:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Membership in privileged groups such as Domain Admins or Enterprise Admins

These permissions allow an account to replicate directory objects, including user credentials.

2. Core Mechanism

DCSync leverages the MS-DRSR protocol (Microsoft Directory Replication Service Remote Protocol) to request password-related attributes from a DC.

Key attributes that can be extracted include:

  • unicodePwd – The cleartext password (if retrievable)
  • ntPwdHistory – NTLM hash history
  • lmPwdHistory – LM hash history
  • dBCSPwd – LM/NTLM hash
  • supplementalCredentials – Kerberos keys

Attackers do not need physical access to a DC. They simply impersonate a DC and request replication data.

Tools Commonly Used for DCSync

  1. Mimikatz – The go-to tool for DCSync attacks
     # Example: pull the Administrator account's credential material via DCSync
     mimikatz # privilege::debug
     mimikatz # lsadump::dcsync /domain:example.local /user:Administrator

  2. Impacket – Python library for performing DCSync via scripts
     # Using secretsdump.py to dump hashes via DCSync
     python3 secretsdump.py example.local/username:password@dc.example.local

  3. PowerView – Useful for discovering accounts with replication privileges

Exploitation Scenario

Here’s a typical DCSync attack workflow:

  1. Initial Access – The attacker compromises a low-privileged domain account.

  2. Privilege Escalation – The attacker identifies accounts with replication privileges, often using PowerView or BloodHound.

  3. Perform DCSync – Using Mimikatz or Impacket, the attacker extracts password hashes of high-value accounts such as Domain Admins.

  4. Persistence & Lateral Movement – With admin credentials, the attacker can:

  • Create backdoor accounts
  • Extract sensitive data
  • Access all resources in the domain

Defending Against DCSync

  1. Monitor Replication Permissions – Limit the Replicating Directory Changes and Replicating Directory Changes All privileges to domain controllers and trusted accounts only.

  2. Monitor Event Logs – Event ID 4662 (object access) and 4672 (special privileges) can indicate suspicious replication attempts.

  3. Use a Tiered Administrative Model – Separate admin accounts by privilege tier to reduce the risk of credential compromise.

  4. Implement LAPS (Local Administrator Password Solution) – Reduces the lateral movement risk posed by local admin accounts.
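The event-log point above is only useful if the 4662 events are filtered for the replication control-access rights, because 4662 is also logged for ordinary directory reads. The script below is an added example (not part of the original article) that parses Windows Security events in their XML form and raises an alert when a principal outside an explicit domain-controller allowlist exercised DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set. The three rights GUIDs are the real schema values; the sample events, account names and domain are constructed. The same GUIDs are what to look for as the object type of extended-right ACEs when auditing who holds replication permissions on the domain head (defence point 1).

```python
"""Flag Security event 4662 records where a non-DC principal exercised
directory-replication control-access rights (the DCSync pattern).
Added example: the event XML below is constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Control-access-right GUIDs logged in the Properties field of event 4662
# when an account replicates directory data (these GUID values are real).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_event(xml_text):
    """Return the EventID plus the EventData name/value pairs of one event."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def replication_rights(properties):
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events_xml, dc_accounts):
    """Return one alert per 4662 event in which replication rights were used
    by a principal outside the explicit domain-controller allowlist.
    The allowlist is matched by exact account name (e.g. 'DC01$'); a trailing
    '$' alone is not trusted, because machine accounts can be created or
    granted replication rights by anyone with the appropriate permissions."""
    allow = {a.upper() for a in dc_accounts}
    alerts = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["EventID"] != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # 4662 for some unrelated object access
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allow:
            continue  # expected DC-to-DC replication
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "object": ev.get("ObjectName", ""),
            "rights": rights,
            # Get-Changes-All is the right that exposes secret attributes
            "full_dump_possible": "DS-Replication-Get-Changes-All" in rights,
        })
    return alerts


def _event(subject, domain, props, event_id=4662):
    """Build a minimal constructed event in Windows event XML (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="ObjectName">DC=example,DC=local</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{props}</Data>
  </EventData>
</Event>"""


# %%7688 is the "Control Access" resolver string Windows writes before the GUIDs.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
OTHER_PROPS = "%%7688\n\t{00000000-0000-0000-0000-000000000000}"  # placeholder right

# Constructed sample: a DC replicating, a user account replicating, an
# unrelated control-access use, and a 4672 logon event that is not 4662.
SAMPLE_EVENTS = [
    _event("DC01$", "EXAMPLE", REPL_PROPS),
    _event("jsmith", "EXAMPLE", REPL_PROPS),
    _event("svc_backup", "EXAMPLE", OTHER_PROPS),
    _event("jsmith", "EXAMPLE", "", event_id=4672),
]
DC_ACCOUNTS = ["DC01$", "DC02$"]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```

In production the events would come from a SIEM export or Get-WinEvent rather than inline strings; the allowlist should be generated from the domain's actual DC computer accounts plus any service that legitimately holds these rights (for example a directory-synchronisation account), so that every remaining hit is worth a ticket.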

Conclusion

The DCSync attack is a highly dangerous technique that highlights how misconfigured AD permissions can allow attackers to extract credentials without touching the domain controllers directly. Understanding this attack is crucial for both penetration testers and security teams to detect, mitigate, and harden Active Directory environments.