Amnesiac
  • Welcome
  • Intended Usage
  • Get-Started
    • Quick Start
  • Main Menu
    • Available Commands
    • Main Menu Structure
    • [0] Scan Network for Admin Access
    • [1] Single-Listener (single target)
    • [2] Global-Listener (multiple targets)
    • [3] Scan Network for Listening Targets
    • Bookmarks
    • Payload Types
    • Payload Delivery
    • Serving Scripts
    • Sessions Display
    • Targets
    • Terminate Sessions
  • Sessions
    • Core Commands
      • Download
      • Exit
      • GListener
      • GLSet
      • Help
      • Kill
      • OneIsNone
      • Scramble
      • Sync
      • Toggle
      • Upload
    • System Commands
      • AV
      • Net
      • Process
      • Services
      • Sessions
      • Software
      • Startup
    • User Activity
      • ClearLogs
      • Clipboard
      • History and ClearHistory
      • Keylog and KeylogRead
      • ScreenShot and Screen4K
    • Scripts Loading
      • Mimi
      • Patch and PatchNet
      • PInject
      • PowerView
      • Rubeus
      • TLS
    • Local Actions
      • Ask4Creds
      • AutoMimi
      • CredMan
      • Dpapi
      • GetSystem
      • HashGrab
      • Hive
      • Kerb
      • Migrate
      • Monitor
    • Domain Actions
      • DCSync
      • CredValidate
      • Impersonation
      • LocalAdminAccess
      • PassSpray
      • Remoting
      • SessionHunter
  • Beware
    • Encryption
    • Non-Domain-Joined systems
    • SessionID 0
    • Timeouts
Powered by GitBook
On this page
  1. Sessions
  2. Domain Actions

DCSync

Perform DCSync Attack | https://github.com/vletoux/MakeMeEnterpriseAdmin

Last updated 1 year ago

Amnesiac includes a DCSync functionality, which involves simulating the behavior of a Domain Controller (DC) to retrieve password data from another DC.

This functionality offers an alternative method for performing DCSync without using Mimikatz. If you prefer to perform DCSync using Mimikatz, you can load the module within Amnesiac and use the corresponding command.

To use the DCSync functionality, simply type DCSync in the Amnesiac console.

By default, executing the DCSync command will perform a standard DCSync operation.

Users have the option to include the "Hashcat" flag when running the DCSync command. This flag will format the retrieved password hashes into a format that is suitable for use with Hashcat.

Users can provide additional information, such as the target Domain and Domain Controller, to customize the DCSync operation

The ability to perform a DCSync attack is restricted to accounts with specific permissions in a Windows Active Directory environment. Here's who can typically perform a DCSync:

  1. Domain Admins: Members of the Domain Admins group naturally have the necessary permissions to perform a DCSync, as they have full control over the domain.

  2. Enterprise Admins: Members of the Enterprise Admins group, which have administrative rights across all domains within the Active Directory forest, can also perform a DCSync.

  3. Accounts with Replication Rights: More specifically, any account that has been granted the Replicating Directory Changes and Replicating Directory Changes All rights in the domain can perform a DCSync.

  4. Accounts with Delegated Permissions: In some cases, specific accounts may be delegated replication rights for various administrative purposes, such as for backup solutions or for directory synchronization in hybrid environments.

When you use the DCSync command within Amnesiac, the extracted password hashes are displayed on the screen for your immediate use. These hashes are not stored or saved anywhere by Amnesiac. If you wish to retain these hashes for future reference or analysis, you will need to manually capture and save them from the on-screen output.

Mimi