Using Domain Controller Account Passwords To HashDump Domains
@Carlos_Perez haha, if yes, it will be a 0d ;) — Benjamin Delpy (@gentilkiwi), August 2, 2015
No, like always it needs some rights ;) DA is cool, maybe DC$ is enough
And then later on August 28th, again about the DC$ account (Domain Controller computer account):
Because DCSync is calling on “sync” based APIs of Active Directory, that are, by default, used only by Domain Controllers, all Domain Controller computer accounts would have the ability to do this as well as the Domain/Enterprise Admins.
Anyone who has ever administered an Active Directory domain knows that computer accounts change their passwords automatically. How often do they change them?
“Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.”
PSSSST!! That article is about how to DISABLE automatic password changing.
Alright. So, I’m not going to go into “how” to get the hashes for a computer account, but if you’ve ever dumped passwords before, the computer accounts are the ones with the “$” on the end. Find the ones that are domain controllers, match up the hashes, and use Impacket’s secretsdump.py to your heart’s content. (Or until the password changes for that DC; then you use another one to dump it again. Oh, did I not mention that computers don’t all change their passwords at the same time within that 30-day window?)
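From the defender's side, the tell for the behaviour described above is a DC computer account exercising replication rights from an address that is not one of your domain controllers. The following is an added example, not code from the original post: it correlates Windows Security events 4624 (logon, which carries the source address) and 4662 (object access, which carries the replication control-access GUIDs) by logon ID over a constructed, flattened sample; the list of known DC addresses and the sample events are assumptions.

```python
# Control-access-right GUIDs that appear in the Properties field of a 4662
# event when an account exercises directory replication rights.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: the defender maintains the addresses their real DCs use.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample events, flattened to "key=value" pairs for brevity
# (real 4662 Properties values are brace-wrapped GUIDs on separate lines).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=DC01$ TargetLogonId=0x3e7a1 IpAddress=10.0.0.10",
    "EventID=4662 SubjectUserName=DC01$ SubjectLogonId=0x3e7a1 Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4624 TargetUserName=DC02$ TargetLogonId=0x5c221 IpAddress=10.0.5.77",
    "EventID=4662 SubjectUserName=DC02$ SubjectLogonId=0x5c221 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662 SubjectUserName=svc_backup SubjectLogonId=0x5c221 Properties=bf967aba-0de6-11d0-a285-00aa003049e2",
]


def parse(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_suspicious_dcsync(events, known_dc_ips):
    """Return (account, ip, guid) for replication requests made with a
    machine account ($) from an address that is not a known DC."""
    logons = {}  # LogonId -> source address, filled from 4624 events
    hits = []
    for line in events:
        ev = parse(line)
        if ev["EventID"] == "4624":
            logons[ev["TargetLogonId"]] = ev["IpAddress"]
        elif ev["EventID"] == "4662":
            guids = set(ev["Properties"].split(",")) & REPLICATION_GUIDS
            account = ev["SubjectUserName"]
            ip = logons.get(ev["SubjectLogonId"], "unknown")
            if guids and account.endswith("$") and ip not in known_dc_ips:
                hits.append((account, ip, sorted(guids)[0]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_dcsync(SAMPLE_EVENTS, KNOWN_DC_IPS):
        print("possible DCSync with DC machine account: %s from %s (%s)" % hit)
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object has a SACL for the replication rights, so check that auditing is in place before relying on this.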
Remember, Domain Controller computer accounts don’t have a lot of other permissions, so you need to use the “-just-dc” option in secretsdump.py in order for it to do just the domain dump: