oiweiwei / go-msrpc

The DCE/RPC / MS-RPC Codegen/Client for Go
MIT License

any example about MS-DRSR use? #4

Closed dodgyturtle closed 1 month ago

dodgyturtle commented 1 month ago

I need to read one or more accounts from an ntds.dit file, including secret attributes. I read that many people do it through replication. Do you have any suggestions?

oiweiwei commented 1 month ago

The DRSR replication used by the DCSync attack leverages the GetNCChanges method: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b63730ac-614c-431c-9501-28d6aca91894. There is a lot of information about the anatomy of the DCSync attack scattered throughout the internet, as it's quite popular (example: https://adsecurity.org/?p=1729). But as usual for all MSRPC-related things, it's just the tip of the iceberg and hours of poking and selecting the right parameters at random.

Will check on it once I have some time.

oiweiwei commented 1 month ago

Hello, @dodgyturtle! I've finally managed to check how it works, so here is a basic sample: https://github.com/oiweiwei/go-msrpc/blob/main/examples/drsr_secrets_dump.go.