Shadow Credentials

  • The shadow credentials attack consists of using the GenericAll or GenericWrite privilege on a user or computer account to set its msDS-KeyCredentialLink attribute (explanations here).

  • The DACL movement page on Shutdown's (@_nwodtuhs) website, The Hacker Recipes, covers this: https://www.thehacker.recipes/ad/movement/dacl

  • This attack is very useful when you have write privileges on another user.

  • With GenericWrite you can only do:

    • Targeted Kerberoasting: add an SPN to the user, Kerberoast it, then remove the SPN. But the user's password must be weak for the Kerberoasting attack to work.

    • Set up a logon script: change LDAP attributes to set a logon script. But this requires the user to log on to their computer, an SMB server or share to host the script, and a script that bypasses the security solutions in place.

    • Shadow credentials: the attack we want to do; it requires a certificate service (ADCS) on the domain.

  • With GenericAll you can :

    • ForceChangePassword: but on a real pentest you don't want to lock a user out by changing their password, and it is not very stealthy either. So if you can do it another way, that is preferable :)

    • All the attacks available in the genericWrite part.

So if ADCS is enabled on the domain and we have write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get direct access to the user account. On a real pentest this seems to be the best option in this situation.

  • Shadow credentials is now included in certipy (this attack can also be done with pywhisker).
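From the defender's side, the attribute write described above is what gives the attack away: a domain controller with the "Audit Directory Service Changes" subcategory enabled (and a SACL covering the attribute) logs Security event 5136 when msDS-KeyCredentialLink is modified. The script below is an added example, not part of these notes or of certipy/pywhisker: it runs over constructed 5136-style records in a simplified key=value line format (the event ID, field names and attribute name are real; the user names, DNs and line format are constructed), flags every write to msDS-KeyCredentialLink, and separates writes an object makes to itself (a computer account enrolling its own key) from writes made to someone else's account.

```python
"""Flag msDS-KeyCredentialLink writes in Windows Security event 5136 records.

Added example: the lines below are constructed samples in a simplified
'key=value' format, not real EVTX records. Event ID 5136, the field names
(SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType) and the
attribute name are real; user names, DNs and values are made up.
"""
import re
from collections import defaultdict

TARGET_ATTR = "msDS-KeyCredentialLink"

# Constructed sample events, one per line (hypothetical users and DNs).
SAMPLE_EVENTS = """\
EventID=5136 SubjectUserName=jdoe ObjectDN=CN=Teresa.Perez,CN=Users,DC=maryland,DC=local AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=ValueAdded
EventID=5136 SubjectUserName=jdoe ObjectDN=CN=Teresa.Perez,CN=Users,DC=maryland,DC=local AttributeLDAPDisplayName=servicePrincipalName OperationType=ValueAdded
EventID=5136 SubjectUserName=WS01$ ObjectDN=CN=WS01,CN=Computers,DC=maryland,DC=local AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=ValueAdded
EventID=4624 SubjectUserName=jdoe
"""


def parse_event(line):
    """Parse one 'key=value key=value' line into a dict (constructed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def rdn_name(dn):
    """Return the leading RDN value of a DN: 'CN=Teresa.Perez,...' -> 'Teresa.Perez'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def key_credential_writes(lines):
    """Return every 5136 event that touched msDS-KeyCredentialLink.

    'self_write' is True when the writer is the target object itself (e.g. a
    computer account WS01$ writing CN=WS01), the usual benign enrolment case.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != TARGET_ATTR.lower():
            continue
        subject = ev.get("SubjectUserName", "")
        target = ev.get("ObjectDN", "")
        hits.append({
            "subject": subject,
            "target": target,
            "operation": ev.get("OperationType", ""),
            "self_write": subject.rstrip("$").lower() == rdn_name(target).lower(),
        })
    return hits


def suspicious_writers(lines):
    """Map each account that wrote another object's msDS-KeyCredentialLink to the targets it touched."""
    by_subject = defaultdict(list)
    for hit in key_credential_writes(lines):
        if not hit["self_write"]:
            by_subject[hit["subject"]].append(hit["target"])
    return dict(by_subject)


if __name__ == "__main__":
    for subject, targets in suspicious_writers(SAMPLE_EVENTS.splitlines()).items():
        print(f"{subject} wrote msDS-KeyCredentialLink on: {', '.join(targets)}")
```

In the constructed sample only jdoe's write to Teresa.Perez is reported; the servicePrincipalName change on the same account would be the trace of the targeted Kerberoasting variant and is left to a separate rule. Legitimate enrolments (Windows Hello for Business, device registration) also populate this attribute, so in production the self-write filter should be extended with a baseline of the accounts that are expected to write it.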

Lab path: joaquin.Pereida@maryland.local > Marisol.Pedrosa > Teresa.Perez

Enumerate the domain with enum4linux:

enum4linux -u joaquin.Pereida@maryland.local -p horse -G 192.168.56.12

Start BloodHound and Neo4j

sudo /usr/bin/./neo4j console
sudo /opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage

  • And we can do the same from Marisol.Pedrosa to Teresa.Perez.
