Shadow Credentials
Before jumping into exploiting Shadow Credentials, I highly recommend reading the on shadow credentials.
There are three prerequisites for this attack to be performed:
The ability to write to the msDS-KeyCredentialLink attribute on the target.
A DC on the domain must be configured to support PKINIT.
After identifying a user account or machine account whose msDS-KeyCredentialLink attribute can be written to, Whisker can be used to automate the exploitation from a Windows machine:
After running Whisker, it provides a Rubeus command that can be executed in order to pull the target's TGT or NTLM hash.
Ntlmrelayx also supports exploiting shadow credentials and can be used as follows:
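From the defender's side, the write to msDS-KeyCredentialLink that every tool above depends on shows up in Windows Security event 5136 (directory service object modified) once directory service change auditing is enabled. The Python below is an added example, not code from this page or from Whisker or ntlmrelayx; it runs a simple heuristic over constructed 5136 records, flagging any key-credential change made by a principal other than the target object itself while letting self-enrolment through. The field names and the %%14674/%%14675 operation codes are assumed to match the 5136 schema.

```python
import re

# 5136 OperationType codes as Windows logs them (assumed).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample events, not real telemetry. Field names follow the 5136
# schema (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "WS01$", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},      # self-enrolment
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},      # write to another account
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},                 # unrelated attribute
    {"EventID": 5136, "SubjectUserName": "adminuser", "OperationType": VALUE_DELETED,
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},      # clean-up of a key
]

def rdn_name(dn):
    """Return the leading CN value of a distinguished name, e.g. 'WS01'."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""

def is_self_write(subject, object_dn):
    """True when the writer is the object itself (computer accounts end in '$')."""
    return subject.rstrip("$").lower() == rdn_name(object_dn).lower()

def find_shadow_credential_writes(events):
    """Return (subject, target DN, operation) for every msDS-KeyCredentialLink
    change made by a principal other than the target object itself."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        if is_self_write(ev["SubjectUserName"], ev["ObjectDN"]):
            continue  # WHfB-style self-enrolment; tune this allow-list to your estate
        op = "added" if ev["OperationType"] == VALUE_ADDED else "removed"
        hits.append((ev["SubjectUserName"], ev["ObjectDN"], op))
    return hits

if __name__ == "__main__":
    for subject, dn, op in find_shadow_credential_writes(SAMPLE_EVENTS):
        print(f"ALERT: {subject} {op} a key credential on {dn}")
```

Both the addition and the later removal of a key on someone else's object are surfaced, so the clean-up step an operator performs after use is caught as well as the initial write.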