Kerberos pre-authentication is usually carried out with a symmetric key derived from the client's password, but asymmetric keys can also be used via Public Key Cryptography for Initial Authentication (PKINIT). Where a PKI such as Active Directory Certificate Services is in place, domain controllers and domain members are issued certificates by the appropriate Certificate Authority, and the KDC validates a client's certificate against the CAs it trusts. This is called the Certificate Trust model.
There is also a Key Trust model, where trust is established on raw public key data rather than on a certificate. The client's public key is stored on its own domain object, in a multi-valued attribute called msDS-KeyCredentialLink (this is the mechanism Windows Hello for Business uses for passwordless logon, and it requires Windows Server 2016 or later domain controllers that themselves hold a certificate usable for PKINIT). The basis of the "shadow credentials" attack is that if you can write to this attribute on a user or computer object, you can add your own key pair and then obtain a TGT for that principal via PKINIT, without knowing or resetting its password. As such, this is a DACL-style abuse, much like RBCD.
Along with his excellent blog post on the subject, Elad Shamir published a tool called Whisker, which makes exploiting this very easy. First, we want to list any keys that are already present on the target. This is important for when we want to clean up later.
Next, add a new key pair to the target. Whisker generates a self-signed certificate and key pair, writes the public key into msDS-KeyCredentialLink, and prints a ready-made Rubeus asktgt command carrying the base64-encoded certificate and its password.
And now, we can ask for a TGT using the Rubeus command that Whisker provides.
Whisker's clear command will remove any and all keys from msDS-KeyCredentialLink. This is a bad idea if a key was already present, because it will break legitimate passwordless authentication (such as Windows Hello for Business) that was in place. In that case, list the entries again and remove only the one you added, identified by its DeviceID.