This is a quick lab to get familiar with a technique called Shadow Credentials, written about by Elad Shamir. The technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's (user or computer account) msDS-KeyCredentialLink attribute and append alternate credentials to it in the form of certificates.
Pre-requisites
Besides the ability to write the msDS-KeyCredentialLink attribute on a target user or computer, the environment must be set up as follows for this technique to work:
The domain must have Active Directory Certificate Services and a Certificate Authority configured.
The domain must have at least one DC running Windows Server 2016, which supports PKINIT.
User Account Take Over
Overview
SAC1$ - a computer account that is misconfigured and can be taken over: Everyone can edit its msDS-KeyCredentialLink attribute. This machine account is a member of the Domain Admins group, so it is the account we will take over in this lab, effectively elevating privileges to Domain Admin.
regular.user - a low-privileged user that we will execute the technique as.
user-server - the computer from which the technique will be executed with the privileges of regular.user.
first-dc - the domain controller that we will compromise using the compromised sac1$ computer account.
Walkthrough
Since Everyone is allowed to WRITE to the SAC1$ computer account (as mentioned in the overview section), we can execute the technique from any low-privileged user's security context and elevate privileges to Domain Admin.
Let's add the shadow credentials (remember, they are added by modifying the msDS-KeyCredentialLink attribute) to the vulnerable computer account sac1$ using a tool called Whisker:
regular.user@first.local
Whisker.exe add /target:sac1$
The output below shows that Whisker successfully updated the msDS-KeyCredentialLink attribute and added the shadow credentials for that account.
At the same time, Whisker prints a Rubeus command that we can then use against the target account sac1$ to pull its TGT and/or reveal its NTLM hash (for use in Pass The Hash attacks):
After the shadow credential has been added to the account, we can confirm that msDS-KeyCredentialLink was indeed written to:
regular.user@first.local
get-netcomputer sac1
We're now ready to take over the sac1$ computer account and elevate to Domain Admin. Before that, let's first confirm that we cannot access the c$ share on the domain controller first-dc.first.local with regular.user privileges:
Let's now pull a TGT for SAC1$ using the shadow credentials that we've just added and try accessing c$ on the domain controller first-dc once again:
As mentioned earlier, computer accounts, and therefore the computers themselves, can also be compromised using shadow credentials, and this section shows how to do it.
Overview
User-server2$ - the vulnerable AD computer object; Everyone has full control over it. This is the computer we will take over to gain access to its administrative c$ share.
User-server - computer from which the technique will be executed.
Regular.user - a low privileged user account logged on to user-server.
Walkthrough
The first step is the same as in the user account takeover: add a shadow credential to the target computer user-server2$:
Whisker.exe add /target:user-server2$
Once shadow credentials are added to user-server2$, let's pull its TGT:
Before gaining administrative access over the computer user-server2, let's confirm that we do not already have admin privileges there:
Let's now request a TGS for admin@first.local (a Domain Admin) to the CIFS (SMB) service on the target computer user-server2.first.local that we want to take over, and attempt to list its administrative c$ share once again:
The output below shows the TGS being requested and imported into memory, which in turn enables our low-privileged user regular.user to authenticate to user-server2.first.local and list its C$ share while impersonating the Domain Admin user admin:
The output below simply shows the TGS we now hold in memory for accessing the CIFS service on user-server2.first.local while impersonating admin@first.local:
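Both walkthroughs above leave the same footprint in the directory: a principal other than the account itself writing msDS-KeyCredentialLink. As an added example (not part of the original lab or of Whisker), the following Python scans Windows Security Event 5136 ("A directory service object was modified") records for exactly that pattern; the sample records, the allowed_writers list and the self-enrolment heuristic are constructed assumptions.

```python
# Added example (not from the original lab): scan Windows Security Event 5136
# ("A directory service object was modified") records for msDS-KeyCredentialLink
# writes made by a principal other than the account itself. Samples are constructed.

OP_ADDED = "%%14674"     # Event 5136 OperationType: Value Added
OP_DELETED = "%%14675"   # Event 5136 OperationType: Value Deleted
KCL_ATTR = "msds-keycredentiallink"


def _rdn_value(dn: str) -> str:
    """First RDN value of a DN: 'CN=SAC1,CN=Computers,...' -> 'sac1'."""
    return dn.split(",", 1)[0].split("=", 1)[-1].strip().lower()


def detect_shadow_credentials(events, allowed_writers=()):
    """Return alerts for msDS-KeyCredentialLink changes by a foreign principal.

    Assumption: an account writing its own key (Windows Hello for Business
    enrolment) is benign, as is any subject in allowed_writers (e.g. a known
    provisioning service). Anything else matches what Whisker/pyWhisker do:
    a different user appending a key credential to a target it controls by ACL.
    """
    allowed = {w.lower() for w in allowed_writers}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != KCL_ATTR:
            continue
        subject = ev.get("SubjectUserName", "").lower()
        target = _rdn_value(ev.get("ObjectDN", ""))
        if subject.rstrip("$") == target or subject in allowed:
            continue  # self-enrolment or whitelisted writer
        op = {OP_ADDED: "added", OP_DELETED: "deleted"}.get(ev.get("OperationType"), "unknown")
        alerts.append({"subject": subject, "target": target, "operation": op,
                       "dn": ev.get("ObjectDN", "")})
    return alerts


# Constructed sample: a benign self-enrolment, the lab's write by regular.user
# against SAC1 (Whisker.exe add /target:sac1$), and an unrelated logon event.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "USER-SERVER2$",
     "ObjectDN": "CN=USER-SERVER2,CN=Computers,DC=first,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": OP_ADDED},
    {"EventID": 5136, "SubjectUserName": "regular.user",
     "ObjectDN": "CN=SAC1,CN=Computers,DC=first,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": OP_ADDED},
    {"EventID": 4624, "SubjectUserName": "regular.user"},
]
```

Event 5136 is only emitted when "Audit Directory Service Changes" is enabled and the object's SACL audits writes to the attribute, so confirm that auditing is in place before relying on this check.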
Operating from Linux
If you're operating from a Linux box, you may execute the Shadow Credentials technique using pyWhisker (Whisker ported to Python) by https://twitter.com/_nwodtuhs.