Metasploit Weekly Wrap-Up 04/12/24


Account Takeover using Shadow Credentials


The new release of Metasploit Framework includes a Shadow Credentials module, added by smashery, for reliably taking over an Active Directory user or computer account and allowing future authentication to happen as that account. This can be chained with other modules in Metasploit Framework such as windows_secrets_dump.


Details


The module targets a ‘victim’ account in a domain whose Domain Controller is running Windows Server 2016 or newer.


Using an account that has write permission over another user account object (or over its own), the module adds a public key credential object to that account's msDS-KeyCredentialLink property. A Ticket Granting Ticket can then be requested with the get_ticket module and used for a pass-the-ticket style attack, for example with auxiliary/gather/windows_secrets_dump. This requires the acting user to hold the GenericWrite permission over the target account. By default, computer accounts have the ability to write their own value, whereas user accounts do not.


The shadow credentials added persist across password changes, making this a very useful technique for obtaining a TGT.


The steps for this technique (performed automatically by the module) are:
Generate and store a key and certificate locally
Store the certificate’s public key as a KeyCredential
On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object


After the above steps, you can:
Obtain a TGT & NTLM hash
Perform further attacks using the above values
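For defenders, the write described above leaves a trace: with Directory Service Changes auditing enabled and a SACL on the target objects, each modification of msDS-KeyCredentialLink is logged by the Domain Controller as Event ID 5136. The following is an added example, not part of this post or the Metasploit module, that flags such writes in constructed sample events; the field names mirror 5136 EventData, while the severity rules are this example's own.

```python
"""Flag msDS-KeyCredentialLink writes in Windows Event ID 5136 records.
The sample events below are constructed for illustration, not real logs."""
from dataclasses import dataclass

# OperationType codes used by Event ID 5136 (Directory Service Changes)
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample events shaped like 5136 EventData fields (NOT real logs)
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc_backup,OU=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc_backup,OU=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_DELETED},
]

@dataclass
class Finding:
    subject: str   # account that performed the write (SubjectUserName)
    target: str    # account whose msDS-KeyCredentialLink changed
    severity: str
    reason: str

def _rdn_name(dn: str) -> str:
    """Return the leading CN value of a DN, e.g. 'WS01' for 'CN=WS01,OU=...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first

def find_shadow_credential_writes(events):
    """Return one Finding per 5136 event that touches msDS-KeyCredentialLink."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        subject, target = ev["SubjectUserName"], _rdn_name(ev["ObjectDN"])
        # Computer accounts may write their own link by default; user accounts may not.
        self_write = subject.rstrip("$").lower() == target.rstrip("$").lower()
        if ev["OperationType"] == VALUE_DELETED:
            findings.append(Finding(subject, target, "medium", "KeyCredential removed; possible cleanup after use"))
        elif self_write and ev.get("ObjectClass") == "computer":
            findings.append(Finding(subject, target, "low", "computer account wrote its own msDS-KeyCredentialLink"))
        else:
            findings.append(Finding(subject, target, "high", "msDS-KeyCredentialLink written by another principal"))
    return findings
```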


New module content (3)


Shadow Credentials


Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: metasploit weekly