AlmondOffSec / PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
Apache License 2.0

Support for Shadow Credential certificate? #18

Closed Dramelac closed 10 months ago

Dramelac commented 11 months ago

If an account is compromised with pywhisker.py during a shadow cred attack, a self-signed certificate is registered in LDAP, enabling PKINIT authentication under normal circumstances. However, if the DC returns the error KDC_ERR_PADATA_TYPE_NOSUPP, would it still be possible to connect to LDAPS using this certificate?

```
python3 passthecert.py -action whoami -crt shadow_cred.crt -key shadow_cred.key -domain lab.local -dc-host "dc.lab.local" -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /opt/my-resources/tools/PassTheCert/Python/venv/lib/python3.11/site-packages/impacket
[+] The new computer will be added in CN=Computers,dc=lab,dc=local
Traceback (most recent call last):
  File "/opt/my-resources/tools/PassTheCert/Python/passthecert.py", line 685, in <module>
    manage.whoami()
  File "/opt/my-resources/tools/PassTheCert/Python/passthecert.py", line 453, in whoami
    raise Exception('whoami command failed, certificate seems not trusted by the Active Directory')
Exception: whoami command failed, certificate seems not trusted by the Active Directory
whoami command failed, certificate seems not trusted by the Active Directory
```

Thank you !

ThePirateWhoSmellsOfSunflowers commented 10 months ago

Hello!

Yes you are right, certificates set with shadow cred attack cannot be used to do authentication with schannel.

:sunflower:
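A quick pre-check that follows from the answer above, added here as an example and not part of PassTheCert or pywhisker: a shadow-credential certificate is self-signed (issuer equals subject and the signature verifies with the certificate's own key), so it is only usable through PKINIT key trust, whereas Schannel needs a certificate issued by a CA the domain trusts. The script below classifies a PEM certificate as `self-signed` or `ca-issued` using `openssl` only; the certificates it generates (a self-signed `shadow.crt` and a `user.crt` issued by a throwaway `lab-CA`) are constructed sample data, and the file names and subjects are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not PassTheCert code. Classify a client certificate before
# trying Schannel (LDAPS) authentication with it. A certificate whose issuer
# is its own subject and whose signature verifies against its own public key
# is self-signed, which is what a shadow-credential tool such as pywhisker
# writes into msDS-KeyCredentialLink: usable for PKINIT key trust, not for
# Schannel, which expects a chain to a CA the domain trusts.

classify_cert() {
    # $1: path to a PEM certificate. Prints "self-signed" or "ca-issued".
    cert="$1"
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    # Drop the "subject=" / "issuer=" prefixes so the two DNs can be compared.
    subject=${subject#subject=}
    issuer=${issuer#issuer=}
    # Same DN alone is not proof; the signature must also verify with the
    # certificate's own key, which is what "verify -CAfile cert cert" checks.
    if [ "$subject" = "$issuer" ] && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

make_demo_certs() {
    # Constructed sample data written into directory $1:
    #  - shadow.crt: self-signed, the shape of a shadow-credential certificate
    #  - user.crt:   issued by a throwaway CA (lab-CA), the shape Schannel wants
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/shadow.key" \
        -out "$dir/shadow.crt" -subj "/CN=WS01" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=lab-CA" -days 1 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
        -out "$dir/user.csr" -subj "/CN=user" >/dev/null 2>&1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/user.crt" -days 1 >/dev/null 2>&1
}

demo() {
    # Build the two sample certificates and report how each one classifies.
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    for name in shadow user; do
        printf '%s: %s\n' "$name.crt" "$(classify_cert "$tmp/$name.crt")"
    done
    rm -rf "$tmp"
}

demo
```

A `self-signed` result means the certificate was never issued by a CA and will not get past Schannel's certificate mapping, so `passthecert.py` is the wrong tool for it; use it with PKINIT instead. A `ca-issued` result only says the issuer is a different entity than the subject; whether that issuer is actually trusted by the target domain is a separate question the script does not answer.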

enj5oy commented 8 months ago

> Hello!
>
> Yes you are right, certificates set with shadow cred attack cannot be used to do authentication with schannel.
>
> 🌻

@ThePirateWhoSmellsOfSunflowers Hello, could you please provide an explanation for why authentication with the certificate from PyWhisker is not successful?

ThePirateWhoSmellsOfSunflowers commented 8 months ago

Hello @enj5oy! I wrote a comment in #20, maybe it answers your question.

:sunflower: