mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

Merge pull request #681 from clem9669/patch-11

Update shadow-credentials.md
Carlos Polop 2023-08-07 07:27:48 +02:00 committed by GitHub
commit d762d11ebc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -76,6 +76,39 @@ Example: **`Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1
More options on the [**Readme**](https://github.com/eladshamir/Whisker).
{% endhint %}
## [pywhisker](https://github.com/ShutdownRepo/pywhisker) <a href="#7e2e" id="7e2e"></a>
pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object.
It's based on Impacket and on a Python equivalent of Michael Grafnetter's DSInternals called PyDSInternals made by podalirius.
This tool, along with Dirk-jan's PKINITtools allow for a complete primitive exploitation on UNIX-based systems only.
pyWhisker can be used to operate various actions on the msDs-KeyCredentialLink attribute of a target
- *list*: list all current KeyCredentials ID and creation time
- *info*: print all info contained in a KeyCredential structure
- *add*: add a new KeyCredential to the msDs-KeyCredentialLink
- *remove*: remove a KeyCredential from the msDs-KeyCredentialLink
- *clear*: remove all KeyCredentials from the msDs-KeyCredentialLink
- *export*: export all KeyCredentials from the msDs-KeyCredentialLink in JSON
- *import*: overwrite the msDs-KeyCredentialLink with KeyCredentials from a JSON file
pyWhisker supports the following authentications:
- (NTLM) Cleartext password
- (NTLM) Pass-the-hash
- (Kerberos) Cleartext password
- (Kerberos) Pass-the-key / Overpass-the-hash
- (Kerberos) Pass-the-cache (type of Pass-the-ticket)
![](https://github.com/ShutdownRepo/pywhisker/blob/main/.assets/add_pfx.png)
{% hint style="info" %}
More options on the [**Readme**](https://github.com/ShutdownRepo/pywhisker).
{% endhint %}
## [ShadowSpray](https://github.com/Dec0ne/ShadowSpray/)
In several cases, the group "Everyone" / "Authenticated Users" / "Domain Users" or some other **wide group** contains almost all the users in the domain has some `GenericWrite`/`GenericAll` DACLs **over other objects** in the domain. [**ShadowSpray**](https://github.com/Dec0ne/ShadowSpray/) tries to **abuse** therefore **ShadowCredentials** over all of them
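Review bot: The screenshot at the end of the added pywhisker section is linked through `https://github.com/ShutdownRepo/pywhisker/blob/main/.assets/add_pfx.png`, and a `/blob/` URL serves GitHub's HTML file viewer rather than the image itself, so it will not render as an image here; link the raw form of the file or commit a copy of the asset alongside the page. In the same section the attribute is written `msDS-KeyCredentialLink` in the first paragraph and `msDs-KeyCredentialLink` in the intro sentence and every list item; the schema name is `msDS-KeyCredentialLink`, and a single spelling keeps the page searchable. The sentence "allow for a complete primitive exploitation on UNIX-based systems only" reads as though the tooling is restricted to UNIX; if the intent is that no Windows host is required, say that directly. The line "pyWhisker can be used to operate various actions on the msDs-KeyCredentialLink attribute of a target" introduces a list and should end with a colon. Since `clear` and `import` are described as removing or overwriting every existing value, a short note that the attribute may also hold legitimate Windows Hello for Business keys would help readers understand the impact on the target object.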