Shadow Credentials in Active Directory: When the Exploit Doesn’t Work — Until It Does

This article explores the use of Shadow Credentials in Active Directory for stealthy persistence and privilege escalation. It describes where common tooling runs into problems and shows how Metasploit can be used instead to inject the key credential and extract hashes.
Affected: Active Directory, Windows Server

Key points

  • Shadow Credentials use the msDS-KeyCredentialLink attribute to enable stealthy, password-less authentication in Active Directory.
  • Write access to a user or computer object allows a public key to be added to that attribute, after which the key authenticates via Kerberos PKINIT.
  • Common tools such as pyWhisker, Rubeus, and Mimikatz may hit limitations or fail when working with Shadow Credentials, especially in more tightly configured environments.
  • Metasploit provides a reliable method to inject Shadow Credentials, generate the certificate, and retrieve a valid TGT and the account's NT hash.
  • Injected Shadow Credentials are highly dangerous because they are stealthy, rely on natively supported functionality, and provide persistent access.
  • Post-exploitation techniques include Pass-the-Hash, Kerberos ticket injection, and DCSync to escalate privileges or move laterally.
  • Adaptability and the use of mature frameworks such as Metasploit are crucial when standard tools encounter obstacles in real-world scenarios.
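Because the technique rests entirely on a write to msDS-KeyCredentialLink, the most direct detection is to watch directory-change auditing for that attribute. The following is an added example, not code from the article or from any of the tools it names: it scans constructed Windows Security Event 5136 (directory service object modified) records, flattened here into key=value lines, and raises an alert whenever msDS-KeyCredentialLink is added to or removed from an object. Writes performed by a principal other than the object itself are rated high, self-writes (which legitimate device or key enrollment can produce) medium, and writes by an assumed allowlist of provisioning accounts informational. The field names follow the 5136 event XML; all account names, DNs and the allowlist are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample data: Event 5136 records flattened into key=value lines.
# Every account, host and DN below is invented for this example.
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=svc-backup SubjectDomainName=CORP "
    "ObjectDN=CN=WS01,CN=Computers,DC=corp,DC=local ObjectClass=computer "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    "EventID=5136 SubjectUserName=alice SubjectDomainName=CORP "
    "ObjectDN=CN=alice,CN=Users,DC=corp,DC=local ObjectClass=user "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    "EventID=5136 SubjectUserName=helpdesk1 SubjectDomainName=CORP "
    "ObjectDN=CN=bob,CN=Users,DC=corp,DC=local ObjectClass=user "
    "AttributeLDAPDisplayName=description OperationType=%%14674",
    "EventID=5136 SubjectUserName=WS01$ SubjectDomainName=CORP "
    "ObjectDN=CN=WS01,CN=Computers,DC=corp,DC=local ObjectClass=computer "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    "EventID=5136 SubjectUserName=svc-backup SubjectDomainName=CORP "
    "ObjectDN=CN=WS01,CN=Computers,DC=corp,DC=local ObjectClass=computer "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14675",
]

# Event 5136 encodes the operation as a resource string id.
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}
TARGET_ATTRIBUTE = "msds-keycredentiallink"


@dataclass
class Alert:
    severity: str      # "high", "medium" or "info"
    writer: str        # account that performed the write
    target_dn: str     # object whose msDS-KeyCredentialLink changed
    operation: str     # "Value Added" / "Value Deleted"
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value record into a dict (values have no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN, e.g. 'WS01' from 'CN=WS01,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else ""


def is_self_write(subject: str, dn: str) -> bool:
    """True when the writer is the object itself (computer names carry a trailing $)."""
    return subject.rstrip("$").lower() == first_rdn_value(dn).rstrip("$").lower()


def classify(event: Dict[str, str], allowlist: Iterable[str]) -> Optional[Alert]:
    """Return an Alert for a msDS-KeyCredentialLink change, or None otherwise."""
    if event.get("EventID") != "5136":
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() != TARGET_ATTRIBUTE:
        return None
    writer = event.get("SubjectUserName", "")
    dn = event.get("ObjectDN", "")
    op_code = event.get("OperationType", "")
    operation = OPERATION_NAMES.get(op_code, op_code)
    if writer.lower() in {a.lower() for a in allowlist}:
        severity, reason = "info", "write by allowlisted provisioning account"
    elif is_self_write(writer, dn):
        severity, reason = "medium", "principal changed its own key credential; verify enrollment"
    else:
        severity, reason = "high", "key credential changed on another principal's object"
    return Alert(severity, writer, dn, operation, reason)


def scan(lines: Iterable[str], allowlist: Iterable[str] = ()) -> List[Alert]:
    """Run the detection over raw records and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        alert = classify(parse_event(line), allowlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, allowlist=["svc-whfb-enroll"]):  # assumed allowlist name
        print(f"[{a.severity.upper():6}] {a.operation:13} {a.target_dn} by {a.writer}: {a.reason}")
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL covering attribute writes, so the rule is silent unless auditing has been configured first. The deletion case matters as much as the addition: removing the injected key after use is part of cleaning up, and the "Value Deleted" record may be the only trace left once the key is gone.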

Read More: https://infosecwriteups.com/shadow-credentials-in-active-directory-when-the-exploit-doesnt-work-until-it-does-c0efaa5f01ac?source=rss—-7b722bfd1b8d—4