Shadow Credentials in Active Directory: When the Exploit Doesn’t Work — Until It Does
Summary
An article on the use of ‘Shadow Credentials’ in Active Directory (AD), a technique that provides stealthy persistent access through the msDS-KeyCredentialLink attribute introduced in Windows Server 2016, outlines how to perform it with Metasploit in cases where other tools fail.
The author, who had difficulties injecting a public key that allows authentication as a specific AD object via PKINIT, succeeded by using Metasploit’s auxiliary/admin/ldap/shadow_credentials module to add a shadow credential to an object, and then extracted the Ticket Granting Ticket (TGT) and the NTLM hash using the auxiliary/admin/kerberos/get_ticket module, thus bypassing the issues they were experiencing with other tools.
They noted that the stealthy nature of shadow credentials, which don’t touch passwords, don’t alert users, and leverage native Windows PKINIT support, makes them a powerful attack vector, but warned that this path may not always work due to environmental quirks, so it’s necessary to have a backup plan and tools like Metasploit.
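Because the technique works by writing a key to msDS-KeyCredentialLink, the defender's counterpart is to watch for that write. The example below is added here and is not code from the article; it parses Windows Security event 5136 ("A directory service object was modified") records, which carry the SubjectUserName, ObjectDN, AttributeLDAPDisplayName and OperationType fields, and flags additions to msDS-KeyCredentialLink. The sample events, the `EXPECTED_WRITERS` allowlist and the severity labels are constructed for illustration; real environments will have their own legitimate writers (device or key enrollment flows), so the allowlist is an assumption to tune.

```python
"""Flag writes to msDS-KeyCredentialLink in Windows Security event 5136 records.

Added detection example; the event fields are the standard 5136 fields, the
sample data and the allowlist below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Windows resource strings used in the OperationType field of event 5136.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

TARGET_ATTRIBUTE = "msds-keycredentiallink"


@dataclass(frozen=True)
class DsChange:
    """One directory-service change record (subset of event 5136 fields)."""
    event_id: int
    subject: str      # SubjectUserName: who performed the write
    object_dn: str    # ObjectDN: the object that was modified
    attribute: str    # AttributeLDAPDisplayName
    operation: str    # OperationType (%%14674 added / %%14675 deleted)


# Constructed allowlist: accounts expected to write key credentials in this
# hypothetical environment (e.g. a directory sync service account).
EXPECTED_WRITERS = frozenset({"MSOL_SYNC"})


def _first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of a DN, lower-cased ("CN=WS01,..." -> "ws01")."""
    head = dn.split(",", 1)[0]
    return head.split("=", 1)[1].strip().lower() if "=" in head else head.strip().lower()


def find_shadow_credential_writes(
    events: Iterable[DsChange],
    expected_writers: frozenset = frozenset(),
) -> List[Tuple[str, str, str]]:
    """Return (severity, subject, object_dn) for every suspicious key-credential write.

    A principal adding a key to another object's msDS-KeyCredentialLink is
    rated "high"; a principal writing to its own object is rated "review",
    because some legitimate enrollment flows look like that. Allowlisted
    writers and deletions are not reported.
    """
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.event_id != 5136:
            continue
        if ev.attribute.lower() != TARGET_ATTRIBUTE:
            continue
        if ev.operation != VALUE_ADDED:
            continue
        if ev.subject in expected_writers:
            continue
        # Computer accounts end in '$'; strip it to compare with the object's CN.
        self_write = ev.subject.rstrip("$").lower() == _first_rdn_value(ev.object_dn)
        alerts.append(("review" if self_write else "high", ev.subject, ev.object_dn))
    return alerts


# Constructed sample events covering the cases the detector distinguishes.
SAMPLE_EVENTS = [
    # A user account adds a key to a workstation's object: classic shadow credential write.
    DsChange(5136, "jdoe", "CN=WS01,OU=Workstations,DC=corp,DC=example",
             "msDS-KeyCredentialLink", VALUE_ADDED),
    # A computer writes to its own object: worth a look, but commonly benign.
    DsChange(5136, "WS02$", "CN=WS02,OU=Workstations,DC=corp,DC=example",
             "msDS-KeyCredentialLink", VALUE_ADDED),
    # Allowlisted sync account: suppressed.
    DsChange(5136, "MSOL_SYNC", "CN=Alice,OU=Users,DC=corp,DC=example",
             "msDS-KeyCredentialLink", VALUE_ADDED),
    # Unrelated attribute change: ignored.
    DsChange(5136, "jdoe", "CN=WS01,OU=Workstations,DC=corp,DC=example",
             "description", VALUE_ADDED),
    # Key removal (cleanup): not reported by this rule.
    DsChange(5136, "jdoe", "CN=WS01,OU=Workstations,DC=corp,DC=example",
             "msDS-KeyCredentialLink", VALUE_DELETED),
]


if __name__ == "__main__":
    for severity, subject, dn in find_shadow_credential_writes(SAMPLE_EVENTS, EXPECTED_WRITERS):
        print(f"[{severity}] {subject} added a key credential to {dn}")
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and a SACL on the target objects covers writes to the attribute; without that auditing in place there is nothing for this rule to match, so verifying the audit configuration is the first step before deploying the logic.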