pywhisker: Python tool for Shadow Credentials attacks

PyWhisker

pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It’s based on Impacket and on our Python equivalent of Michael Grafnetter’s DSInternals called PyDSInternals. This tool, along with Dirk-jan’s PKINITtools allows for complete primitive exploitation on UNIX-based systems only.

Pre-requisites for this attack are as follows

  1. the target Domain Functional Level must be Windows Server 2016 or above.
  2. the target domain must have at least one Domain Controller running Windows Server 2016 or above.
  3. the Domain Controller to use during the attack must have its own certificate and keys (this means either the organization must have AD CS, a PKI, a CA, or something like that).
  4. the attacker must have control over an account able to write the msDs-KeyCredentialLink attribute of the target user or computer account.

Why some pre-reqs?

  • Pre-reqs 1 and 2 because the PKINIT features were introduced with Windows Server 2016.
  • Pre-req 3 because the DC needs its own certificate and keys for the session key exchange during the AS_REQ <-> AS_REP transaction.

A KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP will be raised if pre-req 3 is not met.

pyWhisker can be used to operate various actions on the msDs-KeyCredentialLink attribute of a target

  • list: list all current KeyCredentials ID and creation time
  • info: print all info contained in a KeyCredential structure
  • add: add a new KeyCredential to the msDs-KeyCredentialLink
  • remove: remove a KeyCredential from the msDs-KeyCredentialLink
  • clear: remove all KeyCredentials from the msDs-KeyCredentialLink
  • export: export all KeyCredentials from the msDs-KeyCredentialLink in JSON
  • import: overwrite the msDs-KeyCredentialLink with KeyCredentials from a JSON file

pyWhisker supports the following authentications

  • (NTLM) Cleartext password
  • (NTLM) Pass-the-hash
  • (Kerberos) Cleartext password
  • (Kerberos) Pass-the-key / Overpass-the-hash
  • (Kerberos) Pass-the-cache (type of Pass-the-ticket)

Download

git clone https://github.com/ShutdownRepo/pywhisker.git

Use

Copyright (C) 2022 ShutdownRepo

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce