pywhisker: Python tool for Shadow Credentials attacks
PyWhisker
pyWhisker is a Python equivalent of the original Whisker, written in C# by Elad Shamir. It lets the operator manipulate the msDS-KeyCredentialLink attribute of a target user or computer account in order to obtain full control over that object: a public key written into that attribute can then be used to authenticate as the target through PKINIT. It is built on Impacket and on PyDSInternals, our Python port of Michael Grafnetter's DSInternals. pyWhisker itself only manages the attribute; combined with Dirk-jan Mollema's PKINITtools for the PKINIT step, the whole primitive can be exploited from a UNIX-based system, with no Windows host required.
Pre-requisites for this attack are as follows:
1. the target Domain Functional Level must be Windows Server 2016 or above;
2. the target domain must have at least one Domain Controller running Windows Server 2016 or above;
3. the Domain Controller used during the attack must have its own certificate and keys (in practice this means the organization runs AD CS or another PKI that has issued the DC a certificate suitable for PKINIT, such as one from the Domain Controller or Kerberos Authentication templates);
4. the attacker must control an account that can write the msDS-KeyCredentialLink attribute of the target user or computer account.
Why these pre-requisites?
- Pre-reqs 1 and 2 because key trust authentication, i.e. PKINIT against a public key stored in msDS-KeyCredentialLink rather than a certificate, was introduced with Windows Server 2016.
- Pre-req 3 because the DC needs its own certificate and key pair to carry out the session key exchange during the AS-REQ / AS-REP transaction.
If pre-req 3 is not met, the KDC answers the AS-REQ with KRB-ERROR 16, KDC_ERR_PADATA_TYPE_NOSUPP.
pyWhisker can perform the following actions on the msDS-KeyCredentialLink attribute of a target:
- list: list the ID and creation time of every current KeyCredential
- info: print all the information contained in one KeyCredential structure
- add: add a new KeyCredential to the msDS-KeyCredentialLink
- remove: remove one KeyCredential from the msDS-KeyCredentialLink
- clear: remove all KeyCredentials from the msDS-KeyCredentialLink
- export: export all KeyCredentials from the msDS-KeyCredentialLink to JSON
- import: overwrite the msDS-KeyCredentialLink with the KeyCredentials from a JSON file
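The values that list, info and add operate on are KEYCREDENTIALLINK_BLOB structures stored in LDAP DN-with-binary syntax. The following is an added, stdlib-only example written for this page; it is not pyWhisker's or PyDSInternals' code. It builds one such value around a BCRYPT_RSAKEY_BLOB public key (the modulus is constructed filler, not a real key), encodes it as the LDAP attribute value, parses it back the way a list/info action must, and checks the two integrity fields: KeyID is SHA-256 of the KeyMaterial, and KeyHash is SHA-256 of the serialized entries that follow it (the hash definitions and entry identifiers follow the author's reading of [MS-ADTS] / DSInternals). The owner DN, device GUID and timestamps are constructed sample data.

```python
"""KeyCredentialLink blob: build, encode as DN-with-binary, parse and verify.

Added example (not pyWhisker / PyDSInternals code). Entry identifiers per
KEYCREDENTIALLINK_ENTRY; KeyID/KeyHash derivation per the author's reading of
[MS-ADTS] and DSInternals. Sample key material, DN and GUID are constructed.
"""
import base64
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

VERSION = 0x00000200  # KEYCREDENTIALLINK_BLOB version 2
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 1, 2, 3, 4, 5
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 6, 7, 8, 9
USAGE_NGC, SOURCE_AD = 0x01, 0x00  # Next Generation Credential, key created in AD
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601), integer-exact."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def rsa_public_blob(modulus_be, exponent=65537):
    """BCRYPT_RSAKEY_BLOB (magic 'RSA1'): header, then big-endian exponent and modulus."""
    exp = exponent.to_bytes(3, 'big')
    header = struct.pack('<IIIIII', 0x31415352, len(modulus_be) * 8,
                         len(exp), len(modulus_be), 0, 0)
    return header + exp + modulus_be


def entry(ident, data):
    """One TLV entry: uint16 length, uint8 identifier, data."""
    return struct.pack('<HB', len(data), ident) + data


def build_key_credential_link(key_material, device_id, created):
    ft = struct.pack('<Q', to_filetime(created))
    tail = (entry(KEY_MATERIAL, key_material)
            + entry(KEY_USAGE, bytes([USAGE_NGC]))
            + entry(KEY_SOURCE, bytes([SOURCE_AD]))
            + entry(DEVICE_ID, device_id.bytes_le)
            + entry(CUSTOM_KEY_INFO, bytes([1, 0]))  # version 1, flags 0
            + entry(LAST_LOGON, ft)
            + entry(CREATION_TIME, ft))
    head = (entry(KEY_ID, hashlib.sha256(key_material).digest())
            + entry(KEY_HASH, hashlib.sha256(tail).digest()))  # hash of all later entries
    return struct.pack('<I', VERSION) + head + tail


def to_dn_with_binary(blob, owner_dn):
    """LDAP DN-with-binary syntax: B:<number of hex digits>:<hex>:<DN>."""
    h = blob.hex().upper()
    return f'B:{len(h)}:{h}:{owner_dn}'


def from_dn_with_binary(value):
    tag, count, h, dn = value.split(':', 3)
    if tag != 'B' or int(count) != len(h):
        raise ValueError('malformed DN-with-binary value')
    return bytes.fromhex(h), dn


def parse_key_credential_link(blob):
    """Walk the entries and verify KeyID and KeyHash; raise on any inconsistency."""
    version, = struct.unpack_from('<I', blob, 0)
    if version != VERSION:
        raise ValueError(f'unsupported KeyCredentialLink version {version:#x}')
    fields, offset, hash_end = {}, 4, None
    while offset < len(blob):
        if offset + 3 > len(blob):
            raise ValueError('truncated entry header')
        length, ident = struct.unpack_from('<HB', blob, offset)
        offset += 3
        data = blob[offset:offset + length]
        if len(data) != length:
            raise ValueError('truncated entry data')
        offset += length
        fields[ident] = data
        if ident == KEY_HASH:
            hash_end = offset  # KeyHash covers everything from here on
    if hashlib.sha256(fields[KEY_MATERIAL]).digest() != fields[KEY_ID]:
        raise ValueError('KeyID does not match KeyMaterial')
    if hash_end is None or hashlib.sha256(blob[hash_end:]).digest() != fields[KEY_HASH]:
        raise ValueError('KeyHash mismatch: entries were altered')
    return {'key_id': base64.b64encode(fields[KEY_ID]).decode(),
            'device_id': uuid.UUID(bytes_le=fields[DEVICE_ID]),
            'created': from_filetime(struct.unpack('<Q', fields[CREATION_TIME])[0]),
            'usage': fields[KEY_USAGE][0]}


def demo():
    # constructed sample data: deterministic 2048-bit filler modulus, fixed GUID and DN
    modulus = bytes([0xC0]) + bytes(range(1, 256))
    created = datetime(2022, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    device = uuid.UUID('12345678-1234-5678-1234-567812345678')
    blob = build_key_credential_link(rsa_public_blob(modulus), device, created)
    ldap_value = to_dn_with_binary(blob, 'CN=target,CN=Users,DC=example,DC=lab')
    raw, dn = from_dn_with_binary(ldap_value)
    info = parse_key_credential_link(raw)
    # changing KeyUsage without recomputing KeyHash must be rejected
    tampered = raw.replace(entry(KEY_USAGE, bytes([USAGE_NGC])), entry(KEY_USAGE, bytes([0x02])))
    try:
        parse_key_credential_link(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {'blob_len': len(blob), 'dn': dn, 'device_id': str(info['device_id']),
            'usage': info['usage'], 'created_ok': info['created'] == created,
            'key_id': info['key_id'], 'tamper_detected': tamper_detected}


if __name__ == '__main__':
    print(demo())
```

In a real run, the KeyMaterial is the public half of a key pair the attacker generated, and the matching private key plus its certificate are what gettgtpkinit.py from PKINITtools then uses to request a TGT as the target. Checking the KeyHash before acting on a value read back from LDAP is also a cheap way to notice that a stored entry is malformed rather than yours.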
pyWhisker supports the following authentication methods:
- (NTLM) Cleartext password
- (NTLM) Pass-the-hash
- (Kerberos) Cleartext password
- (Kerberos) Pass-the-key / Overpass-the-hash
- (Kerberos) Pass-the-cache (type of Pass-the-ticket)
Download
git clone https://github.com/ShutdownRepo/pywhisker.git
Use
Copyright (C) 2022 ShutdownRepo