The new release of Metasploit Framework includes a Shadow Credentials module, added by smashery, for reliably taking over an Active Directory user or computer account and allowing future authentication as that account. This can be chained with other modules in Metasploit Framework such as windows_secrets_dump.
The module targets a "victim" account that is part of a domain where the Domain Controller is running Windows Server 2016 or newer.
Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket module, which can subsequently be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump. This can be performed when a user has the GenericWrite permission over another account. By default, computer accounts have the ability to write their own value (whereas user accounts do not).

The shadow credentials added persist across password changes, making this a very useful technique for obtaining a TGT.
The steps for this technique (performed automatically by the module) are:
Generate and store a key and certificate locally
Store the certificateโs public key as a KeyCredential
On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object
After the above steps, you can:
Obtain a TGT & NTLM hash
Perform further attacks using the above values
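As an added example from the defender's side (this is not code from the Metasploit module or from the page), here is a small Python parser for the msDS-KeyCredentialLink values that the steps above modify. It decodes each DN-Binary attribute value into its KEYCREDENTIALLINK_BLOB entries (device ID, key usage and source, creation time) so an administrator can audit which keys are linked to an account and flag any not tied to a device in their inventory. The entry layout and identifiers follow MS-ADTS section 2.2.20; the sample value, device ID and DN are constructed for the example, and the audit helper and its "known device" rule are assumptions of this example, not anything the page describes.

```python
"""Audit msDS-KeyCredentialLink values on an AD account (added example, not Metasploit code).

Each attribute value is DN-Binary text, "B:<hex-char-count>:<hex>:<DN>". The hex part is a
KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20): a 4-byte version (0x200) followed by entries of
uint16 length, uint8 identifier, value. Decoding them shows when a key was added and which
device it claims to belong to, which is how an unexpected shadow credential stands out.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

KCL_VERSION = 0x00000200
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME (100 ns ticks since 1601) to UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def parse_dn_binary(value: str):
    """Split a DN-Binary string into (blob bytes, DN of the linked object)."""
    tag, hex_len, hex_data, dn = value.split(":", 3)
    if tag != "B" or int(hex_len) != len(hex_data):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hex_data), dn


def parse_key_credential_blob(blob: bytes) -> dict:
    """Decode a KEYCREDENTIALLINK_BLOB into a dict keyed by entry name."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KCL_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, offset = {}, 4
    while offset < len(blob):
        if offset + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        value = blob[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated entry value")
        offset += length
        name = ENTRY_NAMES.get(ident, f"Unknown_{ident:#04x}")
        if ident == 0x06:                 # DeviceId is a little-endian GUID
            entries[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (0x08, 0x09):       # FILETIME timestamps
            entries[name] = filetime_to_datetime(value)
        elif ident in (0x04, 0x05):       # single-byte enums (usage, source)
            entries[name] = value[0]
        else:
            entries[name] = value.hex()
    return entries


def audit_key_credential_link(values, known_device_ids):
    """One finding per linked key; known_device is False when the DeviceId is not
    in the administrator's inventory (assumed rule for this example)."""
    findings = []
    for value in values:
        blob, dn = parse_dn_binary(value)
        entries = parse_key_credential_blob(blob)
        created = entries.get("KeyCreationTime")
        findings.append({
            "dn": dn,
            "device_id": entries.get("DeviceId"),
            "key_source": entries.get("KeySource"),
            "created": created.isoformat() if created else None,
            "known_device": entries.get("DeviceId") in known_device_ids,
        })
    return findings


# --- constructed sample value: placeholder key bytes, made-up device and DN -----
def _entry(ident: int, value: bytes) -> bytes:
    return struct.pack("<HB", len(value), ident) + value

SAMPLE_DEVICE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_DN = "CN=victim-host,CN=Computers,DC=example,DC=local"
_sample_blob = (
    struct.pack("<I", KCL_VERSION)
    + _entry(0x01, bytes(32))          # placeholder KeyID
    + _entry(0x03, bytes(16))          # placeholder KeyMaterial
    + _entry(0x04, b"\x01")            # KeyUsage: NGC
    + _entry(0x05, b"\x00")            # KeySource: AD
    + _entry(0x06, uuid.UUID(SAMPLE_DEVICE_ID).bytes_le)
    + _entry(0x09, datetime_to_filetime(datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)))
)
SAMPLE_VALUE = f"B:{len(_sample_blob.hex())}:{_sample_blob.hex()}:{SAMPLE_DN}"

if __name__ == "__main__":
    for finding in audit_key_credential_link([SAMPLE_VALUE], known_device_ids=set()):
        print(finding)
```

For real data, feed the script the values returned by an LDAP query of the account's msDS-KeyCredentialLink attribute; an entry whose DeviceId is not in your inventory, or whose KeyCreationTime does not line up with a known enrollment, is the one to investigate. When directory service object auditing is enabled, the write itself is also recorded on the domain controller as Security event 5136, which is the natural alert source for changes to this attribute.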
Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: #19051 contributed by smashery
Path: admin/ldap/shadow_credentials
Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute, which enables the user to execute "shadow credential" attacks for persistence and lateral movement.
Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #19044 contributed by h00die-gr3y
Path: multi/http/gibbon_auth_rce_cve_2024_24725
AttackerKB reference: CVE-2024-24725
Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).
Author: h00die
Type: Post
Pull request: #18962 contributed by h00die
Path: linux/gather/rancher_audit_log_leak
AttackerKB reference: CVE-2023-22649
Description: A post module to leverage CVE-2023-22649, which is a sensitive information leak in the Rancher service's audit logs.
The auxiliary/scanner/snmp/snmp_login module has been updated to work over the TCP protocol in addition to UDP.

Also addressed: a bug affecting certain user_file/pass_file module option combinations. It occurred when a session was successfully opened but the next login attempt then closed the socket being used by the newly created session.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.