Tl;dr

It is possible to add “Key Credentials” (also referred as Shadow Credentials) to the attribute msDS-KeyCredentialLink of the target user/computer object and then perform Kerberos authentication as that account using PKINIT.

What are?

msDS-KeyCredentialLink

An Active Directory attribute that stores and links raw cryptographic data for password-less authentication to a user or computer object.

Shadow Credentials

These are credentials that attackers inject into Active Directory (AD) accounts to gain or maintain access to the modified account. They are often associated with adding rogue certificates or keys to a target user’s or computer’s msDS-KeyCredentialLink attribute. This allows them to authenticate as that user even if the password is reset.

Pre-Authentication

The conditions that must be met before a user is allowed to authenticate.

PKINIT (Public Key Cryptography for initial authentication)

In Kerberos authentication, clients must perform “pre-authentication” before the KDC (the Domain Controller in an Active Directory environment) provides them with a Ticket Granting Ticket (TGT), which can subsequently be used to obtain Service Tickets. The reason for pre-authentication is that without it, anyone could obtain a blob encrypted with a key derived from the client’s password and try to crack it offline, as done in the AS-REP Roasting Attack. The client performs pre-authentication by encrypting a timestamp with their credentials to prove to the KDC that they have the credentials for the account. Using a timestamp rather than a static value helps prevent replay attacks.

The symmetric key (secret key) approach, which is the one most widely used and known, uses a symmetric key derived from the client’s password, AKA secret key. If using RC4 encryption, this key would be the NT hash of the client’s password. The KDC has a copy of the client’s secret key and can decrypt the pre-authentication data to authenticate the client. The KDC uses the same key to encrypt a session key sent to the client along with the TGT.

image.png

PKINIT is the less common, asymmetric key (public key) approach. The client has a public-private key pair, and encrypts the pre-authentication data with their private key, and the KDC decrypts it with the client’s public key. The KDC also has a public-private key pair, allowing for the exchange of a session key using one of two methods:

  1. Diffie-Hellman Key Delivery: allows the KDC and the client to securely establish a shared session key that cannot be intercepted by attackers performing passive man-in-the-middle attacks, even if the attacker has the client’s or the KDC’s private key, (almost) providing Perfect Forward Secrecy. I say _almost _because the session key is also stored inside the encrypted part of the TGT, which is encrypted with the secret key of the KRBTGT account.
  2. Public Key Encryption Key Delivery: uses the KDC’s private key and the client’s public key to envelop a session key generated by the KDC.

Traditionally, Public Key Infrastructure (PKI) allows the KDC and the client to exchange their public keys using Digital Certificates signed by an entity that both parties have previously established trust with — the Certificate Authority (CA). This is the Certificate Trust model, which is most commonly used for smartcard authentication.

<aside> ⚠️

If the environment has AD CS and a CA available, the Domain Controller will automatically obtain a certificate by default.

</aside>

If we don’t have any PKI inside our Active Directory environment… No problem! Key Trust!