RedTeamPentesting has unveiled a new tool, keycred, which offers a robust solution for managing KeyCredentialLinks in Active Directory (AD) environments.
This command-line interface (CLI) tool and library implements the KeyCredentialLink structures as defined in section 2.2.20 of the Microsoft Active Directory Technical Specification (MS-ADTS).
It also allows for practical deviations from the specification, making it a valuable resource for penetration testers and system administrators.
Key Features of keycred
The keycred tool manipulates the msDS-KeyCredentialLink LDAP attribute, enabling users to register, list, and manage KeyCredentialLinks. Its standout features include:
- Authentication Mechanisms: Supports Kerberos (via password, NT hash, AES key, CCache, and PKINIT), mTLS, NTLM (password or NT hash), and SimpleBind authentication methods.
- UnPAC-the-Hash: Retrieves a user's NT hash by authenticating with PKINIT and extracting it from the PAC_CREDENTIAL_INFO buffer the KDC returns, which is what makes a planted certificate immediately useful as a credential.
- Cross-Platform Compatibility: Available as a single binary compatible across multiple operating systems.
- Certificate Integration: Allows certificates with otherName SAN extensions to be used without specifying usernames or domains.
- Backup and Restore Capabilities: Facilitates backup and restoration of KeyCredentialLinks, particularly useful when modifying computer account attributes.
- Strict Compliance: Generates KeyCredentialLinks that satisfy the validated-write checks domain controllers apply to the msDS-KeyCredentialLink attribute, so writes are not rejected on structural grounds.
The CLI offers a range of commands for KeyCredentialLink management:
- Add: Creates certificates/keys and registers them in LDAP.
- List: Displays KeyCredentialLinks for specific users or all users.
- Remove/Clear: Deletes individual or all KeyCredentialLinks for a user.
- Backup/Restore: Safeguards existing KeyCredentialLinks and reinstates them when necessary.
- Authentication Tools: Includes commands like auth to retrieve NT hashes via PKINIT and burn to clear KeyCredentialLinks after obtaining credentials.
Additionally, the project includes pfxtool, a utility for handling PFX files. Users can seamlessly create, split, encrypt, decrypt, and inspect PFX files.
By manipulating the msDS-KeyCredentialLink attribute, penetration testers can simulate the Shadow Credentials technique. This appends an alternate credential (a certificate and its public key) to a target account's attribute; an attacker who holds write access to that attribute on the target (for example through GenericWrite or GenericAll) can then authenticate as the account via PKINIT, provided a domain controller with a certificate that supports PKINIT is present.
For instance, attackers can use keycred or similar utilities (e.g., pyWhisker) to add a KeyCredential to an account whose attribute they can write. Once added, the credential can be used for privilege escalation or lateral movement within the domain, and the attribute remains populated until someone removes it, so it also acts as a persistence mechanism.
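To make the attribute being discussed concrete, the following is an added example (written for this page, not code from keycred or pyWhisker) that builds, parses and integrity-checks a version-2 KEYCREDENTIALLINK_BLOB in the entry layout MS-ADTS section 2.2.20 describes, and wraps it in the DN-Binary syntax in which LDAP returns the attribute. It assumes the entry identifiers listed in the spec (KeyID 0x01, KeyHash 0x02, KeyMaterial 0x03, and so on), that for version 2 the KeyID is the SHA-256 of the KeyMaterial value and the KeyHash is the SHA-256 of every entry that follows it, and it uses constructed bytes in place of a real BCRYPT_RSAKEY_BLOB. The verify routine is the kind of check a responder can run over values pulled from AD: a value that fails it was not written by Windows or a spec-compliant tool, and a value that passes still deserves a look at its DeviceId and creation time.

```python
"""Build, parse and verify msDS-KeyCredentialLink values (MS-ADTS 2.2.20).

Added example for illustration; not part of keycred. Key material is
constructed filler, not a real BCRYPT_RSAKEY_BLOB.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timezone

KEYCREDENTIALLINK_VERSION = 0x00000200  # version 2

# KEYCREDENTIALLINK_ENTRY identifiers from MS-ADTS 2.2.20.3
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE, DEVICE_ID = 1, 2, 3, 4, 5, 6
CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 7, 8, 9
KEY_USAGE_NGC = 0x01   # Next Generation Credential (Windows Hello for Business)
KEY_SOURCE_AD = 0x00   # key registered in Active Directory

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, little-endian u64."""
    delta = dt - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def entry(identifier, value):
    """One entry: u16 value length, u8 identifier, then the value bytes."""
    return struct.pack("<HB", len(value), identifier) + value


def build_blob(key_material, device_id, created):
    """Assemble a version-2 blob; KeyID and KeyHash are derived as in the spec."""
    tail = (entry(KEY_MATERIAL, key_material)
            + entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
            + entry(DEVICE_ID, device_id.bytes_le)
            + entry(CUSTOM_KEY_INFO, bytes([1, 0]))      # short form: version 1, flags 0
            + entry(LAST_LOGON, to_filetime(created))
            + entry(CREATION_TIME, to_filetime(created)))
    key_id = hashlib.sha256(key_material).digest()       # v2 KeyID = SHA256(KeyMaterial)
    key_hash = hashlib.sha256(tail).digest()             # KeyHash = SHA256(entries after it)
    return (struct.pack("<I", KEYCREDENTIALLINK_VERSION)
            + entry(KEY_ID, key_id) + entry(KEY_HASH, key_hash) + tail)


def parse_blob(blob):
    """Walk the entries; return (version, [(identifier, value), ...])."""
    version, = struct.unpack_from("<I", blob, 0)
    entries, pos = [], 4
    while pos < len(blob):
        length, identifier = struct.unpack_from("<HB", blob, pos)
        pos += 3
        entries.append((identifier, blob[pos:pos + length]))
        pos += length
    if pos != len(blob):
        raise ValueError("truncated entry")
    return version, entries


def verify_blob(blob):
    """Recompute KeyID and KeyHash from the parsed entries; return (ok, reason)."""
    version, entries = parse_blob(blob)
    if version != KEYCREDENTIALLINK_VERSION:
        return False, f"unexpected version {version:#x}"
    if [i for i, _ in entries[:2]] != [KEY_ID, KEY_HASH]:
        return False, "KeyID/KeyHash must lead the blob"
    values = dict(entries)
    if KEY_MATERIAL not in values:
        return False, "no KeyMaterial"
    if values[KEY_ID] != hashlib.sha256(values[KEY_MATERIAL]).digest():
        return False, "KeyID mismatch"
    # KeyHash covers the raw bytes of every entry after the KeyHash entry
    tail = b"".join(entry(i, v) for i, v in entries[2:])
    if values[KEY_HASH] != hashlib.sha256(tail).digest():
        return False, "KeyHash mismatch"
    return True, "ok"


def to_dn_binary(blob, owner_dn):
    """LDAP Object(DN-Binary) syntax: B:<hex char count>:<hex>:<DN>."""
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{owner_dn}"


def from_dn_binary(value):
    """Inverse of to_dn_binary; rejects a count that disagrees with the data."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def sample_blob():
    """Constructed input: 64 bytes of filler key material, fixed GUID and time."""
    fake_key_material = bytes(range(64))  # stands in for a BCRYPT_RSAKEY_BLOB
    return build_blob(fake_key_material,
                      uuid.UUID("00000000-0000-0000-0000-000000000001"),
                      datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    dn_value = to_dn_binary(sample_blob(), "CN=WS01,CN=Computers,DC=example,DC=com")
    blob, owner = from_dn_binary(dn_value)
    for ident, val in parse_blob(blob)[1]:
        print(f"entry {ident:#04x}: {val.hex()}")
    print(owner, verify_blob(blob))
```

The integrity check matters both ways: a responder exporting the attribute with ldapsearch or Get-ADObject can flag values that do not verify, and an operator writing the attribute with only a validated-write right can expect the DC to reject a blob whose KeyID or KeyHash are wrong.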
While tools like pyWhisker have long been available for manipulating msDS-KeyCredentialLink, keycred distinguishes itself with its broader feature set and strict adherence to the MS-ADTS structure. It also simplifies cross-platform usage by shipping as a single binary.
Moreover, the bundled pfxtool makes it easier to use the tool in scenarios that require certificate-based authentication. Handling certificates and PFX files directly within the toolset removes the dependency on external utilities like OpenSSL or certutil.
Typical use cases:
- Penetration Testing: Simulating attacks on AD environments to identify exploitable write access to msDS-KeyCredentialLink.
- Incident Response: Investigating unauthorized modifications to msDS-KeyCredentialLink attributes.
- System Administration: Managing legitimate KeyCredentials while keeping the attribute values compliant with the AD specification.
The release of keycred gives Active Directory pentesters and administrators a single, specification-aligned tool for working with KeyCredentialLinks. It serves red teams directly and gives blue teams a way to understand, reproduce, and clean up the Shadow Credentials technique.
As organizations continue to rely on AD for identity management, tools like keycred will have a place in both offensive and defensive workflows.