https://github.com/p0dalirius/accountshadowtakeover
A python script to automatically add a KeyCredentialLink to newly created users, by quickly connecting to them with default credentials.
https://github.com/p0dalirius/accountshadowtakeover
account credentials shadow takeover user
Last synced: 15 days ago
JSON representation
A python script to automatically add a KeyCredentialLink to newly created users, by quickly connecting to them with default credentials.
- Host: GitHub
- URL: https://github.com/p0dalirius/accountshadowtakeover
- Owner: p0dalirius
- Created: 2021-10-18T17:11:25.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-03-17T07:40:25.000Z (over 1 year ago)
- Last Synced: 2025-06-27T07:46:52.372Z (4 months ago)
- Topics: account, credentials, shadow, takeover, user
- Language: Python
- Homepage: https://podalirius.net/
- Size: 29.3 KB
- Stars: 22
- Watchers: 2
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
Awesome Lists containing this project
README
A python script to automatically add a KeyCredentialLink to newly created users, by quickly connecting to them with default credentials.
> [!WARNING]
> The idea is fun, but does not work for now. It will maybe work one day when a new technique to allow a user to write its own `msDS-KeyCredentialLink` attribute is found.
## Features
- [x] Automatically add a `msDS-KeyCredentialLink` to newly created users using default password.
## Workflow
Requirements :
- Knowledge of the default password attrributed to new users in the domain.
- PKINIT ?
1. Wait for a new User account to be created
2. Connect with the default password
3. Add `msDS-KeyCredentialLink` field to the account
4. Goto 1
```
[+]======================================================
[+] AccountShadowTakeover v1.0 @podalirius_
[+]======================================================
[>] Waiting for new user creations ...
[+] User 'CN=takeuser20,CN=Users,DC=LAB,DC=local' was added.
[>] Trying to add shadow credentials to 'takeuser20'
| Trying to authenticate with user 'LAB.local\takeuser20' and password 'Corp2021!'
| Authentication successful!
| Generating certificate
| Certificate generated
| Generating KeyCredential
| KeyCredential generated with DeviceID: cdb617df-94cc-2319-cc4e-999001fbd978
| Updating the msDS-KeyCredentialLink attribute of takeuser20
{'result': 50, 'description': 'insufficientAccessRights', 'dn': '', 'message': '00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'}
```