Warning

The idea is fun, but does not work for now. It will maybe work one day when a new technique to allow a user to write its ownmsDS-KeyCredentialLink attribute is found.

Features

Workflow

[+]======================================================[+]    AccountShadowTakeover v1.0        @podalirius_    [+]======================================================[>] Waiting for new user creations ...[+] User 'CN=takeuser20,CN=Users,DC=LAB,DC=local' was added.   [>] Trying to add shadow credentials to 'takeuser20'     | Trying to authenticate with user 'LAB.local\takeuser20' and password 'Corp2021!'     | Authentication successful!     | Generating certificate     | Certificate generated     | Generating KeyCredential     | KeyCredential generated with DeviceID: cdb617df-94cc-2319-cc4e-999001fbd978     | Updating the msDS-KeyCredentialLink attribute of takeuser20{'result': 50, 'description': 'insufficientAccessRights', 'dn': '', 'message': '00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'referrals': None, 'type': 'modifyResponse'}