Added Shadow Credentials Module

[SoftAndoWetto]

Description

Adds a new LDAP module shadow-creds that automates the Shadow Credentials attack against Active Directory targets.

The module writes a key credential to the target account's msDS-KeyCredentialLink attribute via LDAP, then exports a PFX certificate for use with certipy-ad to perform PKINIT authentication and retrieve an NT hash.

Key features:

• Auto-generates a random 24-character PFX password if one is not supplied
• Hybrid PFX path resolution (exact path + glob fallback) to handle pywhisker suffix behaviour
• Thin logger adapter routing pywhisker output through nxc's logger, with access-denied and user-not-found signals surfaced cleanly
• Patches impacket's LDAPConnection.__init__ to drop the unsupported signing kwarg present in newer builds

Dependencies:

• pywhisker (pip: pywhisker)
• impacket

AI assistance: Initial module structure and logger adapter were drafted with assistance from Claude (Anthropic). All logic was reviewed, tested, and modified manually..

---

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc) — requires pywhisker
• This PR was created with the assistance of AI — Claude (Anthropic), used for initial scaffolding and comment style. Logic reviewed and tested manually.

---

Setup guide for the review

Local environment:

• OS: Kali Linux (rolling)
• Python: 3.11
• NetExec installed via pipx / dev clone

Target:

• Windows Server 2019 (Build 17763)
• Domain: enclave.local
• DC IP: tested against a local lab DC

Dependencies to install:

pip install pywhisker

To test the full module:

nxc ldap <dc_ip> -u <user> -p <pass> -M shadow-creds -o TARGET=<samaccountname>

# Authenticate with the resulting PFX
certipy-ad auth -pfx /tmp/nxc_shadow/<target>.pfx -password <auto-generated>

Note: The attacking account requires GenericWrite or GenericAll over the target, or explicit write access to msDS-KeyCredentialLink. The DC must support PKINIT (i.e. have a CA or support Windows Hello for Business key trust).

---

Screenshots

Success:

Output:

Fail:

Invalid Permissions:

Invalid Name:

---

Checklist

• I have ran Ruff against my changes (poetry run ruff check .)
• I have added or updated the tests/e2e_commands.txt file if necessary
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects - pywhisker: https://github.com/ShutdownRepo/pywhisker
• I have linked relevant sources that describe the added technique:
  • https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
  • https://github.com/ShutdownRepo/pywhisker
  • https://github.com/ly4k/Certipy
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[SoftAndoWetto]

I also have a module for performing Unpac-The-Hash off of this that I am looking at add after this and am looking to create an additional third module replicating the ShadowSpray tool (Link: https://github.com/Dec0ne/ShadowSpray/) but am unsure if this is something you would want in NetExec

[NeffIsBack]

Thanks for the PR, but unfortunately this is duplicate to #936

[NeffIsBack]

I also have a module for performing Unpac-The-Hash off of this that I am looking at add after this and am looking to create an additional third module replicating the ShadowSpray tool (Link: https://github.com/Dec0ne/ShadowSpray/) but am unsure if this is something you would want in NetExec

Definitely looks interesting, although I would need to take a closer look at that to be able to properly say something about it. At the end, isn't at least ShadowSpray covered when we have a ShadowCredentials module?

[SoftAndoWetto]

I also have a module for performing Unpac-The-Hash off of this that I am looking at add after this and am looking to create an additional third module replicating the ShadowSpray tool (Link: https://github.com/Dec0ne/ShadowSpray/) but am unsure if this is something you would want in NetExec

Definitely looks interesting, although I would need to take a closer look at that to be able to properly say something about it. At the end, isn't at least ShadowSpray covered when we have a ShadowCredentials module?

ShadowSpray works by taking 1 input account and recursively adding shadow credentials to all possible accounts and authenticating with those discovered accounts and continuing the spray
"
Login to the domain with the supplied credentials (Or use the current session).
Check that the domain functional level is 2016 (Otherwise stop since the Shadow Credentials attack won't work)
Gather a list of all the objects in the domain (users and computers) from LDAP.
For every object in the list do the following:
Try to add KeyCredential to the object's "msDS-KeyCredentialLink" attribute.
If the above is successful, use PKINIT to request a TGT using the added KeyCredential.
If the above is successful, perform an UnPACTheHash attack to reveal the user/computer NT hash.
If --RestoreShadowCred was specified: Remove the added KeyCredential (clean up after yourself...)
If --Recursive was specified: Do the same process using each of the user/computer accounts we successfully owned.
"

[SoftAndoWetto]

Thanks for the PR, but unfortunately this is duplicate to #936

Apologies I didn't see this module in the latest version and didn't know it had been made. Also if needed aspects of my code can be added to the module that will come in the update as well that's completely fine

[NeffIsBack]

Thanks for the PR, but unfortunately this is duplicate to #936

Apologies I didn't see this module in the latest version and didn't know it had been made. Also if needed aspects of my code can be added to the module that will come in the update as well that's completely fine

No worries :) I think we just add the module and then we can see if we can do any useful additions from your code (e.g. supplying a list of users that we can add the keys).

Regarding Unpac-the-hash, there is already pfx auth that pretty much does this, so I don't think there is much added value if we add a second module.