Skip to content

Add Shadow credentials module !#936

Open
qu35t-code wants to merge 8 commits intoPennyw0rth:mainfrom
qu35t-code:shadow_creds
Open

Add Shadow credentials module !#936
qu35t-code wants to merge 8 commits intoPennyw0rth:mainfrom
qu35t-code:shadow_creds

Conversation

@qu35t-code
Copy link
Copy Markdown

@qu35t-code qu35t-code commented Sep 26, 2025

Description

This PR introduces the shadow-creds module, which leverages modification of the LDAP attribute msDS-CredentialLink on a target user in order to retrieve its authentication PFX certificate.
The module is based on pywhisker by ShutdownRepo (Aka Charlie le king) and comes with options for customizing the PFX password and output directory.

Options

6

Common errors (examples)

  • TARGET is required
2
  • No permissions to modify msDS-KeyCredentialLink on the target (INSUFF_ACCESS_RIGHTS)
1
  • Invalid account in LDAP
5

Valid examples

  • With valid permissions
3
  • Authentication with exported PFX works
4
  • NT_HASH authentication supported
10
  • Custom PFX password
7 8
  • Custom Outdir
9

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a new third party (pywhisker)

Setup guide for the review

  • MacOS
  • Linux

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (WIP...)

@NeffIsBack
Copy link
Copy Markdown
Member

NeffIsBack commented Sep 28, 2025

Thanks for the PR! Looks cool.

@qu35t-code
Copy link
Copy Markdown
Author

qu35t-code commented Dec 2, 2025

Hello, any updates ?

@NeffIsBack
Copy link
Copy Markdown
Member

NeffIsBack commented Dec 31, 2025

Hi, i think the best is we wait for fortra/impacket#2097 to be merged and implement the cryptography in the module itself and then use impackets ldap for modification of the attribute

@NeffIsBack NeffIsBack mentioned this pull request Jan 20, 2026
Merged
@azoxlpf
Copy link
Copy Markdown
Contributor

azoxlpf commented Feb 5, 2026

Hi @qu35t-code, the PR mentioned just above has just been merged so we can now use it in the module without having to import new libraries

@NeffIsBack
Copy link
Copy Markdown
Member

NeffIsBack commented Mar 17, 2026

@qu35t-code any updates on this?

@NeffIsBack NeffIsBack added this to the v1.6.0 milestone Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

@NeffIsBack NeffIsBack Awaiting requested review from NeffIsBack NeffIsBack is a code owner

@mpgn mpgn Awaiting requested review from mpgn mpgn is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

new module waiting for response

Projects

None yet

Milestone

v1.6.0

Development

Successfully merging this pull request may close these issues.

3 participants

@qu35t-code @NeffIsBack @azoxlpf