<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Shadow-Credentials on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</title><link>https://hackita.it/tags/shadow-credentials/</link><description>Recent content in Shadow-Credentials on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</description><generator>Hugo</generator><language>it</language><lastBuildDate>Sun, 12 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hackita.it/tags/shadow-credentials/index.xml" rel="self" type="application/rss+xml"/><item><title>Shadow Credentials AD: PrivEsc msDS-KeyCredentialLink</title><link>https://hackita.it/articoli/shadow-credentials/</link><pubDate>Sun, 12 Jul 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/shadow-credentials/</guid><description>&lt;h1
 id="shadow-credentials-account-takeover-senza-toccare-la-password" class="group/anchor-heading"&gt;
 Shadow Credentials: Account Takeover Senza Toccare la Password
 &lt;a href="#shadow-credentials-account-takeover-senza-toccare-la-password" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;p&gt;Hai &lt;code&gt;GenericWrite&lt;/code&gt; o &lt;code&gt;GenericAll&lt;/code&gt; su un account AD (utente o computer). Con Shadow Credentials aggiungi una tua chiave pubblica al suo attributo &lt;code&gt;msDS-KeyCredentialLink&lt;/code&gt;, ti autentichi via PKINIT e ottieni TGT + NT hash dell&amp;rsquo;account — senza toccare la password, senza SPN. Tecnica MITRE ATT&amp;amp;CK &lt;a href="https://attack.mitre.org/techniques/T1556/006/"&gt;T1556.006&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a
 href="data:image/svg&amp;#43;xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgOTAwIDI2MCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHJlY3Qgd2lkdGg9IjkwMCIgaGVpZ2h0PSIyNjAiIGZpbGw9IiNmZmZmZmYiLz4KPHN0eWxlPgouYm94e2ZpbGw6IzExMTExMTtzdHJva2U6IzExMTExMTt9Ci5ib3hyZWR7ZmlsbDojZGMyNjI2O3N0cm9rZTojZGMyNjI2O30KLnR7Zm9udC1mYW1pbHk6bW9ub3NwYWNlO2ZvbnQtc2l6ZToxNHB4O2ZpbGw6I2ZmZmZmZjt0ZXh0LWFuY2hvcjptaWRkbGU7fQoubGJse2ZvbnQtZmFtaWx5Om1vbm9zcGFjZTtmb250LXNpemU6MTJweDtmaWxsOiMxMTExMTE7dGV4dC1hbmNob3I6bWlkZGxlO30KLmFycm93e3N0cm9rZTojMTExMTExO3N0cm9rZS13aWR0aDoyO21hcmtlci1lbmQ6dXJsKCNhcnJvdyk7fQo8L3N0eWxlPgo8ZGVmcz4KPG1hcmtlciBpZD0iYXJyb3ciIG1hcmtlcldpZHRoPSIxMCIgbWFya2VySGVpZ2h0PSIxMCIgcmVmWD0iOCIgcmVmWT0iMyIgb3JpZW50PSJhdXRvIiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiPgo8cGF0aCBkPSJNMCwwIEwwLDYgTDksMyB6IiBmaWxsPSIjMTExMTExIi8&amp;#43;CjwvbWFya2VyPgo8L2RlZnM&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iNDAiIHdpZHRoPSIxNjAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjEwMCIgeT0iNzAiIGNsYXNzPSJ0Ij5HZW5lcmljV3JpdGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMjAiIHk9IjQwIiB3aWR0aD0iMjAwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSIzMjAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;QWRkIGtleSBjcmVkZW50aWFsPC90ZXh0Pgo8dGV4dCB4PSIzMjAiIHk9Ijc4IiBjbGFzcz0idCI&amp;#43;bXNEUy1LZXlDcmVkZW50aWFsTGluazwvdGV4dD4KCjxyZWN0IHg9IjQ2MCIgeT0iNDAiIHdpZHRoPSIxODAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjU1MCIgeT0iNjAiIGNsYXNzPSJ0Ij5QS0lOSVQgYXV0aDwvdGV4dD4KPHRleHQgeD0iNTUwIiB5PSI3OCIgY2xhc3M9InQiPlRHVCArIE5UIGhhc2g8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSI2ODAiIHk9IjQwIiB3aWR0aD0iMTgwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSI3NzAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;UGFzcy10aGUtSGFzaDwvdGV4dD4KPHRleHQgeD0iNzcwIiB5PSI3OCIgY2xhc3M9InQiPi8gRENTeW5jPC90ZXh0PgoKPGxpbmUgeDE9IjE4MCIgeTE9IjY1IiB4Mj0iMjE1IiB5Mj0iNjUiIGNsYXNzPSJhcnJvdyIvPgo8bGluZSB4MT0iNDIwIiB5MT0iNjUiIHgyPSI0NTUiIHkyPSI2NSIgY2xhc3M9ImFycm93Ii8&amp;#43;CjxsaW5lIHgxPSI2NDAiIHkxPSI2NSIgeDI9IjY3NSIgeTI9IjY1IiBjbGFzcz0iYXJyb3ciLz4KCjx0ZXh0IHg9IjQ1MCIgeT0iMTQwIiBjbGFzcz0ibGJsIj5OZXNzdW5hIG1vZGlmaWNhIHBhc3N3b3JkIMK3IG5lc3N1biBTUE4gcmVnaXN0cmF0byDCtyBhdHRyaWJ1dG8gcmlwcmlzdGluYWJpbGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iMTcwIiB3aWR0aD0iODYwIiBoZWlnaHQ9IjYwIiByeD0iNCIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjZGMyNjI2IiBzdHJva2Utd2lkdGg9IjIiLz4KPHRleHQgeD0iNDUwIiB5PSIxOTUiIGNsYXNzPSJsYmwiIGZpbGw9IiNkYzI2MjYiPkRldGVjdGlvbjogRXZlbnQgSUQgNTEzNiAoRGlyZWN0b3J5IFNlcnZpY2UgQ2hhbmdlcyk8L3RleHQ&amp;#43;Cjx0ZXh0IHg9IjQ1MCIgeT0iMjE1IiBjbGFzcz0ibGJsIj5yaWNoaWVkZSBhdWRpdGluZyBlc3BsaWNpdG8sIHNwZXNzbyBub24gYXR0aXZvIG5lZ2xpIGFtYmllbnRpIGVudGVycHJpc2U8L3RleHQ&amp;#43;Cjwvc3ZnPgo="
 class="glightbox"
 data-gallery="content"
 data-title="Shadow Credentials attack flow: GenericWrite su msDS-KeyCredentialLink, aggiunta chiave, PKINIT auth, estrazione NT hash, Pass-the-Hash o DCSync"
 data-description="&lt;a href='data:image/svg&amp;#43;xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgOTAwIDI2MCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHJlY3Qgd2lkdGg9IjkwMCIgaGVpZ2h0PSIyNjAiIGZpbGw9IiNmZmZmZmYiLz4KPHN0eWxlPgouYm94e2ZpbGw6IzExMTExMTtzdHJva2U6IzExMTExMTt9Ci5ib3hyZWR7ZmlsbDojZGMyNjI2O3N0cm9rZTojZGMyNjI2O30KLnR7Zm9udC1mYW1pbHk6bW9ub3NwYWNlO2ZvbnQtc2l6ZToxNHB4O2ZpbGw6I2ZmZmZmZjt0ZXh0LWFuY2hvcjptaWRkbGU7fQoubGJse2ZvbnQtZmFtaWx5Om1vbm9zcGFjZTtmb250LXNpemU6MTJweDtmaWxsOiMxMTExMTE7dGV4dC1hbmNob3I6bWlkZGxlO30KLmFycm93e3N0cm9rZTojMTExMTExO3N0cm9rZS13aWR0aDoyO21hcmtlci1lbmQ6dXJsKCNhcnJvdyk7fQo8L3N0eWxlPgo8ZGVmcz4KPG1hcmtlciBpZD0iYXJyb3ciIG1hcmtlcldpZHRoPSIxMCIgbWFya2VySGVpZ2h0PSIxMCIgcmVmWD0iOCIgcmVmWT0iMyIgb3JpZW50PSJhdXRvIiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiPgo8cGF0aCBkPSJNMCwwIEwwLDYgTDksMyB6IiBmaWxsPSIjMTExMTExIi8&amp;#43;CjwvbWFya2VyPgo8L2RlZnM&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iNDAiIHdpZHRoPSIxNjAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjEwMCIgeT0iNzAiIGNsYXNzPSJ0Ij5HZW5lcmljV3JpdGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMjAiIHk9IjQwIiB3aWR0aD0iMjAwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSIzMjAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;QWRkIGtleSBjcmVkZW50aWFsPC90ZXh0Pgo8dGV4dCB4PSIzMjAiIHk9Ijc4IiBjbGFzcz0idCI&amp;#43;bXNEUy1LZXlDcmVkZW50aWFsTGluazwvdGV4dD4KCjxyZWN0IHg9IjQ2MCIgeT0iNDAiIHdpZHRoPSIxODAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjU1MCIgeT0iNjAiIGNsYXNzPSJ0Ij5QS0lOSVQgYXV0aDwvdGV4dD4KPHRleHQgeD0iNTUwIiB5PSI3OCIgY2xhc3M9InQiPlRHVCArIE5UIGhhc2g8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSI2ODAiIHk9IjQwIiB3aWR0aD0iMTgwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSI3NzAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;UGFzcy10aGUtSGFzaDwvdGV4dD4KPHRleHQgeD0iNzcwIiB5PSI3OCIgY2xhc3M9InQiPi8gRENTeW5jPC90ZXh0PgoKPGxpbmUgeDE9IjE4MCIgeTE9IjY1IiB4Mj0iMjE1IiB5Mj0iNjUiIGNsYXNzPSJhcnJvdyIvPgo8bGluZSB4MT0iNDIwIiB5MT0iNjUiIHgyPSI0NTUiIHkyPSI2NSIgY2xhc3M9ImFycm93Ii8&amp;#43;CjxsaW5lIHgxPSI2NDAiIHkxPSI2NSIgeDI9IjY3NSIgeTI9IjY1IiBjbGFzcz0iYXJyb3ciLz4KCjx0ZXh0IHg9IjQ1MCIgeT0iMTQwIiBjbGFzcz0ibGJsIj5OZXNzdW5hIG1vZGlmaWNhIHBhc3N3b3JkIMK3IG5lc3N1biBTUE4gcmVnaXN0cmF0byDCtyBhdHRyaWJ1dG8gcmlwcmlzdGluYWJpbGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iMTcwIiB3aWR0aD0iODYwIiBoZWlnaHQ9IjYwIiByeD0iNCIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjZGMyNjI2IiBzdHJva2Utd2lkdGg9IjIiLz4KPHRleHQgeD0iNDUwIiB5PSIxOTUiIGNsYXNzPSJsYmwiIGZpbGw9IiNkYzI2MjYiPkRldGVjdGlvbjogRXZlbnQgSUQgNTEzNiAoRGlyZWN0b3J5IFNlcnZpY2UgQ2hhbmdlcyk8L3RleHQ&amp;#43;Cjx0ZXh0IHg9IjQ1MCIgeT0iMjE1IiBjbGFzcz0ibGJsIj5yaWNoaWVkZSBhdWRpdGluZyBlc3BsaWNpdG8sIHNwZXNzbyBub24gYXR0aXZvIG5lZ2xpIGFtYmllbnRpIGVudGVycHJpc2U8L3RleHQ&amp;#43;Cjwvc3ZnPgo=' download class='underline underline-offset-4 hover:text-primary transition-colors'&gt;Download Image&lt;/a&gt;"
&gt;
 &lt;img
 src="data:image/svg&amp;#43;xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgOTAwIDI2MCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHJlY3Qgd2lkdGg9IjkwMCIgaGVpZ2h0PSIyNjAiIGZpbGw9IiNmZmZmZmYiLz4KPHN0eWxlPgouYm94e2ZpbGw6IzExMTExMTtzdHJva2U6IzExMTExMTt9Ci5ib3hyZWR7ZmlsbDojZGMyNjI2O3N0cm9rZTojZGMyNjI2O30KLnR7Zm9udC1mYW1pbHk6bW9ub3NwYWNlO2ZvbnQtc2l6ZToxNHB4O2ZpbGw6I2ZmZmZmZjt0ZXh0LWFuY2hvcjptaWRkbGU7fQoubGJse2ZvbnQtZmFtaWx5Om1vbm9zcGFjZTtmb250LXNpemU6MTJweDtmaWxsOiMxMTExMTE7dGV4dC1hbmNob3I6bWlkZGxlO30KLmFycm93e3N0cm9rZTojMTExMTExO3N0cm9rZS13aWR0aDoyO21hcmtlci1lbmQ6dXJsKCNhcnJvdyk7fQo8L3N0eWxlPgo8ZGVmcz4KPG1hcmtlciBpZD0iYXJyb3ciIG1hcmtlcldpZHRoPSIxMCIgbWFya2VySGVpZ2h0PSIxMCIgcmVmWD0iOCIgcmVmWT0iMyIgb3JpZW50PSJhdXRvIiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiPgo8cGF0aCBkPSJNMCwwIEwwLDYgTDksMyB6IiBmaWxsPSIjMTExMTExIi8&amp;#43;CjwvbWFya2VyPgo8L2RlZnM&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iNDAiIHdpZHRoPSIxNjAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjEwMCIgeT0iNzAiIGNsYXNzPSJ0Ij5HZW5lcmljV3JpdGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMjAiIHk9IjQwIiB3aWR0aD0iMjAwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSIzMjAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;QWRkIGtleSBjcmVkZW50aWFsPC90ZXh0Pgo8dGV4dCB4PSIzMjAiIHk9Ijc4IiBjbGFzcz0idCI&amp;#43;bXNEUy1LZXlDcmVkZW50aWFsTGluazwvdGV4dD4KCjxyZWN0IHg9IjQ2MCIgeT0iNDAiIHdpZHRoPSIxODAiIGhlaWdodD0iNTAiIHJ4PSI0IiBjbGFzcz0iYm94Ii8&amp;#43;Cjx0ZXh0IHg9IjU1MCIgeT0iNjAiIGNsYXNzPSJ0Ij5QS0lOSVQgYXV0aDwvdGV4dD4KPHRleHQgeD0iNTUwIiB5PSI3OCIgY2xhc3M9InQiPlRHVCArIE5UIGhhc2g8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSI2ODAiIHk9IjQwIiB3aWR0aD0iMTgwIiBoZWlnaHQ9IjUwIiByeD0iNCIgY2xhc3M9ImJveHJlZCIvPgo8dGV4dCB4PSI3NzAiIHk9IjYwIiBjbGFzcz0idCI&amp;#43;UGFzcy10aGUtSGFzaDwvdGV4dD4KPHRleHQgeD0iNzcwIiB5PSI3OCIgY2xhc3M9InQiPi8gRENTeW5jPC90ZXh0PgoKPGxpbmUgeDE9IjE4MCIgeTE9IjY1IiB4Mj0iMjE1IiB5Mj0iNjUiIGNsYXNzPSJhcnJvdyIvPgo8bGluZSB4MT0iNDIwIiB5MT0iNjUiIHgyPSI0NTUiIHkyPSI2NSIgY2xhc3M9ImFycm93Ii8&amp;#43;CjxsaW5lIHgxPSI2NDAiIHkxPSI2NSIgeDI9IjY3NSIgeTI9IjY1IiBjbGFzcz0iYXJyb3ciLz4KCjx0ZXh0IHg9IjQ1MCIgeT0iMTQwIiBjbGFzcz0ibGJsIj5OZXNzdW5hIG1vZGlmaWNhIHBhc3N3b3JkIMK3IG5lc3N1biBTUE4gcmVnaXN0cmF0byDCtyBhdHRyaWJ1dG8gcmlwcmlzdGluYWJpbGU8L3RleHQ&amp;#43;Cgo8cmVjdCB4PSIyMCIgeT0iMTcwIiB3aWR0aD0iODYwIiBoZWlnaHQ9IjYwIiByeD0iNCIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjZGMyNjI2IiBzdHJva2Utd2lkdGg9IjIiLz4KPHRleHQgeD0iNDUwIiB5PSIxOTUiIGNsYXNzPSJsYmwiIGZpbGw9IiNkYzI2MjYiPkRldGVjdGlvbjogRXZlbnQgSUQgNTEzNiAoRGlyZWN0b3J5IFNlcnZpY2UgQ2hhbmdlcyk8L3RleHQ&amp;#43;Cjx0ZXh0IHg9IjQ1MCIgeT0iMjE1IiBjbGFzcz0ibGJsIj5yaWNoaWVkZSBhdWRpdGluZyBlc3BsaWNpdG8sIHNwZXNzbyBub24gYXR0aXZvIG5lZ2xpIGFtYmllbnRpIGVudGVycHJpc2U8L3RleHQ&amp;#43;Cjwvc3ZnPgo="
 alt="Shadow Credentials attack flow: GenericWrite su msDS-KeyCredentialLink, aggiunta chiave, PKINIT auth, estrazione NT hash, Pass-the-Hash o DCSync"
 loading="lazy"
 decoding="async"
 
 /&gt;
&lt;/a&gt;
&lt;/p&gt;</description></item></channel></rss>