We Will Explain and Abuse Shadow Credentials

What is PKINIT?

In Kerberos authentication the client must perform pre-authentication before the KDC will hand it anything encrypted with the account's key. Without pre-auth, anyone can request an AS-REP for a user and crack the encrypted part offline to recover the password.

To prove it knows the password, the client encrypts the current timestamp with the key derived from its credential (PA-ENC-TIMESTAMP). That is what prevents the AS-REP roasting attack: the KDC refuses to issue the AS-REP until the pre-auth data decrypts correctly.


Now let’s see how the authentication works

  1. Client —> AS-REQ carrying pre-auth data: the current timestamp encrypted with the key derived from the client's password

  2. KDC Server —> decrypts it with the account's key and validates that the timestamp is within the allowed clock skew

  3. KDC Server —> sends the AS-REP to the client with the TGT (plus a session key encrypted with the client's key)
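Here is a small Python model of the PA-ENC-TIMESTAMP exchange above, added as an example; it is not code from the original post. It is constructed for illustration: the string-to-key step follows the PBKDF2-over-REALM+username idea of the Kerberos AES enctypes but skips the final DK() derivation, and a throwaway HMAC-based cipher stands in for AES-CTS. The realm CORP.LOCAL, the accounts alice and svc-legacy, their passwords and the wordlist are all made up. It also goes one step past the text: it shows what happens for an account with pre-auth disabled (the DONT_REQ_PREAUTH flag), where an attacker gets the AS-REP for free and cracks its encrypted part offline.

```python
import hashlib
import hmac
import os
import time

REALM = "CORP.LOCAL"   # made-up realm for the demo
MAX_SKEW = 300         # seconds; the usual Kerberos clock-skew tolerance


def string_to_key(password, username, realm=REALM):
    """Derive the account's long-term key from its password.

    Kerberos AES enctypes run PBKDF2-HMAC-SHA1 over salt = REALM + username
    (4096 iterations) and then a DK() step; this toy stops after PBKDF2.
    """
    salt = (realm + username).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy authenticated encryption standing in for AES-CTS + HMAC-SHA1-96.
    Layout: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Check the tag, then decrypt. A wrong key raises ValueError: this is exactly
    the oracle an offline cracker uses to recognise the right password."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_preauth(key, now):
    """PA-ENC-TIMESTAMP: prove knowledge of the key by encrypting the current time."""
    return encrypt(key, str(now).encode())


class Kdc:
    def __init__(self):
        self.krbtgt_key = os.urandom(32)
        self.accounts = {}  # username -> (long-term key, pre-auth required?)

    def add_account(self, username, password, preauth_required=True):
        # preauth_required=False models the DONT_REQ_PREAUTH UAC flag
        self.accounts[username] = (string_to_key(password, username), preauth_required)

    def as_req(self, username, pa_data=None, now=None):
        now = int(time.time()) if now is None else now
        key, preauth_required = self.accounts[username]
        if pa_data is None:
            if preauth_required:
                return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
        else:
            try:
                ts = int(decrypt(key, pa_data))
            except ValueError:
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
            if abs(now - ts) > MAX_SKEW:
                return {"error": "KRB_AP_ERR_SKEW"}
        # AS-REP: TGT sealed under the krbtgt key, session key under the client's key.
        session_key = os.urandom(32)
        return {
            "tgt": encrypt(self.krbtgt_key, username.encode() + b"|" + session_key),
            "enc_part": encrypt(key, session_key),
        }


def asrep_roast(enc_part, username, wordlist):
    """Offline attack on the AS-REP of an account with pre-auth disabled: try
    passwords until one derives a key whose integrity check passes."""
    for candidate in wordlist:
        try:
            decrypt(string_to_key(candidate, username), enc_part)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    kdc = Kdc()
    kdc.add_account("alice", "correct horse battery staple")
    kdc.add_account("svc-legacy", "Winter2023!", preauth_required=False)
    now = int(time.time())
    print("alice, no pre-auth :", kdc.as_req("alice"))
    alice_key = string_to_key("correct horse battery staple", "alice")
    print("alice, pre-auth    :", sorted(kdc.as_req("alice", client_preauth(alice_key, now))))
    rep = kdc.as_req("svc-legacy")   # no pre-auth required, so no key is needed to get this
    print("svc-legacy cracked :", asrep_roast(rep["enc_part"], "svc-legacy",
                                              ["Summer2023!", "Winter2023!", "Password1"]))
```

The point to notice is where the attacker's oracle lives: for alice the KDC never returns anything encrypted under her key until the timestamp decrypts, so there is nothing to crack; for svc-legacy the enc_part arrives on request and the integrity tag tells the cracker when a guessed password is right. The skew check is what stops a captured pre-auth blob from being replayed later.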


Now let's look at PKINIT, where the client proves its identity with a certificate and private key instead of a password.


How it works

  1. Client —> AS-REQ with pre-auth data (the timestamp and a nonce) signed with its private key, and its certificate attached

  2. KDC Server —> validates the client certificate: it must chain to a CA the domain trusts and map to the account requesting the ticket

  3. KDC Server —> verifies the signature with the public key from the certificate and checks the timestamp

  4. KDC Server —> sends the AS-REP to the client with the TGT; the reply key is protected with the client's public key (or a Diffie-Hellman exchange), so only the holder of the private key can use it
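The same exchange with PKINIT, again as an added example that is not part of the original post. Textbook RSA on fixed Mersenne primes stands in for X.509 and CMS so the block runs with only the standard library; the CA, the accounts alice and bob, the subject names and the message layout are invented, while the error names mirror real Kerberos error codes. Besides the happy path it shows the three rejections the KDC's checks produce: a certificate not issued by the trusted CA, a trusted certificate that belongs to a different account, and a genuine certificate presented with the wrong private key.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 300  # seconds of clock skew the KDC tolerates

# Fixed Mersenne primes keep the run reproducible; far too small for real keys.
CA_PRIMES = (2**61 - 1, 2**89 - 1)
CLIENT_PRIMES = (2**107 - 1, 2**127 - 1)
ATTACKER_PRIMES = (2**31 - 1, 2**19 - 1)


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class RsaKey:
    """Textbook RSA with no padding: only here to make sign/verify/encrypt concrete."""
    E = 65537

    def __init__(self, p, q):
        self.n = p * q
        self.d = pow(self.E, -1, (p - 1) * (q - 1))

    def sign(self, data):
        return pow(digest_int(data) % self.n, self.d, self.n)

    def decrypt(self, c):
        return pow(c, self.d, self.n)


def rsa_verify(n, data, sig):
    return pow(sig, RsaKey.E, n) == digest_int(data) % n


def rsa_encrypt(n, m):
    return pow(m, RsaKey.E, n)


def cert_tbs(subject, public_n):
    """The to-be-signed body of a toy certificate: subject plus public key."""
    return f"subject={subject};n={public_n}".encode()


def issue_cert(issuer_key, subject, public_n):
    return {"subject": subject, "n": public_n, "sig": issuer_key.sign(cert_tbs(subject, public_n))}


def client_pkinit_request(username, cert, key, now):
    """PA-PK-AS-REQ: sign the AuthPack (timestamp + nonce) with the private key and
    attach the certificate so the KDC can find the matching public key."""
    auth_pack = f"cname={username};pa-timestamp={now};nonce={os.urandom(8).hex()}".encode()
    return {"cname": username, "cert": cert, "auth_pack": auth_pack, "sig": key.sign(auth_pack)}


def seal_tgt(krbtgt_key, cname, reply_key):
    """Opaque token standing in for the TGT (really an EncTicketPart under the krbtgt key)."""
    return hmac.new(krbtgt_key, cname.encode() + reply_key.to_bytes(16, "big"), "sha256").hexdigest()


class Kdc:
    def __init__(self, ca_public_n):
        self.ca_n = ca_public_n        # the one CA this KDC trusts
        self.accounts = {}             # username -> certificate subject it will accept
        self.krbtgt_key = os.urandom(32)

    def add_account(self, username, cert_subject):
        self.accounts[username] = cert_subject

    def as_req_pkinit(self, req, now=None):
        now = int(time.time()) if now is None else now
        cert = req["cert"]
        # 1. Certificate must be issued by the trusted CA.
        if not rsa_verify(self.ca_n, cert_tbs(cert["subject"], cert["n"]), cert["sig"]):
            return {"error": "KDC_ERR_CLIENT_NOT_TRUSTED"}
        # 2. Certificate must map to the account named in the request.
        if self.accounts.get(req["cname"]) != cert["subject"]:
            return {"error": "KDC_ERR_CLIENT_NAME_MISMATCH"}
        # 3. AuthPack signature must verify under the certificate's public key.
        if not rsa_verify(cert["n"], req["auth_pack"], req["sig"]):
            return {"error": "KDC_ERR_INVALID_SIG"}
        # 4. Signed timestamp must be fresh.
        fields = dict(f.split("=", 1) for f in req["auth_pack"].decode().split(";"))
        if abs(now - int(fields["pa-timestamp"])) > MAX_SKEW:
            return {"error": "KRB_AP_ERR_SKEW"}
        # AS-REP: the reply key goes out encrypted to the client's public key, so only
        # the private-key holder can recover it and read the rest of the reply.
        reply_key = int.from_bytes(os.urandom(16), "big")
        return {"tgt": seal_tgt(self.krbtgt_key, req["cname"], reply_key),
                "enc_reply_key": rsa_encrypt(cert["n"], reply_key)}


if __name__ == "__main__":
    ca, alice_key, mallory_key = RsaKey(*CA_PRIMES), RsaKey(*CLIENT_PRIMES), RsaKey(*ATTACKER_PRIMES)
    alice_cert = issue_cert(ca, "alice@corp.local", alice_key.n)
    kdc = Kdc(ca.n)
    kdc.add_account("alice", "alice@corp.local")
    now = int(time.time())
    rep = kdc.as_req_pkinit(client_pkinit_request("alice", alice_cert, alice_key, now), now)
    print("alice:", sorted(rep))
    forged = issue_cert(mallory_key, "alice@corp.local", mallory_key.n)  # self-issued, not from the CA
    print("forged cert:", kdc.as_req_pkinit(client_pkinit_request("alice", forged, mallory_key, now), now))
    print("stolen cert, wrong key:",
          kdc.as_req_pkinit(client_pkinit_request("alice", alice_cert, mallory_key, now), now))
```

Step 2 is the one this whole post hinges on: the KDC has to decide which certificates, and therefore which public keys, are allowed to authenticate as a given account. In this toy the only way in is a certificate from the trusted CA whose subject matches the account.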


No PKI No Problem