EN
ENNA

Whisker

MIT

๐Ÿ”ฅ Offensive Ops ยท C#

Whisker is a C# tool for performing the Shadow Credentials attack against Active Directory. The attack exploits the msDS-KeyCredentialLink attribute introduced for Windows Hello for Business, which allows certificate-based authentication via Kerberos PKINIT. By adding a rogue Key Credential entry to a target user or computer's msDS-KeyCredentialLink attribute (which requires write access to the attribute), an attacker can then authenticate as that principal using the corresponding private key, without knowing or changing their password. This is stealthier than traditional credential attacks because it doesn't modify the password or trigger password change events. Whisker generates the key pair, adds the Key Credential to the target, and can be combined with Rubeus to request TGTs using the shadow credential. It's particularly effective when you have GenericWrite or GenericAll permissions over user or computer objects.

935stars
121forks
3issues
Updated 1y ago
View on GitHub

Installation

from source

$ git clone https://github.com/eladshamir/Whisker && cd Whisker && dotnet build

Use Cases

  • Adding shadow credentials to AD objects for stealthy Kerberos authentication
  • Persisting access without modifying passwords or triggering change events
  • Lateral movement via Key Credential abuse when GenericWrite is available
  • Testing Active Directory environments for shadow credential attack exposure
  • Combining with Rubeus for certificate-based TGT requests after credential injection

Tags

shadow-credentialsactive-directorykerberospkinitpersistencelateral-movement

Details

Category
๐Ÿ”ฅ Offensive Ops
Language
C#
License
MIT
Platforms
๐ŸชŸwindows

Links

GitHub Repository

github.com/eladshamir/Whisker

Releases

github.com/eladshamir/Whisker/releases

Issues

github.com/eladshamir/Whisker/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Impacket

Python

Collection of Python classes for working with network protocols. Essential for Windows/AD pentesting.

Compare Whisker vs Impacket

Rubeus

C#

C# toolset for raw Kerberos interaction and abuse. AS-REP roasting, Kerberoasting, ticket manipulation, delegation attacks.

Compare Whisker vs Rubeus

Certipy

Python

Active Directory Certificate Services (AD CS) abuse tool. Find and exploit certificate template misconfigurations.

Compare Whisker vs Certipy

PetitPotam

Python

NTLM relay coercion tool. Forces Windows machines to authenticate via MS-EFSRPC, enabling relay attacks for domain compromise.

Compare Whisker vs PetitPotam

More in Offensive Ops

Mythic

Go

Collaborative, multi-platform C2 framework. Docker-based with web UI, multiple agent types, and plugin architecture.

c2red-teammulti-operator

Havoc

C/C++

Modern C2 framework. Qt-based GUI, BOF support, custom agents, and a Cobalt Strike-inspired workflow.

c2red-teamgui

Rubeus

C#

C# toolset for raw Kerberos interaction and abuse. AS-REP roasting, Kerberoasting, ticket manipulation, delegation attacks.

kerberosactive-directoryroasting

Certipy

Python

Active Directory Certificate Services (AD CS) abuse tool. Find and exploit certificate template misconfigurations.

active-directorycertificatesadcs

Coercer

Python

Automatically find and exploit Windows authentication coercion vulnerabilities. PetitPotam, PrinterBug, and more.

authentication-coercionntlm-relaypetitpotam

SharpHound

C#

Official BloodHound data collector. Enumerates Active Directory objects, sessions, ACLs, and trusts for graph analysis.

active-directoryenumerationbloodhound