ShadowSpray by Dec0ne

Credential spraying tool for Active Directory domain compromise

Created 2 years ago
474 stars

Top 64.3% on SourcePulse

Project Summary

ShadowSpray is a post-exploitation tool designed for Active Directory environments to discover and exploit weak DACLs (Discretionary Access Control Lists) by spraying "Shadow Credentials." It requires a domain functional level of 2016 or higher and, on success, yields the NT hashes of the compromised accounts, which can then be used for further lateral movement in the domain.

How It Works

The tool leverages the msDS-KeyCredentialLink attribute in Active Directory. It iterates through domain objects (users and computers), attempting to add a KeyCredential to this attribute. If successful, it uses PKINIT to request a Kerberos Ticket Granting Ticket (TGT) with the newly added credential. Subsequently, it performs an UnPACTheHash attack to extract the NT Hash of the compromised account. The process can be recursive, using newly acquired credentials to find more targets.

Quick Start & Requirements

  • Install/Run: Typically run as a compiled binary (e.g., ShadowSpray.exe).
  • Prerequisites: Windows environment, Active Directory domain (functional level 2016+), domain credentials for initial LDAP authentication.
  • Dependencies: Relies on libraries for LDAP interaction, Kerberos (PKINIT), and UnPACTheHash functionality, likely integrated within the binary.
  • Links: Demo video available via URL in README.

Highlighted Details

  • Exploits GenericWrite/GenericAll DACLs on msDS-KeyCredentialLink.
  • Automates PKINIT and UnPACTheHash for NT Hash extraction.
  • Supports recursive credential spraying and cleanup (--RestoreShadowCred).
  • Can be flagged by AV/EDR due to similarities with other credential abuse tools.

Maintenance & Community

The project acknowledges significant contributions from Elad Shamir (Whisker), Will Schroeder (Rubeus), Cube0x0 (KrbRelay), Michael Grafnetter (DSInternals), and Orange-Cyberdefense (GOAD). The README indicates ongoing development with a TODO list including code refactoring, verbosity options, and a Python version.

Licensing & Compatibility

The README does not explicitly state a license. The tool's nature as a security exploit implies potential use in both offensive security engagements and defensive analysis. Commercial use or linking with closed-source projects would require clarification of licensing terms.

Limitations & Caveats

This tool is explicitly noted as unsuitable for stealth engagements due to its noisy nature. It requires specific Active Directory configurations (domain functional level 2016+) and relies on the presence of exploitable DACLs. Detection can be achieved by monitoring for mass LDAP modifications or anomalous PKINIT TGT requests with specific certificate attributes.

Health Check

  • Last Commit: 2 years ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 3 stars in the last 30 days
