In order to apply "Shadow Credentials" to the target account, the gssapi-abuse tool manipulates the msDS-KeyCredentialLinkattribute of Active Directory user and computer accounts. Michael Grafnetter's (@MGrafnetter) work from DSInternals served as the foundation for this utility.

gssapi-abuse is a tool developed for gaining control over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, essentially adding "Shadow Credentials" to the target account. This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter). It's important to emphasize that this tool should only be used responsibly and with proper authorization for security assessments and testing in controlled environments.


  1. Ensure you have a working krb5 stack along with a correctly configured krb5.conf.
  2. On Windows, install the MIT Kerberos software and the required python modules listed in requirements.txt. The Windows krb5.conf file is typically located at C:\ProgramData\MIT\Kerberos5\krb5.conf.
  3. On Linux, install the libkrb5-dev package before installing python requirements.
  4. Install the python dependencies using pip:

How to Use

gssapi-abuse has two main features, Enumeration Mode and DNSMode.

Enumeration Mode:

Connect to Active Directory and perform an LDAP search forall computers without the word "Windows" in the Operating Systemattribute.

Attempt to connect to each host over SSH and determine ifGSSAPI-based authentication is permitted.

DNS Mode:

Utilizes Kerberos and dnspython to perform an authenticatedDNS update over port 53 using the DNS-TSIG protocol.

Requires a working krb5 configuration with a valid TGT orDNS service ticket targeting a specific domain controller.


Adding a DNS A record for host


Adding a reverse PTR record for host


After execution, verify the results using nslookup for both forward and reverse DNS lookup.

Additional Information

  • This     tool is part of a DEF CON 31 talk. For a detailed understanding of the     abuse vector, refer to the write-up: A Broken     Marriage: Abusing Mixed Vendor Kerberos Stacks.
  • Caution:     This tool is powerful and can impact DNS records. Use it with care,     especially considering its potential disruptions, especially when clearing     the msDS-KeyCredentialLink attribute of accounts configured for     passwordless authentication.
Table of Contents: