https://github.com/ShorSec/ShadowSpray
A tool to spray Shadow Credentials across an entire domain in hopes of abusing long-forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
Usage: ShadowSpray.exe [-d FQDN] [-dc FQDN] [-u USERNAME] [-p PASSWORD] [-r] [-re] [-cp CERT_PASSWORD] [-ssl]
-r (--RestoreShadowCred) Restore "msDS-KeyCredentialLink" attribute after the attack is done. (Optional)
-re (--Recursive) Perform ShadowSpray attack recursively. (Optional)
-cp (--CertificatePassword) Certificate password. (default = random password)
General Options:
-u (--Username) Username for initial LDAP authentication. (Optional)
-p (--Password) Password for initial LDAP authentication. (Optional)
-d (--Domain) FQDN of domain. (Optional)
-dc (--DomainController) FQDN of domain controller. (Optional)
-ssl Use LDAP over SSL. (Optional)
-y (--AutoY) Don't ask for confirmation to start the ShadowSpray attack. (Optional)
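
From the defender's side, a spray like the one described above appears as one account adding "msDS-KeyCredentialLink" values on many distinct objects in a short time, followed by deletions when -r is used. The following added example (not part of ShadowSpray or its README) runs that check over constructed Security event 5136 records. The dict layout, the 5-minute window and the 3-target threshold are assumptions, and 5136 is only logged where directory-change auditing and a SACL cover the attribute.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ATTR = "msds-keycredentiallink"                     # compared case-insensitively
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # 5136 OperationType codes

def is_kcl(e):
    return e["EventID"] == 5136 and e["AttributeLDAPDisplayName"].lower() == ATTR

def find_sprays(events, window=timedelta(minutes=5), min_targets=3):
    """Subjects that added key-credential values on >= min_targets distinct objects within window."""
    adds = defaultdict(list)
    for e in events:
        if is_kcl(e) and e["OperationType"] == VALUE_ADDED:
            adds[e["SubjectUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), e["ObjectDN"]))
    hits = {}
    for subject, writes in adds.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):
            targets = {dn for t, dn in writes[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits.setdefault(subject, set()).update(targets)
    return {s: sorted(t) for s, t in hits.items()}

def restored_targets(events, subject):
    """Objects where subject added a value and later deleted one (cleanup, as with -r)."""
    added, restored = set(), set()
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_kcl(e) or e["SubjectUserName"] != subject:
            continue
        if e["OperationType"] == VALUE_ADDED:
            added.add(e["ObjectDN"])
        elif e["OperationType"] == VALUE_DELETED and e["ObjectDN"] in added:
            restored.add(e["ObjectDN"])
    return sorted(restored)

def ev(ts, subject, cn, op, attr="msDS-KeyCredentialLink"):  # builds one constructed record
    return {"EventID": 5136, "TimeCreated": ts, "SubjectUserName": subject, "OperationType": op,
            "ObjectDN": f"CN={cn},DC=example,DC=test", "AttributeLDAPDisplayName": attr}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    ev("2024-01-10T09:00:01", "lowpriv", "WS01", VALUE_ADDED),
    ev("2024-01-10T09:00:02", "lowpriv", "svc-backup", VALUE_ADDED),
    ev("2024-01-10T09:00:03", "lowpriv", "FS02", VALUE_ADDED),
    ev("2024-01-10T09:00:04", "lowpriv", "FS02", VALUE_ADDED, attr="description"),
    ev("2024-01-10T09:00:09", "lowpriv", "WS01", VALUE_DELETED),
    ev("2024-01-10T11:30:00", "WS07$", "WS07", VALUE_ADDED),  # single write, below threshold
]
if __name__ == "__main__":
    print(find_sprays(SAMPLE_EVENTS), restored_targets(SAMPLE_EVENTS, "lowpriv"))
```

Tune the window and threshold to the environment: legitimate key registration also writes this attribute, but typically one object at a time.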