The Masky Python 3 library and its associated CLI can be installed from the public PyPI repository as follows:
The Masky agent executable is already included within the PyPi package.
Moreover, if you need to modify the agent, the C# code can be recompiled via the Visual Studio project located in agent/Masky.sln. It requires .NET Framework 4 to be built.
Masky has been designed as a Python library. A command line interface was also created on top of it to ease its usage during pentest or red team activities.
For both usages, you first need to retrieve the FQDN of a CA server and its CA name deployed via an ADCS. This information can be easily retrieved via the certipy find option or via the Microsoft built-in certutil.exe tool. Make sure that the default User template is enabled on the targeted CA.
Warning: Masky deploys an executable on each target via a modification of the existing RasAuto service. Despite the automated roll-back of its initial ImagePath value, an unexpected error during Masky runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value if Masky stops unexpectedly.
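The RasAuto ImagePath change described in this warning is visible in registry telemetry, which is useful both for detection and for confirming cleanup after an engagement. The following is an added example, not part of Masky or its documentation: it reviews Sysmon Event ID 13 (registry value set) records and reports hosts where the value was changed and whether a later write restored it. It assumes the baseline RasAuto ImagePath is hosted by svchost.exe; the events, host names, timestamps and executable path are constructed placeholders.

```python
import re

# Assumption: RasAuto normally runs inside svchost.exe; confirm against a known-good host.
BASELINE = re.compile(r'^"?(%systemroot%|c:\\windows)\\system32\\svchost\.exe"?(\s|$)', re.I)
RASAUTO_VALUE = re.compile(r"\\services\\rasauto\\imagepath$", re.I)

def ev(host, time, target, details):
    """Build one constructed Sysmon Event ID 13 (registry value set) record."""
    return {"EventID": 13, "Computer": host, "UtcTime": time,
            "TargetObject": target, "Details": details}

KEY = r"HKLM\System\CurrentControlSet\Services\RasAuto\ImagePath"
GOOD = r"%SystemRoot%\System32\svchost.exe -k netsvcs -p"
# Constructed sample data: host names, times and the .exe path are placeholders.
SAMPLE_EVENTS = [
    ev("host-a.example", "2024-01-10 09:00:01.000", KEY, r"C:\Windows\Temp\placeholder.exe"),
    ev("host-a.example", "2024-01-10 09:00:09.000", KEY, GOOD),
    ev("host-b.example", "2024-01-10 09:00:02.000", KEY, r"C:\Windows\Temp\placeholder.exe"),
    ev("host-c.example", "2024-01-10 09:00:03.000",
       r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath", r"C:\Windows\System32\spoolsv.exe"),
]

def review_rasauto_writes(events):
    """Map each host with an off-baseline RasAuto ImagePath write to its review state."""
    findings = {}
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if e.get("EventID") != 13 or not RASAUTO_VALUE.search(e.get("TargetObject", "")):
            continue
        host, value = e["Computer"], e.get("Details", "")
        if BASELINE.match(value):
            if host in findings:          # a later write put the baseline back
                findings[host]["restored"] = True
        else:
            entry = findings.setdefault(host, {"writes": [], "restored": False})
            entry["writes"].append((e["UtcTime"], value))
            entry["restored"] = False     # newest value is off-baseline again
    return findings

if __name__ == "__main__":
    for host, f in review_rasauto_writes(SAMPLE_EVENTS).items():
        state = "restored" if f["restored"] else "STILL MODIFIED, reset ImagePath manually"
        print(f"{host}: {len(f['writes'])} off-baseline write(s), {state}")
```

A host reported as still modified is one where the cleanup phase did not run, so its ImagePath needs the manual reset the warning describes.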
The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution collects NT hashes, CCACHE and PFX of 3 distinct domain users from the sec.lab testing domain.
Masky also provides the options commonly found in such tools (thread number, authentication mode, targets loaded from files, etc.).
Below is a simple script using the Masky library to collect secrets of running domain user sessions from a remote target.
Its execution generates the following output.
A MaskyResults object containing a list of User objects is returned after a successful execution of Masky. Please look at the masky\lib\results.py module to check the methods and attributes provided by these two classes.