
Masky – Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory



The Masky Python 3 library and its associated CLI can be installed from the public PyPI repository as follows:

The Masky agent executable is already included in the PyPI package.

If you need to modify the agent, the C# code can be recompiled via the Visual Studio project located in agent/Masky.sln. Building it requires .NET Framework 4.

Masky has been designed as a Python library. A command line interface was also created on top of it to ease its usage during pentest or red team activities.

For both usages, you first need to retrieve the FQDN of a CA server and its CA name deployed via an ADCS. This information can be easily retrieved via the certipy find option or via the Microsoft built-in certutil.exe tool. Make sure that the default User template is enabled on the targeted CA.

Warning: Masky deploys an executable on each target by modifying the existing RasAuto service. Despite the automated rollback of its initial ImagePath value, an unexpected error during Masky runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value if such an unwanted stop occurs.
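The warning above also describes what this activity looks like in registry telemetry: the RasAuto ImagePath is changed and, when cleanup succeeds, written back. The following detection sketch is an added example, not part of Masky or of the original page; it reads simplified records shaped like Sysmon event 13 (registry value set) and reports hosts where the value was changed and never restored. The record keys, the sample events and the svchost baseline value are assumptions to adapt to your own log pipeline.

```python
import re

# Registry value the page says Masky rewrites: the RasAuto service ImagePath.
TARGET = re.compile(r"\\Services\\RasAuto\\ImagePath$", re.IGNORECASE)
# Assumption: the stock value is svchost-hosted; confirm on a known-good host.
BASELINE = re.compile(r"\\system32\\svchost\.exe\s+-k\s+\S+", re.IGNORECASE)

def review_rasauto(events):
    """Return one finding per ImagePath change away from the baseline,
    recording when (if ever) the baseline value was written back."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 13 or not TARGET.search(ev["target"]):
            continue  # only value-set events on the RasAuto ImagePath
        if BASELINE.search(ev["details"]):
            # Baseline written back: close every open finding for this host.
            for f in findings:
                if f["host"] == ev["host"] and f["restored"] is None:
                    f["restored"] = ev["time"]
        else:
            findings.append({"host": ev["host"], "changed": ev["time"],
                             "value": ev["details"], "restored": None})
    return findings

def unrestored_hosts(events):
    """Hosts still carrying a non-baseline ImagePath at the end of the log."""
    return sorted({f["host"] for f in review_rasauto(events)
                   if f["restored"] is None})

def record(time, host, event_id, target, details):
    return {"time": time, "host": host, "event_id": event_id,
            "target": target, "details": details}

KEY = r"HKLM\System\CurrentControlSet\Services\RasAuto\ImagePath"
STOCK = r"%SystemRoot%\System32\svchost.exe -k netsvcs -p"  # assumed baseline
TEMP_EXE = r"C:\Windows\Temp\constructed-example.exe"       # constructed value
# Constructed sample records (not real telemetry).
SAMPLE = [
    record("2024-01-01T10:00:01Z", "WS01", 13, KEY, TEMP_EXE),
    record("2024-01-01T10:00:02Z", "WS02", 13, KEY, TEMP_EXE),
    record("2024-01-01T10:00:05Z", "WS03", 12, KEY, ""),  # not a value set
    record("2024-01-01T10:00:06Z", "WS03", 13,
           r"HKLM\System\CurrentControlSet\Services\Other\ImagePath", TEMP_EXE),
    record("2024-01-01T10:00:09Z", "WS01", 13, KEY, STOCK),  # rollback
]

if __name__ == "__main__":
    for finding in review_rasauto(SAMPLE):
        print(finding)
    print("needs manual reset:", unrestored_hosts(SAMPLE))
```

A host listed by `unrestored_hosts` is one where the ImagePath should be compared against a known-good system and reset by hand, as the warning asks.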

The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution collects the NT hashes, CCACHE and PFX of 3 distinct domain users from the sec.lab testing domain.

Masky also provides the options commonly offered by such tools (thread number, authentication mode, targets loaded from files, etc.).

Below is a simple script using the Masky library to collect secrets of running domain user sessions from a remote target.

Its execution generates the following output.

A MaskyResults object containing a list of User objects is returned after a successful execution of Masky.

Please look at the maskylibresults.py module to check the methods and attributes provided by these two classes.
