12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -26,11 +26,11 @@ Masky has been designed as a Python library. Moreover, a command line interface

For both usages, you need first to retrieve the FQDN of a `CA server` and its `CA name` deployed via an ADCS. This information can be easily retrieved via the `certipy find` option or via the Microsoft built-in `certutil.exe` tool. Make sure that the default `User` template is enabled on the targeted CA.

Warning: Masky deploys an executable on each target via a modification of the existing `RasAuto` service. Despite the automated roll-back of its intial `ImagePath` value, an unexpected error during Masky runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value in case of such unwanted stop.
Warning: Masky deploys an executable on each target via a modification of the existing `RasAuto` service. Despite the automated roll-back of its initial `ImagePath` value, an unexpected error during Masky runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value in case of such unwanted stop.

### Command line

The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution allows to collect NT hashes, CCACHE and PFX of 3 distincts domain users from the sec.lab testing domain.
The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution allows to collect NT hashes, CCACHE and PFX of 3 distinct domain users from the sec.lab testing domain.

<p align="center">
<img src="./assets/masky_demo.gif" alt="Masky CLI demo" />
Expand Down Expand Up @@ -107,15 +107,15 @@ def dump_nt_hashes():
target = "192.168.23.130"
rslts = m.run(target)

# Check if Masky succesfully hijacked at least a user session
# or if an unexpected error occured
# Check if Masky successfully hijacked at least a user session
# or if an unexpected error occurred
if not rslts:
return False

# Loop on MaskyResult object to display hijacked users and to retreive their NT hashes
# Loop on MaskyResult object to display hijacked users and to retrieve their NT hashes
print(f"Results from hostname: {rslts.hostname}")
for user in rslts.users:
print(f"\t - {user.domain}\{user.name} - {user.nt_hash}")
print(f"\t - {user.domain}\\{user.name} - {user.nt_hash}")

return True

6 changes: 3 additions & 3 deletions masky/core.py
Expand Up @@ -105,15 +105,15 @@ def run(self, target):

for user_data in rslt.users:
logger.debug(
f"Start processing PFX of the user '{user_data.domain}\{user_data.name}'"
f"Start processing PFX of the user '{user_data.domain}\\{user_data.name}'"
)
if not self.__process_certificate(user_data):
logger.warn(
f"Fail to process gathered certificate related to the user '{user_data.domain}\{user_data.name}'"
f"Fail to process gathered certificate related to the user '{user_data.domain}\\{user_data.name}'"
)
else:
logger.debug(
f"End processing PFX of the user '{user_data.domain}\{user_data.name}'"
f"End processing PFX of the user '{user_data.domain}\\{user_data.name}'"
)
return rslt
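Review bot: The `logger.warn(` call between the corrected f-strings uses the deprecated alias; if `logger` is a standard `logging.Logger`, it should read `logger.warning(`, the spelling `__clean` in masky/lib/smb.py already uses. The same alias appears in the STATUS_ACCESS_DENIED branch of `exec_masky` in masky/lib/smb.py. The `domain\name` label is also built three times in this loop; binding it once, `account = f"{user_data.domain}\\{user_data.name}"`, would keep the escaping in one place. `run` starts outside this hunk.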

2 changes: 1 addition & 1 deletion masky/lib/cert/auth.py
Expand Up @@ -425,7 +425,7 @@ def kerberos_authentication(

if not is_key_credential:
logger.result(
f"Gathered NT hash for the user '{domain}\{username}': {nt_hash}"
f"Gathered NT hash for the user '{domain}\\{username}': {nt_hash}"
)
self.user.lm_hash = lm_hash
self.user.nt_hash = nt_hash
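Review bot: The corrected `logger.result(...)` line writes the recovered NT hash in clear text to whatever handlers the logger has attached, and nothing here says so. If a file handler is configured (not visible in this hunk), that log file becomes credential material and should be created with owner-only permissions and handled under the same retention and disposal rules as the collected PFX and CCACHE files. A short comment above the call would make that explicit, for example `# NOTE: emits credential material; keep log destinations access-restricted`. `kerberos_authentication` starts and ends outside this hunk.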
12 changes: 6 additions & 6 deletions masky/lib/smb.py
Expand Up @@ -100,15 +100,15 @@ def exec_masky(self, target, ca, template):
self.__command = f'{self.__masky_remote_path} /ca:"{ca}" /template:"{template}" /output:"{self.__results_remote_path}" /debug:"{self.__errors_remote_path}"'
self.__upload_masky(target)
logger.debug(
f"Masky agent was successfuly uploaded in: '{self.__masky_remote_path}'"
f"Masky agent was successfully uploaded in: '{self.__masky_remote_path}'"
)
except Exception as e:
err_msg = None
if "STATUS_ACCESS_DENIED" in str(e):
err_msg = f"The user {self.__domain}\{self.__username} is not local administrator on this system"
err_msg = f"The user {self.__domain}\\{self.__username} is not local administrator on this system"
logger.warn(err_msg)
elif "STATUS_LOGON_FAILURE" in str(e):
err_msg = f"The provided credentials for the user '{self.__domain}\{self.__username}' are invalids or the user does not exist"
err_msg = f"The provided credentials for the user '{self.__domain}\\{self.__username}' are invalids or the user does not exist"
logger.error(err_msg)
else:
err_msg = f"Fail to upload the agent ({str(e)})"
Expand All @@ -121,11 +121,11 @@ def exec_masky(self, target, ca, template):
if self.__stealth:
self.__edit_svc()
logger.debug(
f"The service '{self.__svc_name}' was successfuly modified"
f"The service '{self.__svc_name}' was successfully modified"
)
else:
self.__create_svc()
logger.debug(f"The service '{self.__svc_name}' was successfuly created")
logger.debug(f"The service '{self.__svc_name}' was successfully created")
except Exception as e:
err_msg = (
f"Fail to edit or create the '{self.__svc_name}' service via DCERPC"
Expand Down Expand Up @@ -418,7 +418,7 @@ def __clean(self, target_host):
except Exception as e:
self.__tracker.svc_cleaning_success = False
logger.warning(
f"An unknown error occured while trying to revert or remove '{self.__svc_name}' ({str(e)})"
f"An unknown error occurred while trying to revert or remove '{self.__svc_name}' ({str(e)})"
)
try:
scmr.hRControlService(
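Review bot: The cleanup-failure warning in `__clean` does not say which host was left with a modified or leftover service, although `target_host` is in scope; README.md already states that the value must be reset manually when cleanup is skipped. Naming the host makes that follow-up actionable: `f"An unknown error occurred while trying to revert or remove '{self.__svc_name}' on {target_host} ({str(e)}); restore it manually"`. In the first hunk the corrected STATUS_LOGON_FAILURE message still reads `are invalids`, which should be `are invalid`. Both `__clean` and `exec_masky` continue outside the hunks shown.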
4 changes: 2 additions & 2 deletions masky/ui/main.py
Expand Up @@ -10,12 +10,12 @@

def print_banner():
print(
f"""
r"""
__ __ _
| \/ | __ _ ___| | ___ _
| |\/| |/ _` / __| |/ / | | |
| | | | (_| \__ \ <| |_| |
|_| |_|\__,_|___/_|\_\\__, |
|_| |_|\__,_|___/_|\_\__, |"""f"""
v{VERSION} |___/
"""
)
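Review bot: The banner in `print_banner` now closes a raw string and reopens an f-string in the middle of the art (`, |"""f"""`), which is easy to break on the next edit. A raw f-string does both jobs: open the literal with `rf"""` and drop the splice, since the visible banner lines contain no braces other than `{VERSION}`. The backslashes then stay literal and the version is still interpolated.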