🧶 (1/) Reproducing Masky Thread
So it’s a relaxing Friday evening to play with the new awesome #Masky tool by @_ZakSec. I’ll show you here how to reproduce its behavior with #CrackMapExec, #Impacket, #Sliver, #Certify and #Certipy.
Let’s go! ⤵️
#pentest #adcs
🧶 (2/) First things first, I shall enumerate the AD CS environment with #CrackMapExec and qwinsta the Victim machine via the newly introduced tstool[.]py from #Impacket (thx @nopernik!). For the purpose of this demo I’ll use a DA account to interact with the Victim, but any LA will do 👨🏻💻
🧶 (3/) I shall now prepare my team server and generate an encrypted Sliver beacon to use it with DInjector 💉
🧶 (4/) It’s all set up now, let’s fire CME with the --dotnetassembly option to emulate the execute-assembly procedure and get our session. tstool[.]py saves the day again with its tasklist feature to get the explorer.exe PIDs 📂
🧶 (5/) Inside the Sliver beacon I shall use the ‘impersonate’ module to steal the victim user’s token and execute Certify (available as an armory package) to request a brand new certificate on her behalf 📜
🧶 (6/) The last thing we need to do is to UnPAC-the-Hash via Certipy. The command line syntax is pretty straightforward 🤓
thehacker.recipes/ad/movement/ke…
🧶 (7/) That’s what Masky offers, saving us from all these intermediate steps and doing its magic under the hood. Thanks again @_ZakSec for the automation! 🦾
github.com/Z4kSec/Masky