Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

knavesec, updated 2023-03-18 17:36:48

CredMaster

Launch a password spray / brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.

Shoutout to @ustayready for his CredKing and FireProx tools, which form the base of this suite.

See the full notes on the Wiki; the tool was released with specifics in this blogpost.

For detection tips, see the blogpost and detection section.

Be careful of account lockouts, and know the reset policies of your target.

TL;DR

  1. git clone the repo down
  2. If unsure how to create correct keys, see this blog.
  3. pip install -r requirements.txt
  4. Fill out the config file (wiki) with desired options, or provide through CLI

Benefits & Features

  • Rotates the requesting IP address for every request
  • Automatically generates APIs for proxy passthru
  • Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers = fully anonymous
  • Easy configuration via config file
  • Multi-threaded processing
  • Password delay counters & configuration for lockout policy evasion
  • Easily add new plugins
  • Colourised output
  • Notification systems for Keybase, Slack, Discord, Teams & Pushover
  • WeekdayWarrior setting for timed spraying and SOC evasion
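Because every attempt arrives from a fresh API Gateway IP and the proxy headers are spoofed, a per-source-IP failure threshold never trips. The following is an added defender-side example (not CredMaster's code) of a heuristic that instead aggregates failures per time window and looks at user breadth and source-IP diversity; the event format, thresholds and sample events are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sign-in events (ts, user, src_ip, result): one spray round plus benign noise."""
    base = datetime(2023, 3, 18, 10, 0, 0)
    events = []
    # Benign: carol mistypes her password three times from one IP, then gets in.
    for k in range(3):
        events.append((base + timedelta(seconds=5 * k), "carol", "203.0.113.5", "failure"))
    events.append((base + timedelta(seconds=20), "carol", "203.0.113.5", "success"))
    # Spray round: 12 users, one attempt each, every request from a fresh proxy IP.
    for k in range(12):
        events.append((base + timedelta(seconds=30 + 7 * k), f"user{k:02d}",
                       f"198.51.100.{k + 1}", "failure"))
    return events

def per_ip_threshold(events, limit=5):
    """Classic rule: flag any source IP with more than `limit` failures.
    Per-request IP rotation keeps every spray IP at one failure, so this stays quiet."""
    fails = Counter(ip for _, _, ip, result in events if result == "failure")
    return sorted(ip for ip, n in fails.items() if n > limit)

def spray_buckets(events, window_min=10, min_users=10, ratio=0.8):
    """Tenant-wide rule: bucket failures into fixed windows (window_min must divide 60)
    and flag a bucket whose failures are spread over many users AND many source IPs."""
    buckets = {}
    for ts, user, ip, result in events:
        if result != "failure":
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0, microsecond=0)
        buckets.setdefault(start, []).append((user, ip))
    findings = []
    for start, attempts in sorted(buckets.items()):
        n = len(attempts)
        users = len({u for u, _ in attempts})
        ips = len({i for _, i in attempts})
        # ~1 failure per user and ~1 failure per IP is the spray signature; a user
        # fat-fingering a password is many failures on one user from one IP.
        if users >= min_users and users / n >= ratio and ips / n >= ratio:
            findings.append({"window_start": start.isoformat(), "failures": n,
                             "distinct_users": users, "distinct_ips": ips})
    return findings

if __name__ == "__main__":
    log = constructed_log()
    print("per-IP threshold hits:", per_ip_threshold(log))   # []
    print("spray windows:", spray_buckets(log))
```

Fixed buckets can split a round that straddles a boundary; a production job would use a sliding window and feed the flagged window into an alert that names the users touched rather than the IPs.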


Quick Use

The following plugins are currently supported:

  • OWA - Outlook Web Access
      • --plugin owa
  • EWS - Exchange Web Services
      • --plugin ews
  • O365 - Office365
      • --plugin o365
  • ADFS - Active Directory Federation Services
      • --plugin adfs
  • O365Enum - Office365 User Enum (No Authentication Request)
      • --plugin o365enum
  • MSOL - Microsoft Online
      • --plugin msol
  • MSGraph - MSGraph Module, msgraph spray point for Azure and MSOL credentials
      • --plugin msgraph
  • AzureSSO - Azure AD Seamless SSO Endpoint
      • --plugin azuresso
  • AzVault - AzVault Module, an Azure spray point different from MSOL/AzureSSO
      • --plugin azvault
  • Okta - Okta Authentication Portal
      • --plugin okta
  • FortinetVPN - Fortinet VPN Client
      • --plugin fortinetvpn
  • HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
      • --plugin httpbrute
  • GMailEnum - GSuite/Gmail enumeration
      • --plugin gmailenum

Example Use: python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}

or

python3 credmaster.py --config config.json

This tool requires AWS API access keys, a walkthrough on how to acquire these keys can be found here: https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b

All other usage details can be found on the wiki

TODO

PRs welcome :)

  • New Plugin: Optiv's Go365 Method - Includes Office365 auth and userenum capabilities via SOAP
  • "Resume" functionality for paused/cancelled scans. Ideally storing data on the APIs used, whether they were destroyed, and which user/password the spray was on
  • Method to reliably determine if an auth attempt was throttled, so the username could be re-queued and tried again later for full coverage (would have to be per-plugin: return a "throttled" boolean value from the plugin script, and requeue if throttled)
  • Notification system for webhooks (Teams TODO)
  • Stop on success flag
  • Spray profile overhaul
  • Development notes

Credits

  • Mike Felch (ustayready) - CredKing & FireProx
  • Beau Bullock (dafthack) - MSOLSpray tool
  • Martin Ingesen (mrtn9) - MSOLSpray Python tool
  • Oliver Morton (grimhacker) - Office365UserEnum tool
  • Marcello (byt3bl33d3r) - SprayingToolkit
  • Erforschr - HTTP Bruteforce tool
  • Florian Hauser (frycos from codewhitesec) - ADFS plugin
  • nyxgeek - Azure AD Seamless SSO python implementation
  • Joe Helle (joehelle) - Oh365UserFinder
  • Cameron Geehr (BarrelTit0r) - o365enum tool
  • Max Gruenberg (Max_Gruenberg) - o365enum plugin
  • x0rz - GmailEnum technique
  • Kole Swesey (0xPanic_) - Assorted PR
  • Logan (TheToddLuci0) - Assorted bug squashing, AWS authing, and Keybase notifying
  • Andy Gill (ZephrFish) - Colour functions + Tweaks/Notifications, helping on dev rewrite, AzVault module

Feel free to drop me a line: @knave on Keybase, or knavesec on Twitter

Issues

Fixing unbound variable declaration + better notifications

opened on 2023-03-18 17:36:48 by 0xInfection

Addresses:

  • extra content= parameter in a few requests.post() method calls
  • undeclared variable usage
  • better notification error handling

update owa plugin to use forms auth

opened on 2023-02-19 02:47:15 by techspence

TLDR: This PR seeks to resolve the issue "OWA/EWS Plugins Authentication Failed with Valid Credentials" by changing the owa plugin to use forms auth instead of NTLM against the auto-discover endpoint.

Note: There are a couple of opsec drawbacks with this, but for the purposes of testing a client environment, I'm personally ok with those drawbacks.

Summary of changes:

  • Add a list of possible owa endpoints to search through
  • Implement 2 new functions in the init module, check_url and check_path
      • check_path uses check_url to check each of the owa endpoints to see which one is in use
      • one drawback of this is it's not very opsec safe since it's sending a GET request from the operator's host to the endpoint
  • The pluginargs URL is also used to get the internal domain name, again not very opsec safe but it works
  • Successful authentication (valid credentials) is found when the response code is 302 and 4 or more cookies are set

Strange behavior:

  • I had trouble getting the x-amzn-remapped-www-authenticate header to work with the OWA plugin so I fall back to using WWW-Authenticate. I'm not sure of the implications of this
  • For some reason the "Content-Type": "text/xml" header causes the request to fail with 400 errors, so I exclude it

I've tested this a bit in my lab, but I would very much welcome others testing this to see if I've introduced any bugs/issues/incompatibilities/etc. If there's anything that requires fixing I'm happy to work on it.

I hope this PR can help the project even just a tiny bit. Cheers!

Move the example config to example.config.json

opened on 2023-02-13 15:45:10 by TheToddLuci0

Avoid potential issues with people putting their actual secrets into a file tracked by git.

config.json is already in .gitignore, so should be good there.

MFA Sweep module + fixes

opened on 2023-01-24 01:02:12 by ZephrFish

Additions

  • Added in new user agents to match MFASweep, each will rotate through default recommended UAs from MS
  • Added in MFASweep module + screenshots and docs to match, added line to config file too

Updates

  • Added changes to readme to mirror the MFAModule
  • Updated Docker container to support ADAL/MSAL modules with Python 3.10
  • Updated requirements.txt with new modules required for MFASweep module

Optiv's Go365 tool implementation

opened on 2021-11-02 20:28:27 by knavesec

https://github.com/Optiv/Go365

Optiv's Go365 tool does some awesome bruteforcing & enum for Office365 tenants. Would be great to have a CredMaster plugin for it, with an optional --endpoint flag to specify RST or Graph.

I could probably do it myself, there's just a lack of time in this world; would appreciate if someone tried their hand with a PR!

OWA/EWS Plugins Authentication Failed with Valid Credentials

opened on 2021-08-17 16:27:42 by webofsnyderman

While attempting to use the OWA/EWS plugins I am getting "Authentication Failed:" with a valid credential. O365 module works as expected for the same credentials. Possibly an issue with NTLM auth?

I'm curious if anyone has had success with these plugins before or has seen the same issue.

Ellis Springe, Penetration tester
