knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

Lockout Potential: Delay Skipped For Unknown Reasons #71

Open curi0usJack opened 8 months ago

curi0usJack commented 8 months ago

During a standard run of CredMaster, I encountered an issue where the delay setting in my conf file was skipped completely and the next password run started immediately. I had pushover notices configured, saw the conclusion of one run and the beginning of another run immediately, but there was still inappropriate overlap between attempts.

The following screenshots are from the same command execution. In the first screenshot, delay is obeyed correctly.

[screenshot: delay obeyed]

In this one (from the same running command), delay seems skipped for some reason.

[screenshot: delay skipped]

The running command:

python3 credmaster.py --config ./config.json --url https://foo.bar.com

config.json

{
  "plugin" : "okta",
  "userfile" : "/project/emails_master.txt",
  "passwordfile" : "/project/passwords.txt",
  "userpassfile" : null,
  "useragentfile" : "/project/uas.txt",

  "outfile" : "/project/credmaster_out.txt",
  "threads" : 1,
  "region" : "us-east-1",
  "jitter" : 15,
  "jitter_min" : 5,
  "delay" : 1532,
  "batch_size": null,
  "batch_delay": null,
  "passwordsperdelay" : null,
  "randomize" : true,
  "header" : null,
  "weekday_warrior" : null,
  "color" : false,
  "trim" : false,

  "slack_webhook" : null,
  "pushover_token" : "<redacted key>",
  "pushover_user" : "<redacted key>",
  "discord_webhook" : null,
  "teams_webhook" : null,
  "keybase_webhook": null,
  "operator_id" : null,
  "exclude_password" : false,

  "access_key" : "<redacted key>",
  "secret_access_key" : "<redacted key>",
  "session_token" : null,
  "profile_name" : null
}

Great tool! Thank you for all the effort you put into it. :-)

knavesec commented 8 months ago

Hey @curi0usJack, thanks for the issue submission and the kind words! Looking to track this down and had a few questions just to see if there was an issue.

The first screenshot has the "sleeping for 1532 minutes..." message, which corresponds to line 341 (https://github.com/knavesec/CredMaster/blob/master/credmaster.py#L341), whereas the output in the second screenshot corresponds to line 333.

Tracking the execution flow, the only way the code would have gotten there is if the following statement was true: if self.delay is None or len(passwords) == 1 or password == passwords[len(passwords)-1]:

Since we know self.delay isn't None, and we know len(passwords) is greater than 1, the only way it could have gotten there is if the password running was also equal to the last password in the passwords file.

Could you potentially check if that was true? It may be that the password file wasn't de-duped. It could also be that the passwords file had an extra password appended to the end mid-execution. The passwords file isn't read on each run, it's read once initially, so if the "last password in the file" on the first run now wasn't the final password, the code may error out?

If this is the case, that's definitely helpful and I'll try and sort out a way to get rid of this behaviour.

Thanks again!

knavesec commented 5 months ago

@curi0usJack Following back up

curi0usJack commented 4 months ago

Hey there - Very sorry for my delayed response! Thanks for being patient.

I checked the logs and I have some disappointing news. The passwords.txt file that I was using has been changed several times, as you might imagine, adding new passwords, removing old ones, etc., so the passwords.txt file I have doesn't correlate directly to the log file that displays the issue. That said, I know my methodology and I don't think the last password is the one that was attempted immediately following the completion of the previous routine (just based on how I add formats to a file). I could be mistaken and I know that doesn't give you much to go on. I can tell you that I don't add passwords on the fly while the tool is running and expect it to just grab the deltas. Just as a matter of good practice and not wanting to unintentionally lock accounts, I'll kill and restart it.

I'll see if I can duplicate the issue on my end when I next run it. I know ghosthunting is always a pain when it comes to these sorts of things, so apologies for not having better information.

knavesec commented 4 months ago

I'll be curious to see if you run into this again. Might just have to change it up to run off a global number of passwords variable rather than checking password = last password type of thing. Keep me posted
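Added example, not CredMaster's code and not posted by anyone in this thread: a simplified stand-in for the spray loop that models the condition quoted above (`self.delay is None or len(passwords) == 1 or password == passwords[len(passwords)-1]`) next to the index-counter alternative suggested in the comment just above. It shows how a password that appears twice in the list makes the value-based "last password" test fire early, so the inter-password delay is skipped while passwords remain, and how an index-based test or an order-preserving de-dupe of the list avoids that. The password list is constructed, no requests are sent, and the helper names (`simulate`, `premature_skips`, `dedupe_preserving_order`) are hypothetical.

```python
# Added example: a simplified model of the end-of-password delay decision
# discussed in this issue. Not CredMaster's code; no spraying is performed.
from typing import Callable, List, Optional, Tuple

Check = Callable[[List[str], int, Optional[int]], bool]


def should_sleep_by_value(passwords: List[str], index: int, delay: Optional[int]) -> bool:
    """Mirror of the condition quoted in the thread: the sleep is skipped when
    delay is None, when only one password exists, or when the password being
    sprayed compares EQUAL to the last entry in the list. Returns True when the
    loop would sleep for the configured delay."""
    password = passwords[index]
    skip = (delay is None
            or len(passwords) == 1
            or password == passwords[len(passwords) - 1])
    return not skip


def should_sleep_by_index(passwords: List[str], index: int, delay: Optional[int]) -> bool:
    """Alternative raised in the thread: decide from the position in the list
    (a counter against the total), so a repeated value cannot look like the end."""
    skip = delay is None or index == len(passwords) - 1
    return not skip


def simulate(passwords: List[str], delay: Optional[int], check: Check) -> List[Tuple[int, str, bool]]:
    """Walk the list once, as the spray loop would, recording (index, password,
    slept) for each round. The list is read once up front, matching the thread."""
    return [(i, passwords[i], check(passwords, i, delay)) for i in range(len(passwords))]


def premature_skips(passwords: List[str], delay: Optional[int], check: Check) -> List[Tuple[int, str]]:
    """Rounds where the delay was skipped although more passwords remain. Each one
    is a point where the next password starts against the same users without the
    lockout-avoidance wait. A configured delay of None is the operator's choice,
    so it is not reported here."""
    if delay is None:
        return []
    last = len(passwords) - 1
    return [(i, p) for i, p, slept in simulate(passwords, delay, check)
            if not slept and i != last]


def dedupe_preserving_order(passwords: List[str]) -> List[str]:
    """Operator-side mitigation: drop repeated passwords while keeping the order
    the file was written in, so the value-based check only fires at the true end."""
    return list(dict.fromkeys(passwords))


# Constructed sample: the last entry repeats the first one, as a file that was
# edited over time and never de-duped easily can.
CONSTRUCTED_PASSWORDS = ["Spring2024!", "Summer2024!", "Winter2023!", "Spring2024!"]
CONSTRUCTED_DELAY = 1532  # minutes, as in the config posted in the issue


if __name__ == "__main__":
    for name, check in (("by value", should_sleep_by_value), ("by index", should_sleep_by_index)):
        print(f"--- delay decision {name} ---")
        for i, p, slept in simulate(CONSTRUCTED_PASSWORDS, CONSTRUCTED_DELAY, check):
            print(f"round {i}: {p!r:14} -> {'sleep' if slept else 'NO SLEEP'}")
        print("premature skips:", premature_skips(CONSTRUCTED_PASSWORDS, CONSTRUCTED_DELAY, check))
    print("after de-dupe  :", premature_skips(dedupe_preserving_order(CONSTRUCTED_PASSWORDS),
                                              CONSTRUCTED_DELAY, should_sleep_by_value))
```

With the constructed list, the value-based check skips the sleep at round 0 because "Spring2024!" equals the final entry, which is exactly the "delay skipped for unknown reasons" symptom; the index-based check only skips at the genuine last round, and the de-duped list has no premature skip under either check.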

mr-pmillz commented 1 month ago

I think the problem you're having is because you forgot to set the --passwordsperdelay flag. @curi0usJack Your config shows:

"passwordsperdelay" : null,

Try setting it to:

"passwordsperdelay" : 1,

Should resolve the issue.

knavesec commented 1 month ago

@mr-pmillz In the parsing of the config file, if the passwordsperdelay flag isn't set it will default to 1, you can check it out here https://github.com/knavesec/CredMaster/blob/master/credmaster.py#L104