Shwmae: A Windows Hello abuse tool
Shwmae (pronounced "shuh-my") is a Windows Hello abuse tool that was released during DEF CON 32 as part of the "Abusing Windows Hello Without a Severed Hand" talk. The purpose of the tool is to abuse Windows Hello from a privileged user context.
The tool features several modes of operation.
Enumeration
When no arguments are provided, enumeration is the default mode; alternatively you can use the enum command. Enumeration mode enumerates all Windows Hello containers available and recursively enumerates all Windows Hello enrolled keys and protectors within each container. In instances where no TPM is present on the host, a hash is generated for the PIN protector that can be cracked offline using hashcat.
The biometric protector is decrypted automatically, but the PIN and Recovery protectors can be decrypted using the /pin and /token arguments respectively. Only a single protector needs to be decrypted from each container to allow abuse of the Windows Hello keys within that container.
PRT
The PRT operating mode facilitates generating an initial PRT and renewing existing PRTs via the prt command by utilizing any Entra enrolled Windows Hello keys. If cloud trust is enabled within the tenant, the cloud TGT is decrypted and can be used to authenticate as the user against on-premises Active Directory using Rubeus.
WebAuthn
The WebAuthn operating mode sets up a simple web API via the webauthn command that accepts WebAuthn assertion requests from the ShwmaeExt web browser extension running on another host.
Once the WebAuthn HTTP listener is set up on a compromised host (it listens on port 8000 by default), you can install ShwmaeExt within an attacking browser. Once you set the listener URL within the extension, you can log in via Passkey authentication using any credentials available from the compromised host. You can find the exploded extension inside the ShwmaeExt folder.
Dump
The dump command can be used for extracting Windows Hello private keys that are backed by the Software Key Storage Provider. You cannot use this mode to extract keys that are backed by the Platform Key Storage Provider (TPM-backed keys).
Sign
The sign command can be used for signing arbitrary data with a specific key. This mode is useful in scenarios where no specific integration exists within the tool.
The --key-name argument selects the specific Windows Hello key pair to use, and the --data argument supplies the data over which the signature is calculated. The data should be presented as a Base64 encoded string; the string is first decoded to binary before the signature is generated. The binary signature is then converted to Base64 and printed to the console.