Month: October 2020

  • October 28, 2020

    Phishing Windows Credentials

    In Windows environments, programs very commonly require the user to enter their domain credentials: for authentication (for example, Outlook), for authorization of privilege elevation (User Account Control), or simply when Windows is inactive (Lock Screen). Mimicking this behavior of Windows can lead to harvesting credentials of Windows users that could be used for lateral movement during red team assessments. This technique can be useful when an initial foothold has been achieved on the system and the credentials of the user cannot be discovered by alternative methods.

    C#

    Modern red teaming techniques require tradecraft to be based on the C# language, since it allows in-memory execution by various frameworks such as Cobalt Strike, Covenant, etc. FakeLogonScreen is a Windows utility developed in C# by Arris Huijgen that mimics the Windows logon screen in an attempt to obtain the password of the current user.

    The tool can show the background that is currently configured, in order to reduce the risk of security-conscious users spotting this malicious operation.

    When the user enters their password on the fake logon screen, the tool validates it against Active Directory or locally to ensure that the password is correct. The password is displayed in the console. There is also a secondary binary, part of the same project, which stores the credentials in a file (user.db) on the local disk. Specifically, executing the following will read the file that contains the credentials of the domain user.

        type C:\Users\pentestlab.PENTESTLAB\AppData\Local\Microsoft\user.db

    A similar assembly binary called SharpLocker was developed by Matt Pickford; upon execution it shows a fake logon screen to the user.

    Every single keystroke will be captured on the console until the password of the user is fully uncovered.

    PowerShell

    Windows security input prompts are very common since applications in corporate...