This is the ninth article in our
series on Credentials Dumping. In this article, we will trigger various
scenarios in which Windows asks the user to authenticate, and use them to retrieve the
credentials. For security purposes, Windows requires users to validate their
credentials for various actions, such as signing in to Outlook, approving a User Account Control prompt,
or signing in from the lock screen. We can use this behaviour to our
advantage to dump credentials after establishing a foothold on the target
system. To exploit it, we will use phishing techniques, in the form of fake prompts, to harvest the credentials.
Table of contents:
· Metasploit Framework
  o phish_windows_credentials
  o FakeLogonScreen
  o SharpLocker
· PowerShell Empire
  o collection/prompt
  o collection/toasted
· Koadic
  o password_box
· PowerShell
  o Invoke-CredentialsPhish.ps1
  o Invoke-LoginPrompt.ps1
· Lockphish
· Conclusion
Metasploit Framework: phish_windows_credentials
Metasploit comes with a built-in post-exploitation module that does
the job for us. As it is a post module, it needs to be linked to an ongoing
meterpreter session. To use this module, simply type:
use post/windows/gather/phish_windows_credentials
set session 1
exploit
This module waits for the user to start a new process.
Once that process starts, a fake Windows Security dialog box
opens, asking for the user's credentials, as shown in the image below:
As the user enters their credentials, they are
captured and displayed as shown in the image below:
Metasploit Framework: FakeLogonScreen
FakeLogonScreen was created by Arris Huijgen. It is a
Windows utility developed in C#. C# was chosen because it
allows various frameworks to inject the utility into memory, so we will
execute this tool remotely using Metasploit.
We simply upload the utility through our meterpreter
session and then execute it remotely with the following set of commands:
upload /root/FakeLogonScreen.exe
shell
FakeLogonScreen.exe
Upon execution, it simulates the Windows lock screen to
obtain the password from the user. To do so, the tool renders the lock
screen exactly as it is configured on that machine, so that the user is not suspicious, as
shown in the image below:
It validates the credentials locally or against Active
Directory as the user enters them and then displays them on the console, as shown
in the image below:
Metasploit Framework: SharpLocker
This tool is very similar to the previous one. It was
developed by Matt Pickford. Just like FakeLogonScreen, this tool
displays a fake lock screen for the user to enter their credentials and then sends
them keystroke by keystroke to the attacker.
We will first upload the tool from our machine to the
target system and then execute it. So, once you have the
meterpreter session, just type:
upload /root/Downloads/SharpLocker.exe
shell
Then navigate to the Downloads folder and run the
executable.
Upon execution, the tool triggers the lock screen on the
target system, as shown in the image below:
As the user enters the password, it captures the
keystrokes until the whole password is revealed, as shown in the image below:
PowerShell Empire: collection/prompt
This Empire module prompts a dialog box on the
target system asking for credentials. We can use it with the
following commands:
usemodule collection/prompt
execute
Once the user types their credentials into the dialog box,
the module displays them on the terminal, as shown in the image below:
PowerShell Empire: collection/toasted
This Empire module triggers a restart prompt on the target
system. To use it, type the following commands:
usemodule collection/toasted
execute
Once the module executes, it shows the following
dialog box:
Once the user postpones the restart, it asks for
credentials to confirm the decision, as shown in the image below:
As the user enters the credentials, they are shown on the
terminal, as in the image below:
Koadic: password_box
A similar module is found in Koadic. Once you have a
session from it, use the following module to trigger the dialog box:
use password_box
execute
When the user enters the username and password in the
dialog box, the password is also displayed in the terminal, as shown in
the image below:
PowerShell: Invoke-CredentialsPhish.ps1
There is a PowerShell script that creates a fake prompt
for the user to enter their credentials. To run it, import the script and call its function:
Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish
Executing the commands above pops up a prompt
asking for credentials, as shown in the image below:
Once the user enters the credentials, they are
displayed on the screen, as shown in the image below:
PowerShell: Invoke-LoginPrompt.ps1
Similarly, there is another script, developed by Matt Nelson.
This script also opens a dialog box for the user to enter their password.
To run it, import the script and call its function:
Import-Module C:\Users\raj\Desktop\Invoke-LoginPrompt.ps1
Invoke-LoginPrompt
As you can see, the dialog box appears on the screen; once
the user enters the credentials, they are displayed back on
the terminal.
Lockphish
Lockphish is another tool that allows us to phish
credentials; you can download it from here. The tool creates a lock-screen template
that is hosted on a PHP server, and by default it redirects the user to YouTube
after the credentials have been retrieved.
Start the tool with the following command:
./lockphish.sh
It generates a link, as shown in the image above; send
that link to the target. The target then has to open the link and save the file.
For this step, strong social engineering skills are required.
The lock screen is then
triggered and the user is forced to enter their credentials, as shown in the
image below:
After the user has entered the credentials, the page
redirects to YouTube, as shown below:
And we have our credentials, as shown in the image
below:
Conclusion
These were various methods that we can use to dump the
credentials of a target system. Depending on the scenario, the appropriate
method should be chosen. The PowerShell methods are
best for validating the credentials, as the prompt does not close until the correct
credentials are entered. The Lockphish method does not reproduce the lock screen as
accurately as the other tools, and it also does not validate the credentials. So
each method and tool has its own advantages and disadvantages, but all of them
work fairly well.
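From the defender's side, the property the article relies on twice, in the FakeLogonScreen section (the tool validates what the user types locally or against Active Directory) and in the conclusion (the PowerShell prompts stay open until the correct password is entered), is also what makes these prompts visible: every validation attempt is a logon event, and it is requested by the phishing process rather than by the Windows logon components. The script below is an added detection example, not code from any tool on this page. It models a handful of fields from Windows Security events 4624 (successful logon) and 4625 (failed logon), including the Process Information / Caller Process Name field, on constructed, pipe-delimited records; the allow-list of expected caller processes, the logon types of interest and the five-minute correlation window are assumptions to tune per environment.

```python
"""Flag credential validations requested by processes other than the
Windows logon brokers, and the failure-then-success pattern a looping
fake prompt produces.

Added detection example, not code from any tool on this page. The records
are constructed and model only a few fields of Security events 4624/4625:
time, event id, target user, logon type and caller process name.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Processes expected to request credential validation on a workstation.
# Assumption: a starting point to tune, not an authoritative list.
EXPECTED_CALLERS = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
}

# Interactive (2) and network (3) logons: the types a user-mode prompt
# produces when it validates typed credentials (assumption for the example).
PROMPT_LOGON_TYPES = {2, 3}


@dataclass
class LogonEvent:
    time: datetime
    event_id: int          # 4624 = success, 4625 = failure
    user: str
    logon_type: int
    caller: str            # Process Information / Caller Process Name


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed record: time|event_id|user|logon_type|caller."""
    ts, eid, user, ltype, caller = (f.strip() for f in line.split("|"))
    return LogonEvent(datetime.fromisoformat(ts), int(eid), user, int(ltype), caller)


def unexpected_callers(events):
    """Every validation whose requesting process is not an expected broker."""
    return [e for e in events
            if e.event_id in (4624, 4625)
            and e.logon_type in PROMPT_LOGON_TYPES
            and e.caller.lower() not in EXPECTED_CALLERS]


def looping_prompts(events, window=timedelta(minutes=5)):
    """The 'prompt stays open until the right password' pattern: one or more
    4625 failures followed by a 4624 success for the same user from the same
    unexpected caller inside the window."""
    suspects = sorted(unexpected_callers(events), key=lambda e: e.time)
    findings = []
    for i, success in enumerate(suspects):
        if success.event_id != 4624:
            continue
        failures = [f for f in suspects[:i]
                    if f.event_id == 4625
                    and f.user == success.user
                    and f.caller.lower() == success.caller.lower()
                    and success.time - f.time <= window]
        if failures:
            findings.append({"user": success.user, "caller": success.caller,
                             "failed_attempts": len(failures),
                             "succeeded_at": success.time.isoformat()})
    return findings


# Constructed sample records for the example (not real telemetry). The
# Downloads\lockscreen.exe path is a placeholder for a dropped phishing tool.
SAMPLE_LOG = """\
2024-01-10T09:00:01|4624|raj|2|C:\\Windows\\System32\\winlogon.exe
2024-01-10T09:15:22|4625|raj|2|C:\\Users\\raj\\Downloads\\lockscreen.exe
2024-01-10T09:15:40|4625|raj|2|C:\\Users\\raj\\Downloads\\lockscreen.exe
2024-01-10T09:16:03|4624|raj|2|C:\\Users\\raj\\Downloads\\lockscreen.exe
2024-01-10T09:30:00|4624|raj|3|C:\\Windows\\System32\\svchost.exe
2024-01-10T10:02:11|4624|raj|3|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""


def analyse(text: str = SAMPLE_LOG):
    """Return (validations from unexpected callers, looping-prompt findings)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return unexpected_callers(events), looping_prompts(events)


if __name__ == "__main__":
    flagged, loops = analyse()
    for e in flagged:
        print(f"{e.time} {e.event_id} {e.user} validated by unexpected caller {e.caller}")
    for f in loops:
        print("looping prompt:", f)
```

On the sample data the winlogon and svchost entries pass, the three attempts from the executable in the Downloads folder and the PowerShell-originated logon are flagged, and the two failures followed by a success from the same executable are reported as one looping prompt. In a real deployment the records would come from the Security log (for example via a SIEM export) and the allow-list would be built from the logon brokers observed on a clean baseline.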