Post Exploitation Credential Gathering (Phishing for Credentials in Windows Environments)
Many times during red team engagements, I have faced the following situation: “I have access to X’s system (by phishing or any other means). X does not have a lot of privileges but has access to one of my goals. I need to take X’s password.”
Now at this point, you must be thinking, “Oh, yeah! Why don’t you take an LSASS dump, get creds and go away?” Or you may be thinking, why not just keylog X and wait for him to put in his password?
Some smarter folks will be pointing me to https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/ and https://github.com/matterpreter/OffensiveCSharp/tree/master/CredPhisher (FYI, I didn’t know CredPhisher existed before I wrote my code. Fun fact: we both copied from the same StackOverflow answer. LOL).
Enigma0x3 did great research and made this Invoke-CredPhish thing, which prompted for the password and also checked whether the password was correct or not. I had used Invoke-CredPhish a lot during my previous engagements and had success with it. This project had two large issues:
a. The prompt shown by this project was not very familiar in newer Windows 10 environments
b. People who are super busy will just minimize it and move on with their work
With these two problem statements in mind, I started developing SharpLoginPrompt. I did a bit of Google-fu and found that CredUIPromptForWindowsCredentials can make a prompt which matches the current version and theme of Windows and gather credentials. So problem statement one was solved: we get a nice prompt which is very familiar in Win10 environments.
Now I moved to my second problem, making the prompt “non-ignorable”. My colleague @JonathanCheun20 said, “What if we can make the prompt window stay on top of all the other windows?” I said it’s a good idea, but I don’t have a window handle, and CredUIPromptForWindowsCredentials does not provide me with a nice little window handle which I can fiddle with. After a while and a bit of research, I figured out a way to keep the prompt on top as well. With all these new modifications, I used this project in my recent engagement. Turns out I had 99% success: people were not able to ignore it, and they’d put in their credentials to make that pop-up go away.
You can download the project from GitHub: https://github.com/shantanu561993/SharpLoginPrompt