SharpLoginPrompt - Success and a Curious Case

A tale of why SharpLoginPrompt Always Works and a recent curious case

So recently my team was performing a Red Team assessment. It's common in our team to innovate and use each other's tools. This drives appreciation and growth inside the team. I developed SharpLoginPrompt a long time ago, but in this recent case it was not working as expected, and this led to a new update in SharpLoginPrompt.

History of Login Prompts?

In January 2015, Matt Nelson (@enigma0x3) wrote a blog post about using PromptForCredential to display the credential prompt. It worked wonders in the days when PowerShell was being used for offensive purposes. Once Microsoft added lots of logging capabilities, we saw a sharp rise in the use of C#, and Matt Hand (@matterpreter) wrote CredPhisher and pushed it into his OffensiveCSharp tool list.

So Why SharpLoginPrompt?

Both Invoke-LoginPrompt from @enigma0x3 and CredPhisher have one basic problem: whenever we try to phish someone with login prompts, the first instinct of the victim user is to hide the prompt or put it in the background while they continue their work until the end of the day. Now, while this is a very good feature, as Red Teamers we don't have all day to wait for the victim to put in their credentials. So the only way out was to make the prompt persist on the screen until the user fills in the right credentials.

Introducing SharpLoginPrompt

SharpLoginPrompt is code adapted from both CredPhisher and Invoke-LoginPrompt, but with a twist. The twist is that the prompt never dies or goes behind any application until the correct credentials are provided. Following is a GIF for the demonstration.

This allowed us to gather the credentials from the user as quickly as we want without waiting all day.

You can download the binary from here, or you can compile it yourself using the source code.

Next Steps in Credential Phishing

My organization has a lot of talented and distinguished people from the industry, and one of them is Arris. Arris has already taken this forward one more step in his fakelogonscreen project.

Credits

As always, my coworkers and my family. Special thanks to Jonathan Cheung and Vincent Yiu.
