Exfiltrate Password – Prompting for credentials is an effective way to elevate permissions and move laterally. It is not uncommon for password prompts for Outlook, VPN, and various other authentication protocols to appear randomly in a Windows environment. The attacker will use built-in Windows and PowerShell functions to pop up a credential pop-up window to retrieve the user’s password.
What is Credphish?
CredPhish is a PowerShell script for obtaining credentials and filtering passwords. It uses CredentialPicker API to collect user passwords, PowerShell ResolveDnsName for DNS penetration, and Windows Defender ConfigSecurityPolicy.exe to perform any GET requests.
By default, CredPhish uses ResolveDnsName (PowerShell’s built-in DNS resolver) to filter credentials. It converts each character in the voucher to its corresponding hexadecimal value, breaks the converted value into predefined blocks, and places them in the subdomains of popular websites. The following screenshot shows an example of the credentials extracted in hexadecimal form. Look at the hexadecimal value “Tokyo Neon” (746f6b796f6e656f6e) in the subdomains of google.com and office.com.
How To Download Credphish Exfiltrate Passwords Tool
First, we need to download the Github Creadphish Exfiltrate Passwords tool so type the below command
Now change the directory to credphish
Run the python file to exfiltrate passwords over dns