
Exfiltrate passwords over DNS – CredPhish

Exfiltrate Password – Prompting for credentials is an effective way to elevate permissions and move laterally. It is not uncommon for password prompts for Outlook, VPN, and various other authentication protocols to appear randomly in a Windows environment. The attacker uses built-in Windows and PowerShell functions to display a credential prompt and capture the user’s password.

What is Credphish?

CredPhish is a PowerShell script for invoking credential prompts and exfiltrating passwords. It uses the CredentialPicker API to collect user passwords, PowerShell’s Resolve-DnsName for DNS exfiltration, and Windows Defender’s ConfigSecurityPolicy.exe to perform arbitrary GET requests.

By default, CredPhish uses Resolve-DnsName (PowerShell’s built-in DNS resolver) to exfiltrate credentials. It converts each character of the credential to its corresponding hexadecimal value, breaks the converted value into chunks of a predefined size, and places them in subdomains of popular websites. The following screenshot shows an example of credentials exfiltrated in hexadecimal form. Look at the hexadecimal value of “tokyoneon” (746f6b796f6e656f6e) in the subdomains of google.com and office.com.


Before resolving the DNS query, the DNS server strips the hexadecimal subdomain to avoid generating dozens of error messages. Note that the “Reply” field no longer contains the subdomain and correctly resolves to one of the Google IPs in the Wireshark screenshot below.
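The hex-in-subdomain pattern described above is something a defender can hunt for in resolver logs. The following is an added detection example, not code from the CredPhish project: it flags queries whose leftmost label is a hex string that decodes to printable ASCII and reassembles the chunks per client. The log layout, the three-byte minimum, the leftmost-label position and the way the sample value is split into two chunks are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: a chunk is an even-length, all-hex label of at least 3 bytes.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){3,}$")

# Constructed sample: (client IP, queried name) pairs as a resolver log
# might provide. The chunk split of the page's hex value is made up.
SAMPLE_QUERIES = [
    ("10.0.0.23", "www.google.com"),
    ("10.0.0.23", "746f6b79.google.com"),
    ("10.0.0.23", "6f6e656f6e.office.com"),
    ("10.0.0.41", "mail.office.com"),
    ("10.0.0.41", "cafe.example.org"),        # hex-looking but too short
    ("10.0.0.41", "a1b2c3d4e5.example.org"),  # hex, but not printable text
]

def decode_hex_label(label):
    """Return the printable-ASCII text a hex label encodes, else None."""
    label = label.lower()
    if not HEX_LABEL.match(label):
        return None
    raw = bytes.fromhex(label)
    # Requiring printable ASCII drops hash-like labels used by CDNs etc.
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def find_hex_exfil(queries):
    """Group suspicious queries per client and join the decoded chunks."""
    hits = defaultdict(list)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:  # no subdomain in front of the registered name
            continue
        text = decode_hex_label(labels[0])
        if text is not None:
            hits[client].append((qname, text))
    return {
        client: {"queries": [q for q, _ in found],
                 "decoded": "".join(t for _, t in found)}
        for client, found in hits.items()
    }

if __name__ == "__main__":
    for client, info in find_hex_exfil(SAMPLE_QUERIES).items():
        print(client, info["queries"], "->", repr(info["decoded"]))
```

Treat a hit as a lead for triage rather than proof: some legitimate services use hex-like labels, so correlate with the querying process and with how many such queries one host sends in a short window.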


How To Download Credphish Exfiltrate Passwords Tool

Step 1:

First, we need to download the CredPhish Exfiltrate Passwords tool from GitHub, so type the below command


Step 2:

Now change the directory to CredPhish

					cd CredPhish

Step 3:

Run the Python file to exfiltrate passwords over DNS

					sudo ./dns_server.py