Obtaining User Credentials with PowerShell

BY JAKO
01/18/2016 11:27 PM
In this article I will show you how to obtain a victim's credentials without cracking any hashes. There are a couple of ways to perform this task (for example dumping the SAM file and cracking the NTLM hashes), but here I will explain how to do it using PowerShell and a bit of social engineering. We are going to create a fake login popup.

I will be using Kali version 1 as the attacker machine and Windows 8.1 Professional as the victim machine. All of the steps below require an open meterpreter session on the victim; I will skip that process because there are a lot of tutorials for it on Null-Byte.

Step 1: Get the Language of the System

In this step we are going to get the language of the system in order to craft a specific message that will appear on the fake login popup (for example "Failed authentication"). To do that we can use the meterpreter command sysinfo:

Once we have the language we have to translate a simple phrase with a translator like Google. In my case the victim system language is Spanish, but I will put the message in English (assuming that the system language is English) because this is an English-speaking site.

Step 2: Fake Login Popup

Open any text editor (here I'm using leafpad) and put in the following lines (replace "Failed authentication" with the message from step 1):

Save the file as "evil" (or whatever you want) inside "/root/". The behaviour is very simple: it launches a username/password form, and when the user fills it in and hits Enter, the credentials are printed to our screen. To execute this code we will run it encoded, since PowerShell can run commands supplied as Base64 (it expects the Base64 to wrap UTF-16LE text, which is why the iconv step is needed). Let's encode the payload; open a terminal and type:

cat evil | iconv -t UTF-16LE | base64 -w0

- cat evil | displays the file "evil" and pipes the output to the next command.
- iconv -t UTF-16LE | converts the text from the previous command to UTF-16LE and pipes the output to the next command.
- base64 -w0 encodes the text from the previous command as Base64 on a single line and prints the result.

Copy the encoded text to the clipboard. Go to your meterpreter session and open a shell, then type:

powershell -enc <paste from your clipboard>


Before executing the command we can use the meterpreter command idletime to check whether the user is paying attention to the screen at that moment.
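From the defender's side, the same encoding that hides the script from a casual look at the command line is also what a detection has to undo. The following is an added example (not from the original post) that decodes the -enc argument of PowerShell process-creation command lines and flags decoded scripts that prompt for credentials; the sample events are constructed, and the indicator list and field layout are assumptions rather than any real log format.

```python
import base64
import re
from typing import Optional

# Strings a defender looks for in a decoded script: the technique above works by
# prompting the user for a password, so credential-prompt cmdlets are the tell.
CREDENTIAL_PROMPT_INDICATORS = ("get-credential", "promptforcredential", "securestring")

# Matches any abbreviation of -EncodedCommand (-e, -ec, -enc, ...) followed by Base64.
ENC_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind powershell -enc, or None if there is none.
    PowerShell expects Base64 over a UTF-16LE string, exactly what the
    `iconv -t UTF-16LE | base64 -w0` pipeline in the article produces."""
    for m in ENC_FLAG.finditer(cmdline):
        if not "encodedcommand".startswith(m.group(1).lower()):
            continue  # e.g. -ExecutionPolicy, not an encoded-command switch
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # flag present but payload is not valid Base64/UTF-16LE
    return None


def classify(cmdline: str) -> dict:
    """Flag a process-creation command line whose payload prompts for credentials."""
    decoded = decode_encoded_command(cmdline)
    hits = [] if decoded is None else [k for k in CREDENTIAL_PROMPT_INDICATORS if k in decoded.lower()]
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "suspicious": bool(hits)}


def _b64_utf16le(script: str) -> str:
    # Same transformation as the iconv/base64 pipeline; used only to build samples.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (hypothetical events, not real logs).
SAMPLE_EVENTS = [
    "powershell.exe -ExecutionPolicy Bypass -enc " + _b64_utf16le("Get-Date"),
    "powershell.exe -e " + _b64_utf16le("Get-Credential -Message 'Failed authentication'"),
    "powershell.exe -Command Get-Process",
]


def scan(events=SAMPLE_EVENTS) -> list:
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, scan()):
        print("SUSPICIOUS" if result["suspicious"] else "ok", result["indicators"], event[:60])
```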

At the moment we hit Enter, the victim's screen will look like this:

When the victim fills in the form, the credentials are sent to our screen as shown above. That's all: we have the victim's username and password!

What can we do with this information? If the user has admin rights we can elevate privileges manually (I will probably cover that in another tutorial). Most people reuse the same passwords every time they open an account, which means you could probably gain access to their mail, Facebook, Twitter, etc.

I hope you have enjoyed this! Feel free to ask any questions, and thanks for reading!
