• Stars
    star
    133
  • Rank 272,600 (Top 6 %)
  • Language
    C
  • License
    MIT License
  • Created over 6 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DLL Password Filter Implant with Exfiltration Capabilities

DLLPasswordFilterImplant

DLLPasswordFilterImplant is a custom password filter DLL that allows the capture of a user's credentials. Each password change event on a domain will trigger the registered DLL in order to exfiltrate the username and new password value prior successfully changing it in the Active Directory (AD).

For more information about password filters consult the Microsoft documentation.

Installing

  1. To install the password filter on a system:
  • Create the DLL for the targeted architecture. Compile in 32-bit for a 32-bit system and in 64-bit for a 64-bit system.

  • Copy the DLL to the Windows installation directory. (Default folder: \Windows\System32)

  • Register the password filter by updating the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    

    If the Notification Packages subkey exists, add the name of the DLL ("DLLPasswordFilterImplant" if you didn't rename it) to the existing value data. Do not overwrite the existing values. If the subkey does not exist, create it and add the name of the DLL ("DLLPasswordFilterImplant" if you didn't rename it) to the value data. NOTE: Do not include the .dll extension when adding the name of the DLL in the Notification Packages subkey.

  • Configure the public key to use for encrypting credentials.

    KEY=key.pem
    # Generate an RSA key and dump its public key. Keep the private key around for decryption
    openssl genrsa -out $KEY 2048
    
    # Prepare the Windows registry key entry.
    echo 'Windows Registry Editor Version 5.00' > addKey.reg
    echo >> addKey.reg
    echo '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]' >> addKey.reg
    # If python2 does not exist, use `python` instead.
    echo "Key=hex:$(openssl rsa -in $KEY -pubout | sed -E '/^\-/d' | base64 -d | python2 -c 'import sys; print(",".join(["{:02x}".format(ord(b)) for b in sys.stdin.read()]))')" >> addKey.reg
    

    You can then run addKey.reg file to append the raw public key to the registry. Note that using asymmetric encryption significantly increases the size of the data to exfiltrate due to message padding. There are possible improvements to be made to reduce the data overhead.

  • Restart the system Source

  1. To register the key and the domain for DNS exfiltration:
  • Go to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    
  • Create a string type subkey named "Domain". Specify your domain in the value of that subkey. Your domain must start with a "." . (Example value: ".yourdomain.com")

Decrypting

The encrypted data is padded using OAEP and can be decrypted as follows:

# Convert the stitched hex string to raw bytes.
xxd -r -p exfiltrated.hex > raw.bin

# Decrypt using the private key.
openssl rsautl -decrypt -oaep -inkey $KEY -in raw.bin -out decrypted.txt

Uninstalling

To completely remove the password filter of a system:

  • Unregister the password filter by updating the following registry key:

    HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\Lsa
    

    In the Notification Packages subkey remove the name of the DLL of the existing value data. Do not remove other existing values.

  • Restart the system

  • In the Windows installation directory (Default folder: \Windows\System32), find the password filter DLL ("DLLPasswordFilterImplant.DLL" if you didn't rename it) and delete the file.

DNS Exfiltration Server

A simple DNS server to receive the exfiltrated data is provided in scripts/. Run pip install -r scripts/requirement.txt, preferably in a virtual environment. and then provide it with a .PEM encoded private key and optional output file (defaults to creds.txt) where to output the credentials.

Currently, the DNS server does not support concurrent password changes and serves only as a proof of concept. Pull requests adding robustness to the server are more than welcome.

Caveats

  • Deleting the implant requires to first disable it and then restart Windows.

Compatibility

Works on:

  • Windows 7 Hosts (x64)
  • Windows 10 Hosts (x64)
  • Windows Server 2008 DCs (x64)
  • Windows Server 2012 DCs (x64)
  • Windows Server 2016 DCs (x64)

The password filter was tested exclusively on systems listed above.

Debug

Here are some tool that may help you debug the DLL (if necessary):

More Repositories

1

pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
Python
1,483
star
2

malboxes

Builds malware analysis Windows VMs so that you don't have to.
Python
1,028
star
3

dtd-finder

List DTDs and generate XXE payloads using those local DTDs.
Kotlin
601
star
4

WSuspicious

WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
C#
338
star
5

php7-opcache-override

Security-related PHP7 OPcache abuse tools and demo
Python
306
star
6

pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
Python
286
star
7

csp-auditor

Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
Java
135
star
8

template-injection-workshop

Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.
CSS
118
star
9

xxe-workshop

Workshop given at Hack in Paris 2019
JavaScript
118
star
10

ldap-scanner

Checks for signature requirements over LDAP
Python
92
star
11

frida-xamarin-unpin

A Frida script to bypass Xamarin certificate pinning implementations
C#
65
star
12

advanced-binary-analysis

Materials for the Binary Analysis Workshop presented at NorthSec 2020
HTML
63
star
13

break-fast-serial

A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
Python
54
star
14

security-cheat-sheet

Minimalist cheat sheet for developpers to write secure code
HTML
54
star
15

xfsc

eXtensions for Financial Services (XFS) proof of concept client to explore and issue commands directly to the devices that support the protocol. Force ATMs to dispense cash if you have code execution on them.
C
53
star
16

gophish-cli

Gophish Python cli to perform huge phishing campaigns
Python
40
star
17

linkedin-osint

A simple proof of concept that demonstrate how emails can easily be tie to LinkedIn profile
Python
36
star
18

presentations

Material from presentations done by GoSecure researchers
HTML
32
star
19

burp-ntlm-challenge-decoder

Burp extension to decode NTLM SSP headers and extract domain/host information
Kotlin
32
star
20

request-smuggling-workshop

Python
22
star
21

Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
Python
21
star
22

unicode-pentester-cheatsheet

An easy to navigate list of unicode characters that have risky transformations ๐Ÿ’ฅ
HTML
20
star
23

zap-autodecode-view

ZAP plugin demonstrating custom view for WebSocket messages.
Kotlin
13
star
24

goinsecure-deserialization

Accompanying material needed for the workshop
Java
11
star
25

LansweeperPasswordRecovery

Lansweeper Password Recovery Tool
C#
11
star
26

malware-ioc

Indicators of Compromise (IOCs) for malware we have researched
YARA
10
star
27

44con-code-review-workshop

References, tools and sample payloads
10
star
28

hackfest-deserialization-workshop

8
star
29

jenkins-fsb

Jenkins instance with preconfigured jobs to analyze Java binaries using Find Security Bugs.
Shell
6
star
30

orange-code-widget

๐ŸŠ Widget for Orange to visualize code sample
Python
6
star
31

request-smuggling-nsec-demo

PHP
5
star
32

burp-fuzzy-encoding-generator

Quickly test various encoding for a given value in Burp Intruder
Kotlin
5
star
33

malware_investigation_template

Because .idb files should be version controlled.
Shell
4
star
34

fq-pyrdp

fq format for parsing PyRDP replays
Go
4
star
35

owasp-workshop-zap

Atelier pratique sur le dรฉveloppement d'extension ZAP / Workshop on ZAP extension development
HTML
4
star
36

caplets

Fork of caplets with RDP proxy caplet
JavaScript
3
star
37

confoo-xss-bypass-demos

Demonstration for the presentation Modern XSS
3
star
38

java-hostname-verification-poc

Java
2
star
39

missing-security-controls

HTML
1
star
40

notebooks

Cybersecurity Research Jupyter Notebooks for the Community
Jupyter Notebook
1
star
41

gosecure.github.io

HTML
1
star