Reading Time: 4 minutes

SharpLocker

SharpLocker is a tool that helps hackers steal Windows credentials by popping up a fake Windows lock screen. All of the output is sent to the console which is works well with Cobalt Strike or Metasploit. This is a tool that can be injected into memory to avoid detection.

How to use SharpLocker with Metasploit

Suppose you have a foothold on a Windows machine that you are hacking and you want to attempt snagging the users credentials.

Assuming you have a meterpreter session running you can easily upload the SharpLocker.exe and execute the application.

Note: running the .exe is not the intended way of using SharpLocker. It’s supposed to be injected into memory and never touch disk, but this method does work. This could get detected by heuristic analysis. See the lab below for more details.

At this point a screen should pop up that looks identical to a user logon screen.

(SharpLocker Login Screen)

When the user enters there password it will be put into the meterpreter session for you to use.

Let’s Look at the Source Code

To clone the GitHub repository you can run this command.

SharpLocker’s GitHub Repository

Full Walkthrough & Lab Setup

In this lab, I’m going to do this in a Windows environment using a Docker image of Parrot OS and run a Windows 10 Enterprise victim machine in Hyper-V. I wasn’t able to get this to work in Windows Sandbox (wouldn’t return password) so I decided to use a Hyper-V image.

I’ll also do things slightly differently than in the initial demo.

Attack Machine Firewall

Make sure you have ports 4444 and port 8080 open for traffic.

Windows 10 Enterprise Setup

Trial Windows 10 Enterprise Hyper-V
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

You will need to create a user or change the password of the default user in Windows 10.

For this demo, we will also disable the Anti Virus in the VM. Microsoft Security Essentials is quick to pick up meterpreter payloads. There are ways around this but that’s not what this tutorial is about. Focus!

Default Windows 10 Enterprise password is: “Passw0rd!”

Metasploit Listener in Parrot OS (Docker)

Being that I am a .NET developer, who loves Docker, I want to demonstrate this on Windows using a Docker image of Parrot OS.

Let me explain what some of these docker commands do.
–rm – removes the docker container when it’s exited.
-it – we’ll get an interactive terminal to the container
-v – a bind mount to map in our local parrotos/work folder to the container’s work folder on the root system.
-p 4444:4444 – maps host port 4444 to the containers port 4444.
-p 8080:8080 – maps host port 8080to the containers port 8080.

Start Metasploit Multi Handler to Catch the Shell

Msfvenom Meterpreter Exploit

You’ll need to get your local IP address to your local lan for this demonstration.

For the sake of this demonstration, we’re just going to drop the meterpreter exploit onto the machine and run it so that we can get a hook back to our multi-handler.

I’m going to use the python3 built in webserver to drop the msf.exe. Make sure you are in the work folder.

Stealing Creds with SharpLocker

In order to use SharpLocker with PowerShell, we’re going to need to make the class public. Well, this is the easy way, there are other ways.

Program.cs

Change “static class Program” to “public static class Program”.. and also change “static void Main()” to “public static void Main()”.

Then recompile…

At this point, we should have a Metasploit session started. We’ll assume this is a hypothetical situation where we’ve established a foothold on a machine. Now, we can upload SharpLocker.exe and run it in the memory of PowerShell.

I checked it in the Task Manager by hitting CTRL + ALT + DELETE.

As always! Like, Follow Subscribe!

Facebook Page
YouTube Channel