| 1 | +# 🔐 GetWindowsCredentials |
| 2 | + |
| 3 | +A Windows credential harvesting tool that leverages the legitimate Windows API to prompt users for their credentials. |
| 4 | + |
| 5 | +[](https://www.microsoft.com/windows) |
| 6 | +[](https://isocpp.org/) |
| 7 | +[](LICENSE) |
| 8 | + |
| 9 | +## Overview |
| 10 | + |
| 11 | +GetWindowsCredentials uses the Windows API function [CredUIPromptForWindowsCredentialsW](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforwindowscredentialsw) to display a native Windows credential dialog box. When users enter their credentials, the tool validates them against the system and saves successful login attempts to a file. |
| 12 | + |
| 13 | + |
| 14 | + |
| 15 | +## Features |
| 16 | + |
| 17 | +- **Native Windows Dialog** - Uses legitimate Windows credential UI |
| 18 | +- **Credential Validation** - Verifies credentials against the domain/local system |
| 19 | +- **Persistent Prompting** - Continues to prompt until valid credentials are entered |
| 20 | +- **Domain Support** - Handles both domain and local accounts |
| 21 | +- **Silent Logging** - Saves credentials to a log file without user notification |
| 22 | + |
| 23 | +## How It Works |
| 24 | + |
| 25 | +1. Displays a Windows credential prompt using `CredUIPromptForWindowsCredentialsW` |
| 26 | +2. Captures username, password, and domain information |
| 27 | +3. Validates credentials using `LogonUserW` API |
| 28 | +4. If validation fails, prompts again until successful |
| 29 | +5. Saves valid credentials to `C:\Windows\Temp\creds.log` |
| 30 | + |
| 31 | +## Technical Details |
| 32 | + |
| 33 | +### APIs Used |
| 34 | + |
| 35 | +- `CredUIPromptForWindowsCredentialsW` - Display credential dialog |
| 36 | +- `CredUnPackAuthenticationBufferW` - Extract credentials from buffer |
| 37 | +- `CredUIParseUserNameW` - Parse username and domain |
| 38 | +- `LogonUserW` - Validate credentials against the system |
| 39 | + |
| 40 | +### Output Format |
| 41 | + |
| 42 | +Credentials are saved in the following format: |
| 43 | +``` |
| 44 | +[+]Username: DOMAIN\username , Password: password123 |
| 45 | +``` |
| 46 | + |
| 47 | +## Building |
| 48 | + |
| 49 | +### Prerequisites |
| 50 | + |
| 51 | +- Visual Studio 2015 or later |
| 52 | +- Windows SDK |
| 53 | +- C++ compiler with Windows API support |
| 54 | + |
| 55 | +### Compilation |
| 56 | + |
| 57 | +**Using Visual Studio:** |
| 58 | +1. Open Developer Command Prompt |
| 59 | +2. Navigate to the source directory |
| 60 | +3. Run the following command: |
| 61 | + |
| 62 | +```cmd |
| 63 | +cl /EHsc GetWindowsCredentials.cpp /link Credui.lib |
| 64 | +``` |
| 65 | + |
| 66 | +**Using MinGW:** |
| 67 | +```bash |
| 68 | +g++ GetWindowsCredentials.cpp -o GetWindowsCredentials.exe -lCredui -mwindows |
| 69 | +``` |
| 70 | + |
| 71 | +## Usage |
| 72 | + |
| 73 | +### Basic Execution |
| 74 | + |
| 75 | +```cmd |
| 76 | +GetWindowsCredentials.exe |
| 77 | +``` |
| 78 | + |
| 79 | +The program will: |
| 80 | +1. Display a Windows credential dialog |
| 81 | +2. Wait for the user to enter credentials |
| 82 | +3. Validate the credentials |
| 83 | +4. Save successful logins to `C:\Windows\Temp\creds.log` |
| 84 | +5. Repeat if validation fails |
| 85 | + |
| 86 | +### Customization |
| 87 | + |
| 88 | +You can modify the following constants in the source code: |
| 89 | + |
| 90 | +```cpp |
| 91 | +// Dialog text |
| 92 | +WCHAR baseCaption[] = L"Enter current user credentials:"; |
| 93 | +WCHAR pszCaptionText[] = L"Your screen has been locked for security"; |
| 94 | + |
| 95 | +// Output file location |
| 96 | +WCHAR saveAs[] = L"C:\\Windows\\Temp\\creds.log"; |
| 97 | +``` |
| 98 | + |
| 99 | +## Code Structure |
| 100 | + |
| 101 | +### Main Components |
| 102 | + |
| 103 | +**WriteCred Function** |
| 104 | +- Writes captured credentials to a log file |
| 105 | +- Formats output with username and password |
| 106 | + |
| 107 | +**WinMain Function** |
| 108 | +- Main entry point |
| 109 | +- Displays credential prompt |
| 110 | +- Validates credentials |
| 111 | +- Loops until valid credentials are provided |
| 112 | + |
| 113 | +### Key Variables |
| 114 | + |
| 115 | +- `username` - Captured username (max 514 characters) |
| 116 | +- `password` - Captured password (max 256 characters) |
| 117 | +- `domain` - Captured domain (max 337 characters) |
| 118 | +- `bLoginStatus` - Validation result flag |
| 119 | + |
| 120 | +### Why Credentials Are Validated |
| 121 | + |
| 122 | +The tool validates credentials using `LogonUserW` to: |
| 123 | +- Ensure captured credentials are legitimate |
| 124 | +- Avoid logging incorrect passwords |
| 125 | +- Simulate real-world attack scenarios |
| 126 | +- Demonstrate the full credential harvesting process |
| 127 | + |
| 128 | +### Loop Behavior |
| 129 | + |
| 130 | +The program uses a `goto` statement to create a loop that continues prompting until valid credentials are provided. This simulates a locked screen scenario where the user must authenticate to proceed. |
| 131 | + |
| 132 | +## References |
| 133 | + |
| 134 | +- [CredUIPromptForWindowsCredentialsW API](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforwindowscredentialsw) |
| 135 | +- [CredUnPackAuthenticationBufferW API](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credunpackauthenticationbufferw) |
| 136 | +- [LogonUserW API](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw) |
| 137 | + |
| 138 | + |
| 139 | +## License |
| 140 | + |
| 141 | +This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. |
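Review bot: the README describes a tool that persists plaintext passwords to a fixed, predictable path (`+5. Saves valid credentials to `C:\Windows\Temp\creds.log``, line 29 of the file) but documents neither the handling of that file nor the tool's footprint, which is the information a defender or an authorized tester needs most; the "Why Credentials Are Validated" section (lines 120-126) and the "Features" list should state that the log contains unencrypted secrets that must be protected and removed under engagement rules, and that each `LogonUserW` validation attempt is recorded in the Windows Security event log as a logon event (4624 on success, 4625 on failure) when logon auditing is enabled, so repeated prompting as described under "Persistent Prompting" produces a detectable audit trail. Separately, the three badge lines (lines 5-7) have lost their image markup and render as empty links (`[](https://www.microsoft.com/windows)`); restore the `![alt](image-url)` inside each link or drop them.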