Credential Stealers and GINA Interception


Questions and Answers

Which of the following is NOT one of the primary techniques attackers use to deploy malware for stealing credentials?

  • Waiting for users to log in and capturing their credentials.
  • Dumping stored Windows credentials.
  • Logging keystrokes to capture passwords as users type.
  • Exploiting vulnerabilities in web browsers. (correct)

In the context of GINA interception, what is the primary role of a malicious DLL such as fsgina.dll?

  • To encrypt user credentials before they reach `msgina.dll`.
  • To bypass the authentication process entirely and grant unauthorized access.
  • To replace `winlogon.exe` and directly handle user authentication.
  • To act as an intermediary between `winlogon.exe` and `msgina.dll` to capture user credentials. (correct)

What is the purpose of 'hash dumping' in the context of credential theft?

  • To encrypt password databases, rendering them unreadable to attackers.
  • To extract password hashes, which can then be cracked or used in 'pass-the-hash' attacks. (correct)
  • To bypass password authentication by creating fake user profiles.
  • To directly obtain plaintext passwords from user accounts.

Which of the following best describes the function of the Windows API function SetWindowsHookEx in the context of keylogging?

Answer: It notifies malware each time a key is pressed, enabling keystroke capture. (A)

In the context of credential stealing, what is the primary difference between 'hooking' and 'polling' as keylogging techniques?

Answer: Hooking uses the `SetWindowsHookEx` function to passively receive keystroke notifications, while polling actively queries the state of the keys. (D)

Why are kernel-based keyloggers considered more advanced and difficult to detect compared to user-space keyloggers?

Answer: They operate at a higher privilege level, acting as keyboard drivers and bypassing user-space protections. (A)

What is the significance of the registry location HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL in the context of GINA interception attacks?

Answer: It specifies the DLL that `winlogon.exe` loads during the login process, allowing attackers to insert a malicious DLL. (B)

In the context of 'Pass-the-Hash' (PTH) attacks, what is the primary objective of an attacker?

Answer: To use the password hash directly to authenticate to a system or service, without needing the plaintext password. (B)

Which of the following best describes the function of lsass.exe in the context of hash dumping?

Answer: It is the Local Security Authority Subsystem Service, which manages security policies and stores password hashes. (D)

Which of the following best describes the role of the Security Account Manager (SAM) in the context of Windows security?

Answer: It stores user accounts and their password hashes. (B)

What is the primary function of tools like Pwdump and Pass-the-Hash (PSH) Toolkit in the context of credential theft?

Answer: To extract password hashes from the Security Account Manager (SAM). (D)

What is the purpose of analyzing DLLs when dealing with Pwdump variants?

Answer: To determine how the hash dumping operates and which DLLs are involved. (B)

How does the whosthere-alt variant of the Pass-the-Hash (PSH) Toolkit differ from standard methods of dumping the SAM?

Answer: It injects a DLL into `lsass.exe` using a completely different set of API functions. (B)

What information does the LsaEnumerateLogonSessions function provide in the context of the TestDump function?

Answer: A list of locally unique identifiers (LUIDs), usernames, and domains for each logon session. (B)

What is the primary purpose of the GetAsyncKeyState function in polling keyloggers?

Answer: To check if a specific key has been recently pressed. (A)

Why is it important for a polling keylogger to continuously call the GetForegroundWindow function?

Answer: To accurately determine which application has focus and log keystrokes accordingly. (B)

Which of the following Windows API functions is most commonly associated with 'hooking' keyloggers?

Answer: SetWindowsHookEx (C)

What is the purpose of malware logging the Shift and Caps Lock key states in a keylogger?

Answer: To accurately record the case of the typed characters. (D)

In the context of credential theft, GINA interception primarily targets which operating system?

Answer: Windows XP (B)

In GINA interception, where are the stolen credentials typically logged to or sent over?

Answer: A file (e.g., `%SystemRoot%\system32\drivers\tcpudp.sys`) or over the network. (D)

Flashcards

Credential Stealers

Attackers deploy malware to steal credentials using three primary techniques: waiting for users to log in and capturing their credentials, dumping stored Windows credentials, and logging keystrokes to capture passwords as users type.

GINA Interception

GINA (Graphical Identification and Authentication) Interception is an old but effective attack method in Windows XP, where malware authors exploited functionality meant for third-party authentication.

GINA DLL placement

Attackers place a malicious DLL (e.g., fsgina.dll) between winlogon.exe and msgina.dll, creating a man-in-the-middle attack.

Hash Dumping

Instead of stealing plaintext passwords, attackers dump hashed passwords and either crack them offline or use them in a Pass-the-Hash (PTH) attack.


Pwdump and Pass-the-Hash (PSH) Toolkit

Commonly used tools for hash dumping by injecting a malicious DLL into lsass.exe.


Keylogging

A classic form of credential stealing in which malware records keystrokes so that an attacker can observe typed data such as usernames and passwords.

Kernel-Based Keyloggers

Operate at the kernel level, act as keyboard drivers, and bypass user-space protections.


User-Space Keyloggers

Use Windows API functions to log keystrokes, using hooking or polling.


Hooking (Keyloggers)

Uses the Windows API to notify the malware each time a key is pressed, typically with the SetWindowsHookEx function.


Polling (Keyloggers)

Uses the Windows API to constantly poll the state of the keys, typically using the GetAsyncKeyState and GetForegroundWindow functions.


Study Notes

Credential Stealers Overview

  • Attackers use malware to steal credentials
  • Credentials can be captured during user login
  • Stored Windows credentials, like password hashes, can be pilfered
  • Keystrokes can be logged to capture passwords as they are typed

GINA Interception (Windows XP)

  • GINA Interception is an older yet effective attack method
  • It was originally designed for third-party authentication in Windows XP
  • Malware authors have exploited this functionality for nefarious purposes
  • GINA is implemented in msgina.dll
  • msgina.dll is loaded during login by winlogon.exe
  • Attackers insert a malicious DLL (e.g., fsgina.dll) between winlogon.exe and msgina.dll
  • This creates a man-in-the-middle attack
  • The malicious DLL intercepts user credentials before they reach msgina.dll
  • This allows the login process to proceed normally
  • Windows offers a registry location where third-party DLLs can be found and loaded
  • The registry location is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
  • Stolen credentials can be logged to a file (%SystemRoot%\system32\drivers\tcpudp.sys) or sent over the network
  • fsgina.dll has the ability to capture all user credentials submitted for authentication, log them to disk, or transmit them across a network

Hash Dumping

  • Hash dumping is a method for extracting credentials
  • Attackers dump hashed passwords rather than stealing plaintext passwords
  • The dumped passwords can be cracked offline
  • Hashed passwords can be used in a Pass-the-Hash (PTH) attack
  • Pwdump and Pass-the-Hash (PSH) Toolkit are tools for hash dumping
  • The tools inject a malicious DLL into lsass.exe (Local Security Authority Subsystem Service)
  • Once inside lsass.exe, the malware uses undocumented Windows functions
  • The functions are used to extract password hashes from the Security Account Manager (SAM)
  • Hashes are stored in LM (LAN Manager) and NTLM (New Technology LAN Manager) formats

Pwdump Variant Analysis

  • Pwdump programs output the LM and NTLM password hashes of local user accounts
  • The hashes are retrieved from the Security Account Manager (SAM)
  • The standard pwdump utility uses the DLL lsaext.dll
  • Once running, the Pwdump DLL executes inside lsass.exe
  • Pwdump uses the GetHash function inside a malicious DLL to extract the hashes
  • This extraction uses undocumented Windows function calls
  • The Windows function calls allow password hashes to be retrieved in an unencrypted form
  • When analyzing pwdump variants, the injected DLLs must be analyzed to determine how the hash dumping operates
  • LoadLibraryA is used to load system DLLs (samsrv.dll, advapi32.dll)
  • GetProcAddress is used to find and call key functions
    • SamIConnect connects to the Security Account Manager (SAM)
    • SamrQueryInformationUser retrieves user information
    • SamIGetPrivateData extracts private data (password hashes)

Pass-the-Hash (PSH) Toolkit: whosthere-alt Variant Analysis

  • The PSH Toolkit contains programs that dump hashes
  • whosthere-alt is the most popular
  • whosthere-alt dumps the SAM by injecting a DLL into lsass.exe
  • It uses a different set of API functions for injection
  • The TestDump function actually performs the hash dumping
  • Instead of samsrv.dll, this variant loads secur32.dll
  • LsaEnumerateLogonSessions is used to get a list of active logon sessions
  • The function provides a list of locally unique identifiers (LUIDs) with user names and domain data
  • This list is iterated by the DLL to enumerate distinct accounts

Keystroke Logging

  • Keylogging is a method of credential stealing
  • Malware records keystrokes to observe data such as usernames and passwords
  • Windows malware uses many forms of keylogging
  • Keyloggers operate in two main ways

Kernel-Based Keyloggers (Advanced)

  • Operate at the kernel level
  • Often installed as part of rootkits
  • Act as keyboard drivers
  • Are difficult to detect
  • Can bypass user-space protections like antivirus software

User-Space Keyloggers (More Common)

  • Use Windows API functions to log keystrokes
  • Two main techniques employed:
    • Hooking uses the Windows API to notify the malware each time a key is pressed via SetWindowsHookEx
    • Polling uses the Windows API to constantly poll the state of the keys via GetAsyncKeyState and GetForegroundWindow functions

Hooking (SetWindowsHookEx)

  • Hooking keyloggers leverage the Windows API function SetWindowsHookEx
  • This type of keylogger may come packaged as an executable
  • It may also include a DLL file to handle logging, which can be mapped into many processes automatically

Polling (GetAsyncKeyState & GetForegroundWindow)

  • GetAsyncKeyState checks if a key was recently pressed
  • GetForegroundWindow identifies which application has focus (e.g., Notepad, Browser)
  • The polling code uses a loop to continuously check for key presses
  • It calls GetForegroundWindow to log the active window
  • It iterates through all keyboard keys
  • It calls GetAsyncKeyState to check whether each key was pressed
  • It checks the SHIFT and CAPS LOCK state so the case of typed characters is logged accurately
  • On each pass of the loop, GetForegroundWindow is called again to check whether the user is still in the same window

Summary of Credential Stealing Techniques

  • GINA Interception
    • Malware inserts a malicious DLL (fsgina.dll) between winlogon.exe and msgina.dll to steal credentials at login
  • Hash Dumping
    • Malware extracts hashed passwords from Windows SAM using DLL injection into lsass.exe
  • Keystroke Logging
    • Malware records keystrokes using hooking (SetWindowsHookEx) or polling (GetAsyncKeyState)
