search

cobbr / Covenant

Covenant is a collaborative .NET C2 framework for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0
4.09k stars 756 forks source link

[Bug] Captured Credentials Containing Colon (':') Incorrectly Stored in Data->Credentials #91

Closed Reboare closed 4 years ago

Reboare commented 4 years ago

Bug

Describe the feature request or bug The results of the command "Mimikatz privilege::debug sekurlsa::logonpasswords" will display stored credentials, which are then stored within the data field. If the password contains a colon character ':', only characters preceding this will be stored within Data->Credentials.

To Reproduce Steps to reproduce the behavior:

  1. Create an account with a password containing a colon character on the target machine
  2. On a grunt, run the command Mimikatz privilege::debug sekurlsa::logonpasswords
  3. Click on 'Data'
  4. Click on 'Credentials'
  5. See that the credentials have been captured with an incorrect password stored

Expected behavior The full password should be stored within Covenant Server Information:

Browser Information:

Target Information (System that implant is running on):

Other Information: The offending code appears to be in line 128 @ https://github.com/cobbr/Covenant/blob/dev/Covenant/Models/Covenant/CapturedCredential.cs

                                {
                                    password = line.Split(":")[1].Trim();
                                }
cobbr commented 4 years ago

Great catch @Reboare ! And special thanks for hunting down the cause 🙂

Fixed in 175df59aa7fbd93de2fd4dec13838cf6f5becf50