Intro
This PoC was inspired by RdpThief.
Cisco AnyConnect Secure Mobility Client is used to connect to a VPN and might be configured with RADIUS authentication. If RADIUS authentication is used, users enter their password in this process, which is most probably running in user context. This provides an interesting attack vector if you are interested in the credentials of a user.
The corresponding Windows API calls can be hooked and the password extracted. That was the assumption for the PoC.
“Talk is cheap, show me the code”: proof of concept for this password extraction on my git instance.
How this PoC works
- Run the application and intercept all API calls, searching for the password. In this case it is lstrlenW where the password (“VeryPassword”) appears.
- Intercept the API call with, for example, Detours.
- Execute custom code (in this case everything is dumped into some temporary text file) and resume execution.
- Inject the PoC DLL into the Cisco AnyConnect process.
Everything passed to the Windows API call, including the password (in this case “WOWOPASSWORD”), is dumped into a text file:
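The hooking step is the part a defender can look for: a Detours-style inline hook overwrites the first bytes of the target function (here lstrlenW) with a jump into the injected DLL. The following C is an added example, not part of the original PoC, that classifies a function's entry bytes by the common inline-hook patterns and resolves where an E9 jump redirects to; the sample byte arrays are constructed rather than real kernel32 code, and reading the live bytes out of the AnyConnect process (ReadProcessMemory on Windows) is assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns an inline hook (Detours and similar) leaves at a function's
 * entry; a genuine Windows API prologue does not begin with any of these. */
enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32                                       */
    HOOK_JMP_INDIRECT, /* FF 25 disp32        (jmp [rip+disp32])         */
    HOOK_MOV_RAX_JMP,  /* 48 B8 imm64 ; FF E0 (mov rax,imm64 ; jmp rax)  */
    HOOK_PUSH_RET      /* 68 imm32 ; C3       (push imm32 ; ret)         */
};

/* `code` is a copy of the first `n` bytes at the function's entry point
 * (on Windows, read with ReadProcessMemory or via GetProcAddress in-process). */
enum hook_kind classify_prologue(const uint8_t *code, size_t n)
{
    if (n >= 5 && code[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && code[0] == 0xFF && code[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (n >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return HOOK_MOV_RAX_JMP;
    if (n >= 6 && code[0] == 0x68 && code[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* For an E9 hook, resolve where execution is redirected (rel32 is relative to
 * the end of the 5-byte instruction). A responder then checks whether the
 * target lies inside a loaded module or in anonymous memory, where an
 * injected DLL's trampolines usually live. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *code)
{
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);             /* little-endian rel32 */
    return func_addr + 5 + (uint64_t)(int64_t)rel;  /* wraps for negative rel */
}

/* Stronger check: diff the live bytes against a clean copy of the same function
 * mapped from the DLL on disk. Returns 1 if the prologue has been patched. */
int prologue_differs(const uint8_t *live, const uint8_t *ref, size_t n) { return memcmp(live, ref, n) != 0; }

/* Constructed samples (not real kernel32 bytes): a plausible clean x64 prologue,
 * the same bytes after an E9 patch, and an E9 with a negative rel32. */
const uint8_t sample_clean[12]  = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B};
const uint8_t sample_hooked[12] = {0xE9,0xFB,0x0F,0x00,0x00,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B};
const uint8_t sample_back[5]    = {0xE9,0x00,0xF0,0xFF,0xFF};
```

Run classify_prologue over the exported functions of kernel32 in the VPN client process and alert on anything other than HOOK_NONE, or on a prologue_differs mismatch against the on-disk image.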