ThievingFox: Post-Exploitation Toolkit for Credential Extraction

ThievingFox is a powerful collection of post-exploitation tools designed to extract credentials from various password managers and Windows utilities.

It employs advanced techniques such as process injection and internal function hooking to achieve its objectives. Below is a detailed guide on its installation, supported targets, usage, and modules.

Installation

Linux

1. Install Rustup: Follow the instructions at rustup.rs.

2. Install mingw-w64:

apt install mingw-w64

3. Add Rust Windows targets:

rustup target add x86_64-pc-windows-gnu

rustup target add i686-pc-windows-gnu

4. Install Mono and NuGet: Follow the instructions at Mono Project.

apt install nuget

5. Install Python dependencies:

pip install -r client/requirements.txt

Note: ThievingFox requires Python version 3.11 or later.

Windows

1. Install Rustup: Follow the instructions at rustup.rs.

2. Add Rust Windows targets:

rustup target add x86_64-pc-windows-msvc

rustup target add i686-pc-windows-msvc

3. Install the .NET development environment:

    • Open Visual Studio.

    • Navigate to Tools > Get Tools And Features.

    • Install .NET desktop development.

4. Install Python dependencies:

pip install -r client/requirements.txt

5. KeePass module requirement:

    • Ensure msbuild is available in the PATH by running the client from a Visual Studio Developer PowerShell (Tools > Command Line > Developer PowerShell).

Supported Targets

ThievingFox has been tested on the following Windows versions:

  • Windows Server 2022, 2019, 2016, 2012R2

  • Windows 10

  • Windows 11

Note: Modules may not function correctly on unsupported versions.

Injection Methods by Application

Application      Injection Method
KeePass.exe      AppDomainManager Injection
KeePassXC.exe    DLL Proxying
LogonUI.exe      COM Hijacking
consent.exe      COM Hijacking
mstsc.exe        COM Hijacking
RDCMan.exe       COM Hijacking
MobaXTerm.exe    COM Hijacking
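A defender-side check for the KeePass row above, added here as an example and not part of ThievingFox: the .NET runtime honours appDomainManagerAssembly and appDomainManagerType declared in an application's .exe.config before the application's own Main() runs, so a KeePass.exe.config that declares them is worth investigating. The two config strings are constructed samples, and the assembly and type names in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a KeePass.exe.config carrying AppDomainManager
# redirection (assembly and type names are placeholders, not real values).
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0" />
    <appDomainManagerType value="PLACEHOLDER_TYPE" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="." />
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed sample: a benign config with no runtime redirection.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>"""

INDICATOR_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"


def find_appdomainmanager_indicators(config_xml: str) -> dict:
    """Return the AppDomainManager settings declared in an .exe.config.

    A stock KeePass.exe.config declares neither indicator tag. Any
    <probing privatePath> is reported as well, because it widens the
    directories the runtime searches for the named assembly.
    """
    findings = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for tag in INDICATOR_TAGS:
        elem = runtime.find(tag)
        if elem is not None:
            findings[tag] = elem.get("value")
    # assemblyBinding children live in the asm.v1 namespace.
    for probing in runtime.iter(ASM_NS + "probing"):
        findings["probingPrivatePath"] = probing.get("privatePath")
    return findings


def is_suspicious(config_xml: str) -> bool:
    """True when the config redirects the AppDomainManager."""
    findings = find_appdomainmanager_indicators(config_xml)
    return any(tag in findings for tag in INDICATOR_TAGS)
```

Run it against the .exe.config next to each KeePass.exe on a host; a hit should be compared with the vendor-shipped file before deciding whether the cleanup module or a manual restore is needed.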

Usage

Overview of Modules

ThievingFox includes three main modules: poison, cleanup, and collect. Each module serves a specific purpose in the exploitation lifecycle.

1. Poison Module

The poison module injects malicious libraries into target applications to enable credential extraction.

Key Options:

  • Target specific applications (e.g., KeePass, KeePassXC, mstsc).

  • Use --all to target all supported applications.

  • For KeePass and KeePassXC, specify custom installation paths with options like --keepass-path or --keepassxc-path.

Example Usage:

python3 client/ThievingFox.py poison --all target_machine_or_range

Important Notes:

  • Use the --tempdir option to specify a temporary directory for DLLs.

  • Clean the cache if you change the temporary directory.

2. Cleanup Module

The cleanup module removes artifacts created during poisoning and reverts registry modifications.

Key Features:

  • Cleans up both HKCU and HKCR hives for applications that support COM hijacking.

  • Does not remove extracted credentials from the remote host.

Example Usage:

python3 client/ThievingFox.py cleanup --all target_machine_or_range

Important Notes:

  • If an application is running during cleanup, injected DLLs may not be deleted but injection will be disabled for future launches.

3. Collect Module

The collect module retrieves extracted credentials from the remote host and decrypts them.

Key Features:

  • Deletes collected files from the remote host after retrieval.

  • Stores decrypted data in client/output/.

Example Usage:

python3 client/ThievingFox.py collect --all target_machine_or_range

Cautions and Limitations

  1. Inline hooking and library injection are inherently unsafe and may cause application crashes or instability.

  2. Always use the cleanup module to ensure no residual artifacts remain after testing.

  3. The tool assumes local administrator privileges and unfiltered SMB access on the target machine.

  4. Modules have only been tested on specified Windows versions; compatibility with other versions is not guaranteed.

By following this guide, you can use ThievingFox effectively for penetration testing or research purposes while minimizing risks to target systems. You can learn more and download ThievingFox on GitHub.
