In 2016, I gave a talk at DEF CON 24 entitled “Fiddler on the Roof,” a crash course in Fiddler, an active proxy for Windows. In it, I focused on three different sorts of folks who would use Fiddler:

  • Software developers, who have to ask “what is my application doing?”
  • System administrators/“Blue Teamers” who want to audit and define what an application does in normal (or non-normal) operation
  • Reverse engineers/“Red Teamers” who want to attack software or websites in a predictable fashion

As a part of my talk, I wanted to explain how to extend Fiddler and create stream processors to intercept incoming information. Thus, the Cred Stealer was built. It’s dumb, but it works incredibly effectively as an example of how to get information out of Authentication headers and POST data.