Getting that first Foothold - Stealing NTLMv2 hashes with ease

Well, it’s already been a month since my last post, and that’s just way too long. Time gets ahead of me these days, especially since I’m interested in so many areas of infosec. Today I want to discuss a tried and true method of securing that first potential foothold on the target network for your pentest campaign. Does this always work? Absolutely not. However, you’d better believe that if certain conditions are in place, it’s highly probable you can carry this out undetected and walk away with a few NTLMv2 hashes under your belt.

First things first: I don’t want to explain what an NTLMv2 hash is. There are copious amounts of information on the web, and of course ChatGPT can elaborate even further on the specifics of the challenge-response authentication protocol.

We are going to focus more on the actual attack methodology behind stealing these lovely hashes. Let’s start with some assumptions. You will need at least ONE of these conditions to be true for this to work:

  • Your target user base is using the desktop Outlook client
  • You know some users’ company email addresses
  • You are physically present, as in on the premises. OR… you are on the network via VPN, positioned such that your attacker PC is on the same VLAN as the target PCs
  • The target network firewall does NOT block ALL outbound traffic on ports 445, 139, 5353, and 5355 (not strictly necessary for this write-up, but keep it in mind for later) 😺

Stage 1 - Setup

So, here’s how it begins. To follow along on this particular route to your coveted NTLMv2 hash, you will want to install this extension for Google Chrome: Insert HTML by Designmodo Chrome Extension

Also be sure to have Wireshark installed. If you are on-site or using VPN, I’d like to show you what you can see when this attack is carried out. That will come a little later in the write-up.

Once you have both Wireshark and Designmodo installed, go to your Gmail account (I’m assuming you have one too 😸) and create a new email message.

Click on this envelope icon in the bottom, next to the big blue Send button:
[screenshot]

Next, type in the fake UNC path to your non-existent image:
[screenshot]

Then, choose Insert HTML:
[screenshot]

The body of your email message should have a broken image inside it, like so:
[screenshot]

Okay, we’re almost ready to send this. But before we do, I want you to know that the user does not even have to fully open the email for this to work. They merely have to preview it in Outlook, and it works immediately!

  • Go ahead and fire up Wireshark, select your sniffing interface, and start listening for traffic… if you are on-site or using VPN and on the same VLAN as the customer user base.

  • Also, we will need to load a tool called Responder, which can intercept LLMNR, NBNS, and mDNS traffic. This needs to run on the same network as the victim.

    Here’s the link to the tool: Responder for Linux

  • Finally, you can now send that email to your target’s email address, and we will move on to Stage 2 of the attack!

Stage 2 - Infiltration

When your email arrives, the target user will see what is captured in the image below. Be sure to name the UNC path something realistic, as they will be able to see it in the email preview:
[screenshot]

On your Linux box, you should see a captured NTLMv2 hash, assuming the user interacts with your email! Here’s what mine looks like. Keep in mind I had already captured this hash, so it shows a different message, but trust me, it worked:
[screenshot]

And Wireshark…

Do a Ctrl + F and type in silent, or whatever word you used in your UNC file path:
[screenshot]

You can see your exact packet contents after the target user interacted with your email. I say interacted… remember, they don’t even need to fully open it, as in double-clicking on it. Just previewing it is enough.

From here, you can crack the password with hashcat or relay it to another computer; the sky’s the limit!
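From the defender’s side, an added example that is not part of the original post: a mail-gateway style check that flags HTML bodies whose image references point at a UNC path or file: URI, the trick the post relies on to make the Outlook preview pane authenticate. The sample body and its hostname are constructed placeholders.

```powershell
# Added example (not from the original post): flag <img>/background references
# that resolve to a UNC share or file: URI inside an HTML mail body. Such a
# reference is what makes the Outlook preview pane try to fetch the image over
# SMB and send an NTLM response; normal mail should never carry one.
function Find-UncImageReference {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # Matches src="\\host\share\x.png" and src="file://host/share/x.png";
    # http(s):// and relative paths do not match because the captured value
    # must begin with two backslashes or "file:".
    $pattern = '(?i)\b(?:src|background)\s*=\s*["'']?\s*((?:\\\\|file:)[^"''\s>]+)'

    foreach ($m in [regex]::Matches($HtmlBody, $pattern)) {
        $ref = $m.Groups[1].Value
        [pscustomobject]@{
            Reference = $ref
            # Strip the scheme/leading separators, then take the first path
            # segment as the host the client would try to authenticate to.
            Host      = (($ref -replace '^(?:file:)?[\\/]+', '') -split '[\\/]')[0]
        }
    }
}

# Constructed sample mail body; the UNC hostname is a placeholder, not a real system.
$sample = @'
<html><body><p>Hi team, please review the attached report.</p>
<img src="\\fileshare-internal.example\public\silent.png" alt="">
<img src="https://cdn.example.com/logo.png" alt="logo">
</body></html>
'@

# Reports only the first <img>; the https:// image is left alone.
Find-UncImageReference -HtmlBody $sample | Format-Table -AutoSize
```

Run the function over each message body at the gateway (or over exported .eml/HTML files) and quarantine or alert on any hit.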

Addendum

You can also have the hash sent outside the target company network to a device you control on an entirely different ISP, AWS, Azure, etc. This would mean you don’t have to be on-premises at all. HOWEVER, the company firewall MUST ALLOW the ports for these protocols outbound for you to receive the hash.

I don’t have time to demo this today, but I can show you sometime if I get enough people asking for a demonstration. 😸

Lessons Learned

I tried blocking all images in Outlook and this attack still works. I’m shocked, actually. Given the right circumstances, this is quite trivial to carry out. Long story short:

  • Disable legacy protocols such as LLMNR, NBNS, and mDNS.
  • Use the highest available SMB/NTLM security setting, such as: Send NTLMv2 responses only. Refuse LM & NTLM
  • Block the corresponding ports for LLMNR, NBNS, and mDNS outbound on your firewall
  • Figure out how to make the Outlook Desktop client better, or turn off email previews 😕

Know of other ways to combat this attack? Feel free to comment below or hit me up on X! Thanks everyone!
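The host-side items in that list, as an added example that is not part of the original post: a PowerShell audit that compares the documented registry values behind "Send NTLMv2 response only. Refuse LM & NTLM", LLMNR and NetBIOS over TCP/IP against the hardened settings, and with -Apply also sets them and adds outbound block rules for the ports listed above. The "Internet" address keyword scopes the block to non-local ranges; whether that matches your address plan is an assumption you should verify before applying.

```powershell
# Added example (not from the original post): audit/apply the Windows settings the
# Lessons Learned list calls for. Run in an elevated session; read-only without -Apply.
param([switch]$Apply)

$Lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

$checks = @(
    # LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
    [pscustomobject]@{ Name = 'LM authentication level'; Path = $Lsa;       Key = 'LmCompatibilityLevel'; Want = 5 }
    # EnableMulticast 0 = "Turn off multicast name resolution" (disables LLMNR)
    [pscustomobject]@{ Name = 'LLMNR disabled';          Path = $DnsPolicy; Key = 'EnableMulticast';      Want = 0 }
)
# NetBIOS over TCP/IP (NBNS) is configured per interface: NetbiosOptions 2 = disabled
foreach ($iface in Get-ChildItem -Path $NbtIfaces) {
    $checks += [pscustomobject]@{ Name = "NBNS disabled ($($iface.PSChildName))"; Path = $iface.PSPath; Key = 'NetbiosOptions'; Want = 2 }
}

foreach ($c in $checks) {
    $have = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).$($c.Key)
    $shown = if ($null -eq $have) { 'unset' } else { $have }
    $ok = ($have -eq $c.Want)
    '{0,-50} current={1,-6} want={2}  {3}' -f $c.Name, $shown, $c.Want, $(if ($ok) { 'OK' } else { 'FIX' })
    if (-not $ok -and $Apply) {
        if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
    }
}

# Outbound SMB/NetBIOS/mDNS/LLMNR to non-local addresses (the Addendum case).
# "Internet" is the firewall's built-in keyword for non-local ranges; assumed to fit your network.
if ($Apply) {
    New-NetFirewallRule -DisplayName 'Block outbound SMB/NetBIOS session (TCP)' -Direction Outbound `
        -Action Block -Protocol TCP -RemotePort 139,445 -RemoteAddress Internet | Out-Null
    New-NetFirewallRule -DisplayName 'Block outbound NBNS/mDNS/LLMNR (UDP)' -Direction Outbound `
        -Action Block -Protocol UDP -RemotePort 137,138,5353,5355 -RemoteAddress Internet | Out-Null
}
```

Every line of the audit output should read OK; a FIX line names the exact key and value that still lets a preview-triggered SMB connection fall back to poisoned name resolution or weak NTLM.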

Originally published on G3tSyst3m's Infosec Blog: Getting that first Foothold - Stealing NTLMv2 hashes with ease

Copyright notice: posted by admin on October 31, 2023 at 8:46 AM.