Stealing Windows Credentials of Remote PC with MS Office Document

Today you will found something incredible in this article which is related to a newly lunched script named as “WORD STEAL” that can define your hacking skill more and more. This script will create a POC that will steal NTLM hashes from a remote computer.

Microsoft Word has the ability to include images from remote locations. This is an undocumented feature but was found used by malware creators to include images through http for statistics. We can also include remote files to an SMB server and the victim will authenticate with his logins credentials. This is very useful during a Pentest because allows you to steal credentials without triggering any alerts and most of the security apps do not detect this.

Let’s Breach

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007)

First, we need to download it from Github, open the terminal in your Kali Linux and type following command.

Now open the downloaded folder word steal where you will get a python script “main.py” give all permissions to the main.py script if required.

As the author has described that this script will convert an image or say .jpg into .rtf (Microsoft word file) The Rich Text Format is a proprietary document file format with published specification developed by Microsoft Corporation for cross-platform document interchange with Microsoft products.  

After then download an image and save it inside Wordsteal folder, since I have an image “1.jpg” at this moment we require to type the following command which generates .rtf file that steals NTLM hashes from a remote computer.

Above command will generate the .rtf file as you can figure out this in the given screenshot after then send the 1.rtf file to remote PC.

When victim will open 1.rtf (as Microsoft word file) in his system, on another hand attack will receive NTLM hashes.

Inside word steal, we have stolen credentials without triggering any alerts which you can observe in the following image.

Now use password cracker tool john the ripper to crack hashes in password_netntlmv2 file or type following command

Cool!!! We can see the victim’s credential clearly RAJ: 123 that might be further use for login.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

3 Comments Stealing Windows Credentials of Remote PC with MS Office Document

  1. John

    I am trying to perform a MITM attack, for pentesting purpose in my company.
    In this attack i have access to the wifi,
    I tried arpspoofing and dnspoofing but due to hsts the mitm attacks are not possible,
    is there any workaround for hsts

    Ps i tried mitmf

    Reply
    1. peter

      Hello john if you trying to perform MITM attack on LAN you can use MITMF to bypass hsts and it shoud work well … also you can try Bettercap and im shure you will have success rate on your pentesting .. take care buddy

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *