Thursday, February 22, 2024

Hackers Can Steal Your Windows Login Credential Without User Interaction using New Windows OS Flow

Newly discovered dangerous Vulnerability in NTLM Architecture allows hackers to steal Windows NTLM password without any user interaction in all the  Recent Version Windows OS.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

This vulnerability allows attackers can able to steal the NTLM hashes remotely without any user interaction using malicious SCF file that has to be placed in unprotected users windows machine.


This vulnerability has 100% attack vector for users who have unprotected shared folder without a password. share folder protected users are safe by this dangerous attack and since windows have default shared folder protection will protect most of the WIndows user.

Worst case is that, this is normal behavior in offices, schools, hospitals and almost all Windows environments, people share folders left open to sharing music, photos, and documents.

How Does Hackers Steal the NTLM hashes

Initially, the attacker will discover the unprotected share folder target victim machine and share the malicious  SCF file(Shell Command File)  to execute some basic tasks.

Since we already have few of  SCF file attacks which required manual user interaction to successfully execute the SCF file for Performing some malicious activities but this flow has required no user interaction.

Here Attacker can be used some traditional method via email to send the malicious SCF file and install into victim machine.

Basic SCF File structure that contains the shell. command file share ad task bar information


This Malicious SCF File will be executed using the Metasploit module to capture the NTLM hash form the victim’s machine.

root@sysadminjd:~# cat test.scf
root@sysadminjd:~# msfconsole -q
msf >use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.

Once attackers Craft the NTLM hash form the Victims machine they will use some Public availble tool such as John the Ripper  to crack the NTLM  hashes and redrive the Windows Login Credentials.

According to the  Researcher,Diego who Discovered this critical vulnerability have suggested some useful mitigation techniques.

  1. Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
  2. Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
  3. My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
  4. The better approach, don’t share folders without passwords, that’ll do the trick.

He has been reported this vulnerability on MAY 2017 and  finally Microsoft patch this Vulnerability in Oct 2017.

The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.


Latest articles

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles