Wednesday, September 16, 2015

Passing an NTLM Hash to the Browser

In some scenarios, an attacker may have been able to extract Active Directory password hashes but has not been able to successfully crack some or all of them. In this case, it may be possible to perform authentication by merely passing the hash itself, instead of the password. The specific focus of this post, is a pass-the-hash attack on a website which uses NTLM authentication.

(click to zoom)


Under normal circumstances, a user might pull up Internet Explorer and browse to the website which uses NTLM authentication. At that point, if this user is not a domain user, they would typically get a prompt for a username and password. If the user who is logged into the computer is a domain user, they would potentially be automatically logged in using the Windows credentials of the current login session. In the attack, our scenario involves an attacker who has already extracted the victim user's password hash (but not the actual password) and will use it for login. The attacker is logged into Windows with credentials which do not allow them access to the website in question. However, the attacker passes the hash to the current Windows session in order to impersonate the victim user. The attacker then browses to the website using Internet Explorer and is able to automatically authenticate without ever needing the password itself - only the hash. This attack can take place from any computer which is able to access the website. If the website is only accessible internally, as many such NTLM pages are, then the attacker would need to have access to a computer located on the LAN. However, if the website is accessible from the Internet, the attacker could perform the pass-the-hash attack from a remote location outside the network, depending on the individual circumstances. Below are the details on the attack.


TL;DR:
Use wce

Prerequisites:
Extracted hash (extraction process not covered in this post)
Windows computer to perform the attack from
Target website which uses NTLM authentication
Connectivity to the website
wce (Windows Credentials Editor)

wce download link:
https://dl.packetstormsecurity.net/Win/wce_v1_4beta_universal.zip (expect browser/AV blocking)

Tested on:
Windows 7, 64 bit
Internet Explorer 11, 64 bit
wce v1.4beta x64 (Windows Credentials Editor)


Steps:

1. Log onto the Windows computer which will be used for the attack
2. Configure Internet Options:
     a. Security>Custom level for the zone>Automatic logon only in intranet zone
     b. Add website to Local Intranet sites
3. Run wce, give it the hash and tell it to call IE: wce -s <UserName>:<DomainName>:<LMHash>:<NTHash> -c "C:\Program Files\Internet Explorer\iexplore.exe"
4. Browse to the website for the automatic login

As you can see, the attack is very simple. Here are the wce command line switches in use:

-s Changes NTLM credentials of current logon session. Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-c Run <cmd> in a new session with the specified NTLM credentials.


Hmm...Maybe it's time to re-think that Sharepoint NTLM authentication.






Wednesday, September 9, 2015

Cracking Microsoft Office File Passwords

The best way to crack the password on a Microsoft Office file is by first extracting the hash of the actual password itself. But how to do that? The script office2john.py is really useful for this. It extracts the password hash and converts it to a format that John the Ripper can handle. This is not a tutorial on John, so you'll have to hit up google for that. But I'll give you the basic commands to get the job done. This should work on files from pretty much any version of Office, including xls and xlsx, etc. (Office 2003-2013).

First, you'll need to download office2john.py. You can get it from github here. Or, you can download a copy I put here.

Depending on your cracking strategy, you will likely also need a dictionary file for the attack. I will be using a dummy dictionary file as PoC, but there are lots out there and I won't go into that as a part of this post.

You'll of course also need John installed (google it) and will need a target Office file. I'm doing this from Kali 2.0 on an Excel 2013 test file which I encrypted with a password from Excel. Here are the files/names I used:

dictionary.lst (dictionary file)
office2john.py (extracts hash)
test-crack.xlsx (target)

Okay, here we go. First, we extract the hash:

./office2john.py test-crack.xlsx > test-crack-hash.txt




(click to zoom)


The hash has now been outputted to test-crack-hash.txt and we can begin cracking. The method I used was a dictionary attack:

john --session=xlsx --rules --wordlist=dictionary.lst test-crack-hash.txt

Here is an explanation of the command line options used:

--session=
An optional identifier for you to manage the John session, in case you have multiple sessions. You can make the string after the equals sign be whatever you want.

--rules
Enables wordlist rules

--wordlist=
The dictionary file to use for the attack.

[filename]
The last parameter is the text file containing the extracted hash.

It should show the password when it completes, if your cracking was successful. You can also run the following to show the cracked password, after it completes: john --show test-crack-hash.txt

Now you should be able to open the Office file using the password you cracked. It goes without saying, that this should only be used for ethical purposes, so don't do evil stuff!

Ciao!