In an effort to help make us all more secure, VDA decided to release a pentest technique that we discovered a while ago. We notified Microsoft of this technique many months ago, and they have been a great partner, as always, in quickly working to mitigate the endless offensive tactics attackers are constantly looking for.
Techniques for stealing Windows credentials, by abusing the Server Message Block (SMB) protocol, have been around since almost the beginning of Windows. Over time, more and more researchers and malicious actors have figured out new ways to leak Windows credentials. Some recent examples include Bad PDF, Microsoft Outlook OLE, and numerous others. These techniques can be very handy when doing penetration testing.
The impact of this fundamental issue with SMB can be serious. Both cracking the captured password hashes to recover users' plain-text credentials and using Pass-the-Hash methods against authentication endpoints that support NTLM are possible.
During VDA Labs penetration testing engagements, we typically abuse NTLM credentials in one or several ways to help us achieve our objectives. Recently we found a couple of new ways to leak NTLM credentials and figured we would help raise awareness about this issue by publishing this blog post.
Stealing Windows Hashes with RDP Files
The RDP (.rdp) file format is used to save settings for connecting to Remote Desktop Protocol (RDP) services, typically allowing remote access to Windows machines. While researching this file format, VDA found this great list of possible settings that are supported. A setting that quickly piqued our interest, when considering Windows credential leaking issues, was the “RemoteApplicationIcon” setting. By placing a malicious UNC/SMB path in this setting, and configuring a few other “RemoteApplication” settings, it was possible to leak Windows credentials over SMB to a remote server of our choice. A template RDP file that can be used to exploit this issue is shown below.
To exploit this issue, use a text editor to create an RDP (.rdp) file with the settings shown, then deliver the RDP file to a target; the target's credentials are leaked when the file is opened on a Windows machine. The following screen capture shows credentials being captured on a remote server using the Impacket SMBServer toolset.
Any number of social engineering techniques could be used to convince a target to open a weaponized RDP file. For example, if this file is embedded as an OLE object in the latest version of Microsoft Word on Windows 10, the target is presented with a single prompt to open, which then results in credentials being leaked. The following screen capture demonstrates this using a simple “Open this encrypted email” social engineering ruse.
Stealing Windows Credentials with Internet Explorer 11
Recently, John Page released an awesome finding in Internet Explorer 11 that allows XML External Entity Injection (XXE) to read files from Windows hosts. The Proof of Concept provided does a good job demonstrating the initial issue (reading files from the local hard drive), but we wanted to take it a little further by using this vulnerability to leak Windows credentials over SMB to a remote malicious server. While this vulnerability is not as impactful as a client-side code execution exploit chain in IE 11, it can still be abused to do some serious damage.
The basic MHTML template file we used to exploit this XXE and leak Windows credentials is shown below.
By pointing this at our own malicious SMB service, delivering the MHTML file to a target machine by social engineering or other means, we were able to again capture credential hashes when the MHTML file is opened. The following screen captures show a malicious MHTML file being opened, and credentials being captured on a remote server using the Impacket SMBServer toolset.
Some Thoughts on Mitigating Windows Credential Theft
At a high level, one of the most helpful things to do is configure your external network perimeter to stop SMB connections from leaving your network (TCP ports 139/445). This way, even if an attacker triggers this issue on a target workstation, the file share connection leaving your network will be blocked. A resource that Microsoft provides on related topics is available for download, and can help with mitigating these types of issues on internal networks. At VDA Labs, we check extensively for Windows credential theft issues during penetration testing engagements and can also help lock networks down. Let us know if we can help!
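The same perimeter rule that blocks the leak also doubles as a detection: both the RDP and MHTML techniques above end in a workstation trying to reach TCP 139/445 on a host outside the network, so any such flow, allowed or denied, is worth an alert. The following Python is an added example, not VDA's code; it assumes an invented key=value firewall log format, constructed sample lines, and that the internal address space is the RFC 1918 ranges listed in INTERNAL_NETS.

```python
"""Flag outbound SMB attempts in perimeter firewall logs (added example)."""
import ipaddress
import re
from typing import Dict, List

SMB_PORTS = {139, 445}
# Address space you own (assumed here); perimeter rules key off this list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log in an invented key=value format, one line per flow.
# 203.0.113.x / 192.0.2.x are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
2019-01-15T10:02:11Z action=allow proto=tcp src=10.20.30.40 dst=10.20.30.5 dport=445
2019-01-15T10:02:14Z action=deny proto=tcp src=10.20.30.40 dst=203.0.113.77 dport=445
2019-01-15T10:02:15Z action=deny proto=tcp src=10.20.30.40 dst=203.0.113.77 dport=139
2019-01-15T10:03:01Z action=allow proto=tcp src=10.20.30.41 dst=198.51.100.9 dport=443
2019-01-15T10:04:22Z action=allow proto=udp src=10.20.30.42 dst=8.8.8.8 dport=53
2019-01-15T10:05:09Z action=allow proto=tcp src=10.20.30.43 dst=192.0.2.10 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_smb_egress(rec: Dict[str, str]) -> bool:
    """TCP 139/445 from an internal host to anything outside INTERNAL_NETS.
    Internal-to-internal SMB is ordinary file sharing and is ignored."""
    return (rec["proto"] == "tcp" and int(rec["dport"]) in SMB_PORTS
            and is_internal(rec["src"]) and not is_internal(rec["dst"]))

def find_smb_egress(log_text: str) -> List[Dict[str, str]]:
    """Every outbound SMB flow, allowed or denied: a blocked attempt still shows
    that something on the source host tried to authenticate outward."""
    return [r for r in map(parse_line, log_text.splitlines()) if is_smb_egress(r)]

if __name__ == "__main__":
    for r in find_smb_egress(SAMPLE_LOG):
        print(f"{r['ts']} {r['action']:5} {r['src']} -> {r['dst']}:{r['dport']}")
```

The source host that shows up repeatedly is the workstation that opened the weaponized file, which is where the incident response should start.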