Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction.
The hack is easy to carry out and doesn’t involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders.
Once the file has been placed inside the folder, it executes due to a mysterious bug, collects the target’s NTLM password hash, and sends it to an attacker-configured server. Using publicly available software, an attacker could crack the NTLM password hash and later gain access to the user’s computer.
Such a hack would allow an attacker that has a direct connection to a victim’s network to escalate access to nearby systems.
Not all computers with shared folders are vulnerable
Computers with shared folders protected by a password are safe. Since this is the default option in Windows, most users aren’t vulnerable to this attack.
Nonetheless, users in enterprise environments, schools, and other public networks often share folders without a password due to convenience, leaving many systems open for attacks.
This vulnerability has 100% attack vector for users who have unprotected shared folder without a password. share folder protected users are safe by this dangerous attack and since windows have default shared folder protection will protect most of the Windows user.
How Does Hackers Steal the NTLM hashes
Initially, the attacker will discover the unprotected share folder target victim machine and share the malicious SCF file(Shell Command File) to execute some basic tasks.
Since we already have few of SCF file attacks which required manual user interaction to successfully execute the SCF file for Performing some malicious activities but this flow has required no user interaction.
Here Attacker can be used some traditional method via email to send the malicious SCF file and install into victim machine.
Basic SCF File structure that contains the shell. command file share ad task bar information
This Malicious SCF File will be executed using the Metasploit module to capture the NTLM hash form the victim’s machine.
root@sysadminjd:~# cat test.scf
root@sysadminjd:~# msfconsole -q
msf >use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE = /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job
[*] Server started.
Once attackers Craft the NTLM hash form the Victims machine they will use some Public availble tool such as John the Ripper to crack the NTLM hashes and redrive the Windows Login Credentials.
According to the Researcher,Diego who Discovered this critical vulnerability have suggested some useful mitigation techniques.
- Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
- Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.
- My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
- The better approach, don’t share folders without passwords.
Microsoft patched the attack vector in this month’s Patch Tuesday via the ADV170014 security advisory. The patch is only for Windows 10 and Windows Server 2016 users.
Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.