How to steal Windows login credentials abusing the Server Message Block (SMB) protocol
Hackers, cybercriminals, and cyber spies continuously devise new techniques to improve their attacks, in some cases, these methods are first detected when threat actors use them in the wild.
Typically, weaponized documents are crafted to exploit specific vulnerabilities in applications running on victims’ machines, but in some cases, they can leverage native features of the software to start the attack chain.
In this post, we will explore the main techniques to steal Windows credentials by abusing the Server Message Block (SMB) protocol.
Weaponized PDF files
One of the first cases I desire to analyze was first reported by the Assaf Baharav, a security expert at Check Point.
Baharav explained that weaponized PDF files could be used by threat actors to steal Windows credentials, to be precise the associated NTLM hashes, without any user interaction.
The researcher explained that the attackers just need to trick victims into opening a specially crafted file.
Rather than exploiting a vulnerability in Microsoft Word files or RTF files, threat actors could take advantage of features natively found in the PDF standard to steal NTLM hashes.
“The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes,” wrote Baharav.
The structure of a PDF file is composed of several objects, such as Boolean values, Integers and real numbers, strings, names, arrays, streams, the null object, and dictionaries.
A dictionary object is a table containing pairs of objects, called entries (a key and a value). The researcher used a specially crafted PDF document for his proof-of-concept by injecting specific content in the above entries.
“By injecting a malicious entry (using the fields described above together with his SMB server details via the “/F” key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, hostname and domain details,” added the expert.
When a victim would open the PDF document, it would automatically contact a remote SMB server controlled by the attacker, but don’t forget that SMB requests include the NTLM hash for the authentication process.
“The NTLM details are leaked through the SMB traffic and sent to the attacker’s server which can be further used to cause various SMB relay attacks,” continues the expert.
With this trick the attacker can obtain the NTLM hash, then use one of the tools available online to crack it and obtain the original password.
Such kind of attack is stealth; it is impossible for the victims to notice any abnormal behavior.
Figure 1 – SMB traffic
Similar techniques leveraging SMB requests were used in the past by several threat actors, but with other types of documents or OS features (i.e., Office documents, shared folders authentication, Outlook)
According to Check Point, almost any Windows PDF-viewer is affected by this security flaw and will reveal the NTLM credentials.
Baharav successfully tested the attack on Adobe Acrobat and FoxIT Reader.
The experts followed a 90 days disclosure policy by notifying both Adobe and Foxit the vulnerability.
Adobe replied that will not fix the issue because it considers the flaw linked to the OS, meanwhile FoxIT still has not responded.
Adobe experts are referring to Microsoft Security Advisory ADV170014, released in October 2017 that implements a mechanism and provides instructions on how users could disable NTLM SSO authentication on Windows operating systems.
Below the reply from Adobe:
“Thank you for checking in on this case. Microsoft issued an optional security enhancement  late last year that provides customers with the ability to disable NTLM SSO authentication as a method for public resources. With this mitigation available to customers, we are not planning to make changes in Acrobat. ”
Stealing Windows credentials via Shared folder access
In October 2017, Microsoft fixed a severe flaw that allowed attackers to steal Windows NTLM password hashes without any user interaction, the attackers just needed to place a specially crafted Shell Command File (SCF file) inside publicly accessible Windows folders to trigger the vulnerability.
At the time, Microsoft only released security updates for recent Windows versions (Windows 10 and Server 2016).
Security advisory warned that once the attacker has placed the file in the folder, it was executed due to the security flaw, then it was used to gather the machine NTLM password hash and send it back to the attacker’s server.
Then the attacker can easily crack the NTLM password hash to access the victim’s computer. The hack was reported to Microsoft in May by the Columbian security researcher Juan Diego.
“It is a known issue that Microsoft NTLM architecture has some failures; hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. However, most of these techniques require user intervention or traffic interception to fulfill the attack,” wrote Juan Diego.
“These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack.”
Older Windows versions remain vulnerable because the registry modifications are not compatible with older versions of the Windows Firewall.
“Accordingly, to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop and server are vulnerable to this kind of attack,” explained Diego.
“Honestly, I have only tested on Windows 7 and Windows 10; then I passed the ball to Microsoft.”
The experts explained that this attack fails against machines with shared folders that are protected with a password, and this is the default option in Windows.
Nonetheless, in many cases the Windows users need to share folders without a password according to their needs, opening their systems for attacks.
Be careful, the ADV170014 is an optional patch, installing it is highly recommended.
Diego was not able to detail why the attack was possible. In previously known attacks leveraging SCF files, to trigger the flaw, the victim should have had to access the folder.
In the attack scenario detailed by Diego, the SCF files are executed just after the attacker place it in the shared folder without needing user’s interaction.
According to Bleepingcomputers.com, Microsoft acknowledged another security researcher, Stefan Kanthak, for reporting the issue.
“While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017,” reported Bleeping computer.
“Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported,” Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist.
Diego suggested the following mitigation actions:
“Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
“Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them,” suggested the expert.
“My suggestion is to use strong passwords, after the attack we need to crack the hash, which can take a lot of time if the password is complex and can be frustrating for the attacker.
“The better approach, don’t share folders without passwords, that’ll do the trick.”
Stealing Windows credentials exploiting a Microsoft Outlook flaw
Almost 19 months ago, the security researcher Will Dormann with the CERT Coordination Center (CERT/CC) discovered a severe vulnerability in Microsoft Outlook tracked as CVE-2018-0950.
Two years later, Microsoft only partially addressed the flaw with the April Patch Tuesday updates. The flaw in Microsoft Outlook ties the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) an email is previewed and automatically initiates SMB connections.
The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive data such as Windows login credentials by tricking victims into preview an email with Microsoft Outlook.
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading,” wrote Dormann.
The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.
The attack scenario sees a remote attacker exploiting the vulnerability by sending an RTF email to the victim; the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the control of the attackers.
“Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.”
The following screenshot shows that IP address, domain name, Username, hostname, SMB session key are being leaked.
Figure 2 – SMB connection data leakage
“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on an SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO),” states the CERT. “This may leak the user’s IP address, domain name, username, hostname, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”
Microsoft Outlook automatically renders OLE content; this means that it will initiate an automatic authentication with the attacker’s controlled remote server over SMB protocol using single sign-on (SSO). This will cause the leak of NTLMv2 hashed version of the password that could be cracked by the attacks with commercial tools and services.
Microsoft attempted to address the flaw in the last security updates, but it only successfully fixed SMB connections automatically when it previews RTF emails, any other SMB attack is still feasible.
“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “,” clicking the link initiates an SMB connection to the specified server.”
Figure 3 – Partially fix
Summarizing, the installation of the Microsoft update for CVE-2018-0950 will not fully protect users from the exploitation of this issue.
Users are advised to apply the following mitigations:
- Install the Microsoft update for CVE-2018-0950.
- Block ports 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp used for SMB sessions.
- Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
- Always strong passwords.
- Never click on suspicious links embedded in emails.
Using Microsoft docs to steal Windows credentials
In January 2018, researchers at security firm Rhino Labs discovered that malicious actors could abuse Microsoft Word feature called subDoc to retrieve NTLM hashes from Windows systems.
The attackers leverage a Word file that loads a sub-document from an SMB server controlled by the attacker.
The SMB server instead of delivering the requested sub-document trick the victim’s PC into handing over the NTLM hash that is used for authentication on a fake domain.
This type of attack is very difficult to detect as explained by the experts; almost any antivirus software did not detect weaponized documents used in this scheme at the time of their discovery.
“As this feature has not been recognized publicly as an attack vector for malicious actions, it is not something that is recognized by anti-virus software,” said Rhino Labs experts.
Rhino Labs has also released a tool, named SubDoc Injector, for generating subDoc-weaponized Word files to allows administrators to test the security of their infrastructure against these attacks.
The SubDoc Injector tool was developed by the notorious former LulzSec member Hector “Sabu” Monsegur.