ntlm_theft: generating multiple types of NTLMv2 hash theft files

by do son ·

ntlm_theft

A tool for generating multiple types of NTLMv2 hash theft files.

ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.

The benefits of these file types over say macro-based documents or exploit documents are that all of these are built using “intended functionality”. None were flagged by Windows Defender Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.

ntlm_theft supports the following attack types:

  • Browse to Folder Containing
    • .url – via URL field
    • .url – via ICONFILE field
    • .lnk – via icon_location field
    • .scf – via ICONFILE field (Not Working on Latest Windows)
    • autorun.inf via OPEN field (Not Working on Latest Windows)
    • desktop.ini – via IconResource field (Not Working on Latest Windows)
  • Open Document
    • .xml – via Microsoft Word external stylesheet
    • .xml – via Microsoft Word includepicture field
    • .htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)
    • .docx – via Microsoft Word includepicture field
    • .docx – via Microsoft Word external template
    • .docx – via Microsoft Word frameset webSettings
    • .xlsx – via Microsoft Excel external cell
    • .wax – via Windows Media Player playlist (Better, primary open)
    • .asx – via Windows Media Player playlist (Better, primary open)
    • .m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
    • .jnlp – via Java external jar
    • .application – via any Browser (Must be served via a browser downloaded or won’t run)
  • Open Document and Accept Popup
    • .pdf – via Adobe Acrobat Reader
  • Click Link in Chat Program
    • .txt – formatted link to paste into Zoom chat

Usecases (Why you want to run this)

ntlm_theft is primarily aimed at Penetration Testers and Red Teamers, who will use it to perform internal phishing on target company employees, or to mass test antivirus and email gateways. It may also be used for external phishing if outbound SMB access is allowed on the perimeter firewall.

I’ve found it useful while penetration testing to easily see what file types I have available to me, rather than spending time configuring a specific attack as would be used on red teaming engagements. You could send a .rtf or .docx file to the HR department, and a .xlsx spreadsheet doc to the finance department.

Install & Use

Copyright (C) 2020 Jacob Wilkin

Tags: NTLMv2 hash theft files