Відео

Hey Ryan, good question. Within a lot of Windows processes there is authentication occurring under the hood that a normal user is unaware of. Being extremely user-friendly Windows takes care of that for us. However, issues can arise when an attacker finds a way to take advantage of this automatic authentication which is what is occurring here. Essentially, Responder.py is a fake SMB share that, when a victim machine requests a resource like our fake appointment sound file via that UNC path we provide, obtains a victim's NTLM password hash. With that, and attacker could attempt to crack the victims password hash to recover their actual password, or they could even relay that NTLM hash in some cases to authenticate to another service as the victim user. I would recommend reading up on pass-the-hash attacks for more.

@@machevalia You rule. Thanks man.

@NessHype will do! Thanks for the kind words!

Of course! Thanks for the feedback Ronnie!

Responder can be anywhere that is either accessible by the victim on the LAN or on the public Internet. If you have SMB outbound blocked then responder on the local network will still work as long as the victim can reach it. An easy way to test is open file explorer on the victim and in the address bar navigate to \\<responder IP\share and you should be prompted to authenticate to responder. If that isn't working, you may also want to make sure you have a vulnerable version of Outlook installed since there is a patch out.

@@machevalia Thanks, can you please share which Outlook version did you use during your test? I'm running Outlook for Office 365 (16.0.12527.22286) 32-bit and it doesn't seem to work. I checked that SMB outbound isn't blocked on the victim's machine and it can access the share I configured in the PS script.

Interesting, I am not sure without going fully into troubleshooting it. I know the patches version is 16.0.16130.20306+ so it looks like you should be good. May just have to play around with it some more. I haven't done much with it since the video but I had varying degrees of success with different versions of Outlook, network configurations, and each of the various PoCs. Its a finicky one.

@@machevalia Thanks! it was an environmental issue on my end. I managed to resolve this! Do you by chance know where the UNC path is stored in the .EML file? I couldn't find it which is truly interesting that this info doesn't show but can triggered regardless.

​@@subtlER0X Can I ask what environmental issue you were having and what you did to resolve it? I seem to be having the same issue as you.

Sounds like you need to make sure your "victim" running Outlook can access the IP address of the machine running responder. If you're using a virtual machine for Responder, check the NIC settings.

Oh cool! Great job with the script. I have not gotten a chance to do much else with it after making this but I'll let you know if I do!

I successfully received the local ntlm hash during local testing, but only once. When I tried to modify it and send it to the remote user, I did not receive the hash but only an IPC connection.

@@user-ud7ey4ld2s same as you! I cant replicate this more than once.

Thanks for the feedback!!