How to Steal Windows Login Credentials Abusing the Server Message Block (SMB) Protocol

Hackers, cybercriminals, and cyber spies continuously devise new techniques to improve their attacks, in some cases, these methods are first detected when threat actors use them in the wild.

Malicious emails are privileged vectors for hacking campaigns and
weaponized documents
 are the main ingredient for almost any spam and spear-phishing attack

Typically, weaponized documents are crafted to exploit specific vulnerabilities in applications running on victims’ machines, but in some cases, they can leverage native features of the software to start the attack chain.

In this post, we will explore the main techniques to steal Windows credentials by abusing the Server Message Block (SMB) protocol.

One of the first cases I desire to analyze was first reported by the Assaf Baharav, a security expert at Check Point.

Baharav explained that weaponized PDF files could be used by threat actors to steal Windows credentials, to be precise the associated NTLM hashes, without any user interaction.

The researcher explained that the attackers just need to trick victims into opening a specially crafted file.

Rather than exploiting a vulnerability in Microsoft Word files or RTF files, threat actors could take advantage of features natively found in the PDF standard to steal NTLM hashes.

“The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes,” wrote Baharav.

The structure of a PDF file is composed of several objects, such as Boolean values, Integers and real numbers, strings, names, arrays, streams, the null object, and dictionaries.

A dictionary object is a table containing pairs of objects, called entries (a key and a value). The researcher used a specially crafted PDF document for his proof-of-concept by injecting specific content in the above entries.

“By injecting a malicious entry (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: