Today we are demonstrating
stealing NTLM hashes through a pdf file. We have already discussed the various
method to Capture NTLM Hashes in a Network in our previous
article. Recently a new tool has launched “Bad-PDF" and in this article,
we are sharing our experience.
Bad-PDF create malicious
PDF to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines, it utilizes
vulnerability disclosed by checkpoint team to create the malicious PDF file.
Bad-Pdf reads the NTLM hashes using Responder listener.
This method work for all
PDF readers(Any version) and java scripts are not required for this attack,
most of the EDR/Endpoint solution fail to detect this attack.
git clone https://github.com/deepzec/Bad-Pdf.git
cd Bad.Pdf
ls
chmod 777 badpadf.py
Now run the python file with the help of following command
given below:
python badpdf.py
Then it will try to connect with Responder through its
default path i.e. /user/bin /responder but in our case, the location of the
responder is user/sbin/responder. After then it will ask your network IP, the
name of the output file and interface name, submit this information as per your
network.
Then it will create a malicious pdf file with name bad.pdf,
now transfer this pdf file to your target.
So, when the victim will click
our malicious file, his NTLM hash will be captured as shown in below image. Here
you can observe username ‘raj’ along with its hash password. Now copy the hash
value in a text document so that you can crack this hash value for retrieving
the password.
We have paste the hash value in a text file and save it as
"hash" on the desktop. Later we had used John the ripper for cracking
the hash.
john hash
Awesome!!! We have retrieved password: 133 for user: raj.
0 comments:
Post a Comment