Password hash leak via email attachment
Yesterday I saw a laptop running Windows 10. Nothing special but the user used his Microsoft account in Windows 10. I thought it would interesting to see how it works...Especially because Microsoft pushes users to use a Microsoft account instead of a local account https://www.bleepingcomputer.com/news/microsoft/microsoft-wants-to-do-away-with-windows-10-local-accounts/ Long story short: When a Microsoft account is used in Windows 10 it is possible to get the accounts password hash (and used email address) when a user clicks on a link inside an email or opens a html attachment. To get the users password hash I basically used the fact that Windows responds to SMB authentication requests using the user´s credentials. Doing it this way the user don´t has to provide credentials for each individual server. The downside is that any server can request authentication and Windows will respond. In enterprise environments mitigations like SMB signing or GPOs ( https://docs.microsoft.com/en-us...
